
Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?




Quoting "Brett @Google" <brett.maxfield@gmail.com>:


> But the benefits come from synergy of using ldap as the internal config
> structure should not be overlooked, there are strongly typed data storage,
> fast lookups, and reams of boilerplate code being thrown away. But
> presently we still need a binary (executable) to turn that cn=config text
> format into something slapd can boot up and use. Given the text ->
> cn=config code is present already, is there really that much work to
> leaving it there?

Since the cn=config is simply the conversion of one LDIF file into a hierarchical directory structure of LDIF files, there isn't any conversion needed for slapd to be able to use it, or write to it for that matter - slapadd already exists. The only thing that is needed is some filesystem directory traversal logic in order to write out the LDIF hierarchy.

> But can we reliably create the slap.d config file with deployment scripts
> directly, as it also seems to just be text.

I have built a fully automated installation system directly using cn=config. I have a file called config.ldif which contains a lot of %%MACROS%% and a tiny perl script that replaces those macros with actual values depending on the details of the particular installation. So, there isn't any of this silliness of creating slapd.conf, converting it into cn=config, and then continuing - that's an unnecessary step.

After I generate the real config.ldif from the template config.ldif, I simply load it with slapadd to build my cn=config hierarchy.

# Load the generated LDIF into database 0 (cn=config), writing the
# slapd.d-style hierarchy under ${CONF_DIR}
slapadd \
  -n0 \
  -v \
  -F ${CONF_DIR} \
  -l ldifs/config.ldif


Repeat the process to load the DIT skeleton into n2 with slapadd, slapindex n2 (needed if the DIT skeleton is huge like mine), fire up the server and do the rest of the work.

My cn=config is replicated across servers so that access control, tuning, and indices, for example, only need to be added to one server over the wire. And they only need to be dumped from one server, over the wire. That is a workable management interface.

My entire installation system: TLS certs, replication, DIT skeleton, service admin users, access control, tuning, indexing, everything - it takes less than 2 minutes and is 100% hands free.


-mike
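The macro-substitution step Mike describes, as an added example that is not his perl script: a small Python renderer that fills %%MACRO%% placeholders in a cn=config LDIF template and refuses to produce output while any placeholder is unresolved, so a literal %%ROOTPW_HASH%% or %%ROOTDN%% never gets loaded into cn=config. The template, the macro names (SUFFIX, ROOTDN, ROOTPW_HASH, DB_DIR) and the values are constructed.

```python
"""Render a cn=config LDIF template by substituting %%MACRO%% placeholders.

Added example, not the script from the mailing-list post. The template,
macro names and values below are constructed for illustration.
"""
import re

MACRO = re.compile(r"%%([A-Z][A-Z0-9_]*)%%")

# Constructed template: the config entry plus one mdb database entry.
TEMPLATE = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: %%SUFFIX%%
olcRootDN: %%ROOTDN%%
olcRootPW: %%ROOTPW_HASH%%
olcDbDirectory: %%DB_DIR%%
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by dn.exact="%%ROOTDN%%" manage by * read
"""


def render(template, values):
    """Replace every %%NAME%% with values[NAME].

    Raises ValueError naming every macro that has no value, so an
    unfilled placeholder is a hard failure rather than a bad config.
    """
    missing = sorted({m for m in MACRO.findall(template) if m not in values})
    if missing:
        raise ValueError("unresolved macros: " + ", ".join(missing))
    # A callable replacement keeps backslashes in values (e.g. hashes) literal;
    # a plain replacement string would be parsed for backreferences.
    return MACRO.sub(lambda m: values[m.group(1)], template)


def entry_dns(ldif):
    """Return the DN of each entry in rendered LDIF, as a sanity check."""
    return [blk.splitlines()[0].split(": ", 1)[1]
            for blk in ldif.strip().split("\n\n")]
```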