
Re: OpenLDAP incroyable!



On 30/11/2014 02:33, Arroyo, David wrote:
There are a number of really good clients to help with the issues
you’re having.  ldapvi[0] is a pretty simple client that lets you
edit LDAP objects in vi and commit the differences. Apache Directory
Studio[1] is a more heavyweight, feature-complete client built on
top of Eclipse.

Sorry to butt in, but the Apache Studio works with OpenLDAP too? I was under the impression it was just for ApacheDS. If it works with OpenLDAP I might give it a shot as it has been rather sticky with the other tools I've tried.

I really recommend you use one of these, it will make your life
easier, as you seem to be making a lot of basic mistakes. If you
get used to modifying your config in this way, you will learn to
appreciate being able to make config changes without restarting
slapd, and being able to replicate configuration between servers.

I found the olc config backend challenging when I first used it,
but now I would not go back to the config file-based format.

[0]: http://www.lichteblau.com/ldapvi/
[1]: http://directory.apache.org/studio/

On Nov 26, 2014, at 12:55 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:

--On Wednesday, November 26, 2014 12:13 PM +0100 Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:

And....another one. Amazing. So hard to understand the OpenLDAP
interface. Might just as well have been in Chinese.



$ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f olc_password_hash.ldif -W
ldap_initialize( ldap://zimbra.onknows.com:389 )
Enter LDAP Password:
replace olcPasswordHash:
	{SSHA}
modifying entry "olcDatabase={-1}frontend,cn=config"
modify complete


So the "modify complete" is sort of suggestive of some kind of success
completion or change applied. One would think. No.


The olcPasswordHash was "modified complete" to have the exact same value as
before. Sort of expected OpenLDAP to be "unwilling to perform", which
often it is. Not now. It just is "willing to ignore". Almost human.

Your list of complaints so far:

a) You told OpenLDAP to load a file that didn't exist
b) You modified a file, by hand, where the first comment in the file is:
  # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
c) In doing (b), you failed to preserve proper file permissions
d) You failed to use the correct tools for doing what you wanted to do, after you broke the configuration (slapcat/slapadd)

I'm not really sure what to make of your above complaint.  It seems you are saying you think it is an error for LDAP to replace a value with itself? All LDAP servers will do that with a replace operation.

I.e., there is significant user error present here, and you got yourself into a bad spot, and made it worse via your own actions.  A lack of understanding of how to use a piece of software does not indicate the software itself is flawed.  I will agree that it takes some time to learn how to work with LDAP in general, regardless of whether it is OpenLDAP, 389, Apache DS, etc.  It may indeed be best in your case, to have a graphical UI hiding the grisly details from you, since those details are apparently causing significant challenge in your case.  However, in the long run, it pays off significantly to understand the technology you're attempting to use.

--Quanah

--

Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
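
Added example (not part of the thread and not OpenLDAP code): because a replace with the value already stored still ends in "modify complete", this Python example reads the entry as ldapsearch -LLL would print it and reports whether a planned replace of olcPasswordHash is a no-op before building the change record. The function names and the sample LDIF are constructed for illustration.

```python
import base64

def parse_ldif_attrs(ldif_text):
    """Parse one LDIF entry (ldapsearch -LLL output) into {attr: [values]}."""
    lines = []
    for raw in ldif_text.splitlines():
        # RFC 2849: a line starting with a single space continues the previous one.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            # "attr:: <base64>" is used for values that are not plain safe strings.
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def plan_replace(ldif_text, dn, attr, wanted):
    """Return (is_noop, change_record) for replacing attr with the wanted values."""
    current = parse_ldif_attrs(ldif_text).get(attr.lower(), [])
    # Exact string comparison is a simplification made by this example;
    # the server applies the attribute's own matching rule.
    is_noop = sorted(current) == sorted(wanted)
    record = "\n".join(
        [f"dn: {dn}", "changetype: modify", f"replace: {attr}"]
        + [f"{attr}: {v}" for v in wanted]
    ) + "\n"
    return is_noop, record

# Constructed sample: what a base-scope search of the frontend entry might print.
SAMPLE = "dn: olcDatabase={-1}frontend,cn=config\nolcPasswordHash: {SSHA}\n"

if __name__ == "__main__":
    noop, record = plan_replace(
        SAMPLE, "olcDatabase={-1}frontend,cn=config", "olcPasswordHash", ["{SSHA}"])
    print(record, end="")
    print("no-op: the server will still answer 'modify complete'" if noop
          else "this replace changes the stored value")
```

Running the same comparison against a fresh search after ldapmodify confirms what the server actually holds, which the "modify complete" line alone does not.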