
Re: olcGlobal vs. olcFrontendConfig



Michael Ströder wrote:
> HI!
>
> I have to admit that when writing a static slapd.conf I do not make any distinction
> regarding global config section and frontend config section.
>
> So I wonder which criteria are applied to determine whether a parameter is put into
> cn=config (olcGlobal) or olcDatabase={-1}frontend (olcFrontendConfig) when converting
> slapd.conf to dynamic config.

In OpenLDAP 2.3 most global parameters were put into olcGlobal. We moved parameters into olcFrontendConfig in OpenLDAP 2.4 whenever we found an item that might depend on a loadable module, since olcModules are processed after olcGlobal. The parser still accepts these items in olcGlobal, to retain compatibility with configs migrated from 2.3, but in freshly generated configs, the 2.4 olcGlobal will omit them.

> Looking at a concrete configuration it does not make sense to me to put attribute
> olcPasswordHash into olcDatabase={-1}frontend while putting
> olcPasswordCryptSaltFormat into cn=config. There could even be conflicting values in both
> entries.

A salt format is just a plain string, so it has no particular dependencies. A hash requires actual code to implement it, and may depend on olcModule.

> Background: I'd like to determine which password hash scheme and salt format is
> configured by searching in back-config.
>
> Ciao, Michael.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
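
Added example, not part of the original message and not OpenLDAP code: a small audit helper that reads an LDIF dump of cn=config (for instance from `slapcat -n0`) and reports where olcPasswordHash and olcPasswordCryptSaltFormat are set across the two entries discussed above, flagging differing values. The function names and the sample LDIF are constructed for illustration; the code reports locations only and assumes nothing about which entry slapd prefers.

```python
import base64

# Constructed sample: simplified LDIF of a config migrated from 2.3, where
# olcPasswordHash still sits in cn=config as well as in the frontend entry.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcPasswordHash: {SSHA}
olcPasswordCryptSaltFormat: $6$%.16s

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcPasswordHash: {CRYPT}
"""

WATCHED = ("olcpasswordhash", "olcpasswordcryptsaltformat")
ENTRIES = ("cn=config", "olcdatabase={-1}frontend,cn=config")


def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry, unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs


def password_settings(ldif_text):
    """Map each watched attribute to {"where": {dn: [values]}, "conflict": bool}."""
    where = {a: {} for a in WATCHED}
    for dn, attrs in parse_ldif(ldif_text):
        if dn.lower().replace(" ", "") in ENTRIES:
            for a in WATCHED:
                if a in attrs:
                    where[a][dn] = attrs[a]
    return {a: {"where": w, "conflict": len({tuple(v) for v in w.values()}) > 1}
            for a, w in where.items()}
```

On the sample, password_settings(SAMPLE_LDIF) reports olcPasswordHash in both entries with differing values, which is the conflict case raised in the quoted question.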