[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Olc deployment vs slapd.conf based deployment
- To: openldap-technical@openldap.org
- Subject: Re: Olc deployment vs slapd.conf based deployment
- From: Christopher Wood <christopher_wood@pobox.com>
- Date: Tue, 19 Sep 2017 09:32:26 -0400
- Content-disposition: inline
- Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :subject:message-id:references:mime-version:content-type :in-reply-to:content-transfer-encoding; s=sasl; bh=FhIqXz4fWMbqu D5vWhXWghHC0Rw=; b=atrBnPZsl0IX9TL27GsoC2nr3tnbwtJiynRJYCukgp3wc AFOrjpDjkZlLsxGyQseKyWexloWTSCN1HHHhVavLrDeMcZ9WpN/Bd2f+Yk+frrQO iUJ/uWDoH7f4WOw+SBQhWTqEt01P+4iP5mdoM0dW+08kiw/foVIPdnkiecsQvI=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=date:from:to :subject:message-id:references:mime-version:content-type :in-reply-to:content-transfer-encoding; q=dns; s=sasl; b=YvRxx4R uHBKZNCJo/S+3Zjn6ygykv3bl+x8Y0SHwO+hVj/RJ2PkOC4oPyZ9rRHRM8uBgB7S G/8Fi20C+1pXUwAS9cKEY3S4gZYqsTeYNlq78WVGsJjYhcYsPm1MoTM4/Io5KYMm I/jXG1+HpSmMlyKoLNhJdHSwYu0VB59D8VXc=
- In-reply-to: <b04ab27a-be38-66bd-8c6e-b7c526e9e67f@stroeder.com>
- References: <b7d93005-3de5-5b9a-630e-d93510bd9b44@ironicdesign.com> <WM!c441031e673082de9904bb70fc818ffda9b9f7dd5392e09c37cc5ccb7332246257b6daf5a456f233f94aa06df0aea0f3!@mailstronghold-1.zmailcloud.com> <77336596566E63C254BF34B5@[192.168.1.30]> <afa5f660-e586-a830-19d9-2c2bbc90b919@ironicdesign.com> <WM!fe6e16114753708ff45ba7879536ac76fe5e5274b6a05ee3e50c91f19d4ac454efa50528f8ee0f218019bcec1525554d!@mailstronghold-2.zmailcloud.com> <F37BF0AA214A914FD21C1B1D@[192.168.1.30]> <4889c886-9473-252a-eeb5-8078ac2023b1@stroeder.com> <WM!3a13dfeed761ec6d4460a070ba2a964a3539d3df54fb0ca9ff22e6d5392cfdec479fac041fc447a09685f8f7e0456d39!@mailstronghold-1.zmailcloud.com> <FB3976300B3CA26BE98F601B@[192.168.1.30]> <b04ab27a-be38-66bd-8c6e-b7c526e9e67f@stroeder.com>
- User-agent: NeoMutt/20170113 (1.7.2)
On Mon, Sep 18, 2017 at 08:01:31PM +0200, Michael Ströder wrote:
> Quanah Gibson-Mount wrote:
> > > So instead of writing a single file (in one FS transaction) after
> > > letting slaptest check it I have to write several files (multiple
> > > FS operations), diff that and then apply multiple LDAP operations.
> >
> > Hm? How is this any different really than tracking slapd.conf in git?
> > And plenty of people break out slapd.conf into multiple files and use
> > "include" handling to pull, such as with schema, ACLs, etc. I see no
> > difference here.
>
> (Except the schema files) I break up slapd.conf in several *templates* but
> the config management (currently ansible) generates a single slapd.conf file
> on the target system. So after the includes in the template engine there is
> a single file transferred to the target and installed there.
>
> > > Yeah, sounds really great regarding error handling.
> >
> > How does this differ from slapd.conf? You get no error handling with
> > that, either, if you modify it and commit it to git.
>
> I had some detail issue with slaptest I have to revisit. But mainly I want
> to use "validate: slaptest..." in the ansible template task to avoid
> installing a broken slapd.conf. Yes, that's feasible even with a directory
> tree. But it needs much more work/caution without added value.
>
> Ciao, Michael.
>
It feels like it would be relatively trivial to run a cn=config managed by a configuration management system. I've already gotten puppet to stand up a multimaster pair where the replication Just Works (at two jobs now), so ensuring that the CM doesn't mess up the existing cn=config seems fairly trivial with the -F option to slapd.
The ingredients and sequence (I have a+b and that's fine for me right now):
a) ldif template, creates an ldif file on the host
b) slapadd exec which runs (only once) on the ldif to populate a specific cn=config directory, requires the ldif file to exist
c) exec which runs slaptest on that directory, requires the slapadd exec to ahve succeeded
d) init script template where -F points to that directory, service restart requires the slaptest to have succeeded
If I hook everything on to the template name then I would get:
1) the ldif
/etc/me/config_one.ldif
2) cn=config
/opt/openldap/etc/openldap/config_one/cn=config.ldif
3) init script (cut-down example)
stop() {
kill `cat /var/run/openldap.pid`
}
start() {
/opt/openldap/libexec/slapd -F /opt/openldap/etc/openldap/config_one
}
restart() {
start
stop
}
This seems like it would work because the init script stop doesn't rely on the cn=config directory being known, and every config change is a different template. I could also work out something deft with the commit hash of the git repository holding the templates combining with the template filename to make something more unique so that templates themselves could change, but you get the general idea.