
Re: back-config design considerations - Admin Guide fodder

Howard Chu wrote:
> I still find the juggling between back-config and frontendDB a bit
> confusing (and I wrote the darn thing...) which is another reason for
> writing out this explanation. It's a bit like a Klein bottle - the
> frontendDB encompasses all of the backends, but the config backend also
> contains the frontend and all the backends.

Howard, glad you came up with this discussion. While playing around with
web2ldap and its LDIF templates to ease creation of database backends
I'm still trying to make up my mind about back-config:

If I'm using option -f slapd.conf and -F configdir/ together, which
config data is authoritative? Well, everything from slapd.conf gets
automagically converted to LDIF in configdir/. But if something's
changed in slapd.conf and slapd is again started with -f and -F, which
config data wins? I'd guess most users would expect slapd.conf to win,
but this would violate the concept of changing the config via LDAP.

IMHO it's a can of worms. Maybe it's worth considering to disallow use
of -f and -F together and instead provide a separate config conversion
tool under sbin/ which is clearly used *once* by the server's admin.

Also consider the support cases regarding schema on openldap-software
list: Often people don't use the recent schema files and they experience
duplicate schema definitions if schema elements are hard-coded (moved to
schema_prep.c). With various LDIF files in configdir/ upgrading schema
might be harder.
(I'm against using hard-coded schema definitions anyway but we already
discussed that...)

> back-config only allows its rootdn user to access it, and a mechanism is
> needed to configure authentication credentials for this rootdn. (The
> rootdn itself is hardcoded to "cn=config" of course.) One possibility is
> to use a SASL Bind and use sasl-regexp/authz-regexp to map an admin's
> SASL username to the cn=config DN.

In case of using ldapi:// with SASL EXTERNAL I'd vote for mapping user
'root' (UID 0) and the user under which slapd was started (-u) to cn=config.

Err...are sasl-regexp/authz-regexp global or backend-specific directives?

> But for Simple Bind, we need a rootdn
> and rootpw. For bootstrapping from a slapd.conf file you can use a
> "database config" clause and set the rootpw there.

Hmm, again I'd vote for having a basic setup solely by LDIF files in
configdir/ and ignore slapd.conf completely. This isn't more complicated
to install than a small bootstrap-slapd.conf.

With back-config it's much easier to implement tools to either write a
basic setup to LDIF files in configdir/ or to tweak the configuration
via LDAP because one can use existing modules for LDAP/LDIF. But the
current situation mixing both config sources makes it hard to decide
which route to go.

My conclusion:
Drop -f slapd.conf completely in 2.3.x and rather develop good setup

Ciao, Michael.
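The ldapi:// / SASL EXTERNAL mapping Michael proposes above, written out as an added example (not part of this thread, and not OpenLDAP's own shipped configuration). It uses the later cn=config attribute names (olcAuthzRegexp on the global cn=config entry, which is where these mappings live; they are not per-backend), and the peer-credential identity that slapd derives for a local UID 0 / GID 0 client. The uidNumber/gidNumber for the "-u" service account are assumed placeholder values.

```ldif
# Added example: map local root (UID 0 / GID 0) connecting over
# ldapi:// with SASL EXTERNAL to the config rootdn "cn=config".
# The '+' in the peercred DN is a regex metacharacter, so it is escaped.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=config
-
# Assumed: the account slapd runs as (-u) has uidNumber 55 / gidNumber 55.
# Adjust to the real ids; no other identity should match these patterns.
add: olcAuthzRegexp
olcAuthzRegexp: {1}gidNumber=55\+uidNumber=55,cn=peercred,cn=external,cn=auth cn=config
```

After loading this, `ldapwhoami -Y EXTERNAL -H ldapi:///` run as root should report `dn:cn=config`; any other local user still sees its raw `...,cn=peercred,cn=external,cn=auth` identity and gets no config access. The alternative that avoids identity mapping altogether is an ACL on `olcDatabase={0}config,cn=config` of the form `to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break`; either way the trust boundary is the filesystem permission on the ldapi socket, so it should not be world-connectable if non-root local users are untrusted.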