[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ang. RE: Bdb defaults - WAS: problem importing entries.

> Hash: SHA1
> Pierangelo Masarati wrote:
> | You see, one approach I sometimes favour (and I've been working towards
> | this in ACLs, for instance) is not to have any defaults.  All legal
> | parameters MUST be present in a configuration file, and implementations
> | shoudl bail out if any is absent; issues may arise when parameters are
> | incompatible, but some crafting should allow this to be worked out (e.g.
> | allowing a value of "undefined" for those that are incompatible).  Of
> | course, users should be given up-to-date templates to start with, so
> they
> | don't really have to read ALL about ANY parameter to be able to simply
> | "give it a try".  I think defaults really make things tricky, because
> they
> | hide a lot of knowlegde about what can be important and even about how
> | things behave, and then one always needs to remember (or look up)
> default
> | values; this approach would really make things simpler, because
> everything
> | would be in the slapd.conf.  Would you consider this a better approach?
> |
> I don't think Frank meant that there should be compiled-in defaults, but
> that the config files should have good defaults.
> We ship a default slapd.access.conf which we include into slapd.conf,
> with some comments on it, so that at least:

also OpenLDAP's slapd.conf comes with comments in it; I've seen those
comments evolve a bit over time,driven by users' comments.  I totally
favour add-ons by distributors; only, my only guideline is: don't blame
developers for distributors' add-ons, so make it clear wha's original and
what's distributed.

> - -users/admins don't end up with no ACLs protecting passwords (I have
> seen this far too often on servers running other distros ... including
> servers set up by colleagues)
> - -users/admins see the features available with regex-based ACLs etc
> - -can learn more easily how they work
> In many cases, a user's first interaction with the available parameters
> is in the default config file ... so it needs to cover all the critical
> parameters (checkpointing, indexing and ACLs I think qualify)

I think there are comments about this in slapd.conf

> Currently, the slapd.conf provided with the source distribution doesn't
> have any active ACLs (and,it seems that ACLs outside the database
> definition don't work anymore, and the example ACLs that are commented
> out are outside database definitions)

This is another issue.  please use the ITS if you think there's a bug. 
Note that this part of ACLs has been the subject of a debate recently;
global scope ACLs are supposed to behave as they used to be from all
times; only, they are evaluated AFTER those database specific; so if you
have something like

# ...
access to attrs=userpassword
    by * =x

database xxx
# ...
access to *
    by * read

then of course the global rule will never be used.  I'm positive
the behavior didn't change; if it did, then it's an error and deserves
an ITS.

> or a checkpoint entry in the
> single example bdb database.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497