[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?

To: <openldap-technical@openldap.org>
Subject: Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
From: "Michael StrÃder" <michael@stroeder.com>
Date: Fri, 07 Feb 2014 13:35:23 +0100
In-reply-to: <alpine.SOC.2.02.1402061637110.26738@toolbox.rutgers.edu>
References: <CAPcb_GK5B=-PzNuxY8wNkh+n-FRhnv0snDAcLYxjqhun1H97Bw@mail.gmail.com> <52EA7F3D.2090905@symas.com> <DBB1B1AD-EE28-4E1E-AF18-9974DC9CC06B@bayour.com> <52EA8929.2010309@symas.com> <59281912-8B90-495E-8FAC-99330FF17CD4@bayour.com> <52EA9B80.6030309@symas.com> <973E272C-A2BC-4C0B-B943-479EB299D4A5@bayour.com> <E092458822F5A957DE3F6C2F@[192.168.1.2]> <070e01cf1eeb$ded56ab0$9c804010$@acm.org> <A6E68C705577FC2E916E209E@[192.168.1.2]> <0ad801cf2382$2467b250$6d3716f0$@acm.org>, <alpine.SOC.2.02.1402061637110.26738@toolbox.rutgers.edu>

Aaron Richton <richton@nbcs.rutgers.edu> wrote
> On Thu, 6 Feb 2014, Paul B. Henson wrote:
> 
> >> Our servers do a nightly backup of cn=config via slapcat -n 0, and 
> >> those are kept for a month.  Since this is for clients, there's no 
> >> revision control involved, but it would be trivial for someone to check 
> >> in the resulting LDIF file into their favorite RCS system.
> >
> > Hmm, so the revision control system would transition from being the 
> > authoritative source of what the configuration is (ie, in our current 
> > system, if somehow the running configuration deviated from the version 
> > in revision control, it would automatically be corrected back) to simply 
> > becoming a record of whatever changes happen to have been made on the 
> > running configuration?
> 
> Off the top of my head, I'm not really seeing this. With slapd.conf:
> 
> (human on workstation)
> $RCS checkout repo/production.slapd.conf
> $EDITOR !$
> $RCS checkin repo/production.slapd.conf
> 
> (magical config overlord/human on server)
> $RCS checkout repo/production.slapd.conf
> cp repo/production.slapd.conf /server/production.slapd.conf
> pkill slapd
> slapd
> 
> 
> or slapd.d:
> 
> (human on workstation)
> $RCS checkout repo/production.slapd.ldif
> $EDITOR !$
> $RCS checkin repo/production.slapd.ldif
> 
> (magical config overlord/human on server)
> $RCS checkout repo/production.slapd.ldif
> ldifdiff /server/production.slapd.ldif repo/production.slapd.ldif >
> /tmp/diff.ldif ldapmodify [...] -f /tmp/diff.ldif
> slapcat -n0 -l /server/production.slapd.ldif
> 
> These both end up with the same state, and it's the same number of 
> commands! You can checkout and revert to the latest head/trunk/etc. or any 
> arbitrary rev with either config format. Monitoring in-core vs. on-disk 
> vs. expected-in-production committed config is possible in both cases and 
> actually easier/more comprehensive with cn=config. If "magical config 
> overlord" is a cron job then "automatically be corrected" happens with 
> both of these workflows. How are your hands tied in this case?

I'm checking in the VCS and from there the automated configuration (puppet,
ansible etc.) does the rest of it. Automatically diffing config DBs and apply
the changes is far more complicated than diffing text files. Especially the
latter gives you far better text logs of which changes were done.

Ciao, Michael.

References:
- RE: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
  - From: "Paul B. Henson" <henson@acm.org>
- RE: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
  - From: "Paul B. Henson" <henson@acm.org>
- RE: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: Re: OpenLDAP static configuration
Next by Date: Antw: Simple way to check that MMR is in sync?
Index(es):
- Chronological
- Thread