Antw: Re: On removing a duplicated ppolicy overlay
- To: <quanah@symas.com>,<dannyman@toldme.com>
- Subject: Antw: Re: On removing a duplicated ppolicy overlay
- From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
- Date: Tue, 04 Dec 2018 08:38:25 +0100
- Cc: openldap-technical@openldap.org
- Content-disposition: inline
- In-reply-to: <CAKU=tE8u-sSzUTx1_S1LsNF3FqNtQ5eYzZu9j785gpZB5F2wbA@mail.gmail.com>
- References: <CAKU=tE9PiQ29n7_dLVES=MnE6tPADqynX+LpO5dA=SB783V1Wg@mail.gmail.com> <88DB8B834CC02FD6842DC979@192.168.1.39> <CAKU=tE_O8Yn958OcJfm+Kdd7dZN=O61HGeQ0tmuUR1z0+6QGCw@mail.gmail.com> <15C02D11C82898E73A66D7B2@192.168.1.39> <CAKU=tE8u-sSzUTx1_S1LsNF3FqNtQ5eYzZu9j785gpZB5F2wbA@mail.gmail.com>
>>> Daniel Howard <dannyman@toldme.com> wrote on 03.12.2018 at 22:57 in message
<CAKU=tE8u-sSzUTx1_S1LsNF3FqNtQ5eYzZu9j785gpZB5F2wbA@mail.gmail.com>:
> On Wed, Nov 28, 2018 at 11:05 AM Quanah Gibson-Mount <quanah@symas.com>
> wrote:
>
>> --On Wednesday, November 28, 2018 10:16 AM -0800 Daniel Howard
>> <dannyman@toldme.com> wrote:
>>
>> ># This file MUST be edited with the 'visudo' command as root.
>> >
>> > Perhaps this is a consideration that is already on the roadmap?
>>
>> You mean like it already does? :)
>>
>> head -1 cn\=config.ldif
>> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
>>
>
> Quanah, (and Howard)
>
> That is certainly a warning. It would be more easily noticed with a bit
> more whitespace around it, as you find in the sudoers file. This warning is
> not as helpful as the visudo warning, as it does not give the user a way to
> edit the file. A wrapper script, or a link to a good document on managing
> configurations, would be more useful.
>
> For example, if I follow the advice in sudoers, and I type "visudo" then I
> get to edit /etc/sudoers, with a validation before the file can go live.
> This is fantastic!
You miss one important thing: /etc/sudoers is expected to be edited by humans, while the cn=config files are not!
>
> If I follow the advice here, and type "ldapmodify" then I get an error
> message. If I research the correct command line, then, in my experience, I
> manage to import multiple conflicting configs into the system that crash
> the server. I then research some more, and find that ldapmodify can not
You can back up your server before doing changes, undoing changes afterwards.
> delete the conflicting configs. I research some more, and learn that I
> could just remove them from the filesystem. As I wish to be a good citizen,
> I share this knowledge, and I am told that this is wrong, and I need to use
> slapcat to export, delete my config files, then slapadd to import, using a
> different set of flags than ldapmodify. Perhaps, you can spare a moment of
> empathy to acknowledge how frustrating this must be for a user.
Well, removing files actually works a bit, but only as a temporary solution until you get slapd up and running.
It's like entering the house through a broken window when you forgot your key...
>
> I appreciate your warnings, but given the cumbersome and, in my experience,
> dangerous nature of managing config files through ldapmodify, I am inclined
> to very carefully tweak the config files in the config directory. If,
No: Actually changing config files through ldapmodify is _much_ safer than editing them by hand.
> however, there was a convenient, safe wrapper, like visudo, or a reference
> to a reassuring doc that explains the right way to do things, then I would
> preach the good news.
See my first statement.
>
> A potentially minor improvement along these lines could be a very nice
> feature enhancement for OpenLDAP. Thank you for your consideration.
Maybe a better enhancement would be a snapshotting mechanism for cn=config to save a "last good" configuration, combined with an easy (automatic?) recovery to that if the current configuration fails to launch slapd.
Regards,
Ulrich
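The "back up before changing" and "last good configuration with recovery" ideas from this reply, sketched as an added shell example; it is not part of the thread and not an OpenLDAP tool. It assumes slapcat, slapadd, slaptest and ldapmodify on PATH, slapd run as a systemd unit named "slapd", a Debian-style /etc/ldap/slapd.d directory, an "openldap" service user and root access over ldapi:///; the snapshot directory and the ".good" marker convention are the example's own.

```shell
#!/bin/sh
# Added example (not OpenLDAP's own tooling): a "last good" snapshot wrapper
# for cn=config changes, in the spirit of visudo's validate-before-commit.
# Assumptions: slapcat/slapadd/slaptest/ldapmodify on PATH, slapd run by
# systemd as unit "slapd", Debian-style paths and the "openldap" service user.
set -eu

SNAPDIR="${SNAPDIR:-/var/backups/cn-config}"   # assumed snapshot location
CONFDIR="${CONFDIR:-/etc/ldap/slapd.d}"        # assumed slapd.d location
SLAPD_USER="${SLAPD_USER:-openldap}"           # assumed service account

# Export the running cn=config (database 0) to a timestamped LDIF file.
snapshot_config() {
    mkdir -p "$SNAPDIR"
    snap="$SNAPDIR/cn-config-$(date +%Y%m%dT%H%M%S).ldif"
    slapcat -n 0 -l "$snap"
    printf '%s\n' "$snap"
}

# Newest snapshot carrying a ".good" marker, or empty output if none exists.
# The timestamp format sorts lexicographically, so a plain sort is enough.
latest_good_snapshot() {
    ls -1 "$1"/*.ldif.good 2>/dev/null | sort | tail -n 1 | sed 's/\.good$//'
}

# Apply an LDIF change to the live cn=config over ldapi:// as root.
apply_change() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Dry-run parse of the on-disk config: catches a change that slapd accepted
# at runtime but that would stop it from starting next time.
config_is_valid() {
    slaptest -F "$CONFDIR" -u >/dev/null 2>&1
}

# Rebuild slapd.d from an LDIF snapshot while slapd is stopped; the broken
# directory is kept aside for inspection rather than deleted.
restore_snapshot() {
    systemctl stop slapd
    mv "$CONFDIR" "$CONFDIR.broken.$(date +%s)"
    mkdir -p "$CONFDIR"
    slapadd -n 0 -F "$CONFDIR" -l "$1"
    chown -R "$SLAPD_USER:$SLAPD_USER" "$CONFDIR"
    systemctl start slapd
}

# apply <file.ldif>: snapshot, modify, validate; roll back on any failure.
safe_modify() {
    pre=$(snapshot_config)
    if apply_change "$1" && config_is_valid; then
        post=$(snapshot_config)
        touch "$post.good"
        echo "applied $1; new last-good snapshot: $post"
    else
        echo "change rejected or config no longer loads; restoring $pre" >&2
        restore_snapshot "$pre"
        return 1
    fi
}

# recover: slapd will not start, so restore the newest snapshot marked good.
recover() {
    good=$(latest_good_snapshot "$SNAPDIR")
    [ -n "$good" ] || { echo "no snapshot marked good in $SNAPDIR" >&2; return 1; }
    restore_snapshot "$good"
}

case "${1:-}" in
    apply)   safe_modify "${2:?usage: $0 apply <change.ldif>}" ;;
    recover) recover ;;
    "")      ;;   # no arguments: only define the functions
    *)       echo "usage: $0 apply <change.ldif> | recover" >&2; exit 2 ;;
esac
```

Usage is `safe-config apply change.ldif` for a guarded change and `safe-config recover` when slapd refuses to start. The pre-change snapshot is what gets restored on a failed apply because it is the configuration that was running moments before, while only a snapshot that passed slaptest receives the ".good" marker that `recover` looks for.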