Re: Root DSE



Julio Sánchez Fernández writes:
>Kurt D. Zeilenga wrote:
>> Why LDIF?  Using LDIF to specify configuration information lends
>> itself to placing configuration information in the directory which
>> lends itself to dynamic modification...
> 
> Well, yes, I think I agree and yet..., well I don't know.

If it's the format which bothers you: Yes, the current slapd.*.conf
format is nice, and it's nice to have them in a separate file.  But it
would be easy to write a program to convert them to ldif format.

> It would be nice to have ACLs stored in the directory.

Yup.  I _need_ that.

> Moreover, do you know what I would kill to have?  Stored perl
> procedures...  That get called on modifications to enforce policy,
> referential integrity, etc.

Sounds like a wonderfully strong security hole.  If someone manages
_once_ to get the slapd master password, he can insert perl procedures
which will possibly be run as root (if slapd is running at port 389).
If these stay buried in the back-ldbm/bdb2 base, it will be damn hard
for the sysadmin to track them down.

> I guess you want this because some tools don't need the whole syntax
> bang, right?  Anyway, I think we should always remember that little
> thing we have there called ldapd, we tend to disregard it as if some
> embarrassing relative.  Probably not many of us use it.  I don't know
> how ldapd could make use of this.

I suggest ldapd is left as it is.  Newer X.500 servers also support
LDAP, and the old public-domain quipu server has a Y2K bug (I don't know
how severely).  All that is left is usages like where I run 3 modified
ldapd servers that give 3 different character sets; and my version is
only safe for read operations.

> Well, of course, if any component needs the oids, it's got to be it...

-- 
Hallvard