Re: Ang. RE: Bdb defaults - WAS: problem importing entries.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pierangelo Masarati wrote:
> | You see, one approach I sometimes favour (and I've been working towards
> | this in ACLs, for instance) is not to have any defaults. All legal
> | parameters MUST be present in a configuration file, and implementations
> | should bail out if any is absent; issues may arise when parameters are
> | incompatible, but some crafting should allow this to be worked out (e.g.
> | allowing a value of "undefined" for those that are incompatible). Of
> | course, users should be given up-to-date templates to start with, so they
> | don't really have to read ALL about ANY parameter to be able to simply
> | "give it a try". I think defaults really make things tricky, because they
> | hide a lot of knowledge about what can be important and even about how
> | things behave, and then one always needs to remember (or look up) default
> | values; this approach would really make things simpler, because everything
> | would be in the slapd.conf. Would you consider this a better approach?
> |
>
> I don't think Frank meant that there should be compiled-in defaults, but
> that the config files should have good defaults.
>
> We ship a default slapd.access.conf which we include into slapd.conf,
> with some comments on it, so that at least:
Also OpenLDAP's slapd.conf comes with comments in it; I've seen those
comments evolve a bit over time, driven by users' comments. I totally
favour add-ons by distributors; only, my only guideline is: don't blame
developers for distributors' add-ons, so make it clear what's original and
what's distributed.
> - users/admins don't end up with no ACLs protecting passwords (I have
> seen this far too often on servers running other distros ... including
> servers set up by colleagues)
> - users/admins see the features available with regex-based ACLs etc
> - can learn more easily how they work
>
> In many cases, a user's first interaction with the available parameters
> is in the default config file ... so it needs to cover all the critical
> parameters (checkpointing, indexing and ACLs I think qualify)
I think there are comments about this in slapd.conf
>
> Currently, the slapd.conf provided with the source distribution doesn't
> have any active ACLs (and, it seems that ACLs outside the database
> definition don't work anymore, and the example ACLs that are commented
> out are outside database definitions)
This is another issue. Please use the ITS if you think there's a bug.
Note that this part of ACLs has been the subject of a debate recently;
global scope ACLs are supposed to behave as they used to be from all
times; only, they are evaluated AFTER those database specific; so if you
have something like
<slapd.conf>
# ...
access to attrs=userpassword
        by * =x
database xxx
# ...
access to *
        by * read
</slapd.conf>
then of course the global rule will never be used. I'm positive
the behavior didn't change; if it did, then it's an error and deserves
an ITS.
> or a checkpoint entry in the
> single example bdb database.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
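
The evaluation order described in the message above, as an added example that is not part of the original post or of OpenLDAP: a simplified Python model that reports which `access to` rule decides access to an attribute. The function names, the `FIXED_CONF` variant and the restriction to `access to *` / `access to attrs=...` rules are assumptions of this sketch; access levels are treated as opaque strings.

```python
# Simplified model: database ACLs are consulted first, global ones after, and
# the first matching "to" clause wins. Only "*" and "attrs=" are modelled.
PAGE_CONF = """\
access to attrs=userpassword
    by * =x
database xxx
access to *
    by * read
"""
# Constructed variant: the password rule moved inside the database section.
FIXED_CONF = """\
database xxx
access to attrs=userpassword
    by * =x
access to *
    by * read
"""

def parse(text):
    """Return (global_acls, {db: acls}); an acl is (what, [(who, access)])."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line[0].isspace() and lines:      # leading blank = continuation
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    global_acls, db_acls, current = [], {}, None
    for tok in (l.split() for l in lines):
        if tok[0] == "database":
            current = tok[1]
            db_acls[current] = []
        elif tok[:2] == ["access", "to"]:
            bys = [(tok[i + 1], tok[i + 2]) for i in range(3, len(tok)) if tok[i] == "by"]
            (global_acls if current is None else db_acls[current]).append((tok[2], bys))
    return global_acls, db_acls

def matches(what, attr):
    return what == "*" or (what.startswith("attrs=") and attr.lower() in what[6:].lower().split(","))

def effective(text, db, attr):
    """Return (origin, what, by-clauses) of the deciding rule, or None."""
    global_acls, db_acls = parse(text)
    for origin, acls in (("database", db_acls[db]), ("global", global_acls)):
        for what, bys in acls:
            if matches(what, attr):
                return origin, what, bys
```

For the configuration quoted in the message, `effective(PAGE_CONF, "xxx", "userPassword")` reports the database's `access to *` rule as the one that applies; with `FIXED_CONF` the `attrs=userpassword` rule is reached first.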