
Re: LDAP browsers and cn=config

Gervase Markham wrote:
On 07/03/11 21:33, Howard Chu wrote:
Gervase Markham wrote:
On 07/03/11 17:49, Gervase Markham wrote:
oldRootDN: cn=admin,cn=config
----^

And that would be the problem :-|

Thank you for your help. <shuffles feet in an embarrassed fashion>

cn=config is an LDAP database, it is not a collection of files for you
to edit by hand.

Although presumably if you manage to mess up your configuration enough,
that's what you have to do. I've seen "you can edit the files by hand if
it all goes wrong" used as an argument for using the LDIF backend for
cn=config in the archives of this very mailing list, if I'm not mistaken.

As a last resort, not a first measure. You should also have seen in the archives "cn=config is a slapd database and like any other slapd database, the format is subject to change without notice." We may well shift it to a purely binary format down the road.

You are supposed to use ldapmodify on it, for reasons
of this very nature. I.e., ldapmodify gets syntax-checked and stupid
typos of this sort get caught.

But being able to edit the database is precisely the problem I had! It's
rather chicken and egg.

You're apparently working with a slapd that had a pre-canned config. If the means of accessing the config wasn't obvious to you, then you should be taking this up with your distro or whoever provided the canned config to you.

If you had used "ldapmodify -H ldapi:/// -Y EXTERNAL" to add the desired
attributes you wouldn't have these silly problems.

Yes, of course - because Real Men use commands with a minimum of 4
command-line flags to do any operation, and if I'm not up to that, I
can't possibly be worthy to use OpenLDAP.

You can always set these as defaults in /etc/openldap/ldap.conf. Again, if whoever provided your configs to you didn't set this up or document it clearly, your beef is with them, not the OpenLDAP community. We don't control what distros do.

If your LDAP browsers don't support ldapi:/// that's their deficiency...

I don't even know what the "i" in ldapi is, or how it's different from
ldap://. And this search of the OpenLDAP documentation is sadly
unenlightening:

http://www.google.co.uk/search?hl=en&q=ldapi%20site%3Aopenldap.org/doc

http://www.openldap.org/devel/cvsweb.cgi/doc/drafts/draft-chu-ldap-ldapi-xx.txt?hideattic=1&sortbydate=0

Can you tell me which LDAP browsers do support this scheme? After all,
the other part of my message was asking for advice on which was best.

Anyone built on top of libldap would support it implicitly. I don't keep tabs of browsers, so I can't recommend one to you.

There are two ways you, the development team, can think about OpenLDAP:

A) "You have to prove your worthiness to use this software by having a
wide knowledge of Unix history, unwritten conventions, cryptic man-pages
and a perfect recall of command-line options. Searchable documentation
on the web - pah!"
http://farm1.static.flickr.com/87/240803829_9212773615_o.png

Nonsense. 90% of the OpenLDAP installs in the world are on POSIX-based systems. If you're using one of these systems and you haven't learned how to use the most common Unix commands you're doing yourself a disservice. It's not our job to teach you the basics of getting proficiency with your OS.

You don't have to prove anything to me or anyone else; you simply have to have the skills that any Unix sysadmin must already possess to have any hope of doing the job of a sysadmin. The most basic of these is the ability to actually read documentation and pay attention to the details. You miss the details and you wind up typing "rm -rf *" in the wrong directory.

B) "We want to lower barriers to entry and make it easier to use."

We want to make it easier to use, of course, for *system administrators*. This is not a browser or an email client that Joe Sixpack will use every day. It's core infrastructure that the majority of the world will never see and never needs to know about. For that minority of people who need to know, you have your work cut out for you already. You better already understand IP and TCP intimately, and you better know how to tune your OS because you're going to need that kind of knowledge to do your job, whether OpenLDAP is a part of it or not.

System administration is not for children. Don't ask to be coddled like a child; that's not what we're here for.

If the answer is B), then instead of telling me that I'm an idiot, you
might wish to reflect on what lessons can be learnt from my experience
to help other people in the future.

I must say that my experience with the OpenLDAP community thus far has
not thrilled me with joy at the prospect of using the software for my
project. I speak as someone whose day job is nurturing, growing and
encouraging open source communities.

Don't blame the community for your own unpreparedness. If your distro didn't document their chosen configuration well enough to prepare you, then your complaint is with them, not us. The community is the folks who have stepped in to bail you out when you were going the wrong direction, we didn't send you in the wrong direction in the first place.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
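As an added illustration of the workflow Howard describes (not code from the thread or from OpenLDAP itself), the script below builds the ldapmodify change that sets the config database's rootdn via the real attribute name olcRootDN, shows the ldap.conf defaults that make the -H/-Y flags unnecessary, and runs a small pre-submission check that would flag the "oldRootDN" typo. It assumes slapd listens on ldapi:/// and its cn=config ACL grants the local root user (SASL EXTERNAL over the Unix socket) write access, as distro-packaged configs commonly do; the helper names are hypothetical.

```shell
# Assumptions: slapd is reachable on ldapi:///, its cn=config ACL lets the
# local root user write via SASL EXTERNAL, and this runs as root.
# Helper names (rootdn_ldif, check_ldif_attrs, ...) are made up for this example.

# Emit the LDIF that sets the rootdn of the config database itself.
# The attribute is olcRootDN. With "oldRootDN" (the typo from the thread)
# ldapmodify would fail with "attribute type undefined" instead of leaving
# slapd with a config it cannot load.
rootdn_ldif() {
    cat <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,cn=config
EOF
}

# Defaults for /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf on Debian)
# so that "ldapmodify < change.ldif" needs no -H or -Y flags.
ldap_conf_defaults() {
    printf '%s\n' 'URI ldapi:///' 'SASL_MECH EXTERNAL'
}

# Static check on an LDIF read from stdin: every attribute name must be an
# LDIF keyword or an olc* attribute. Returns 0 if clean, 1 if anything
# else (such as oldRootDN) appears.
check_ldif_attrs() {
    ! grep -Ev '^(dn|changetype|replace|add|delete|-|olc[A-Za-z]+)(:|$)' | grep -q .
}

# Apply the change over the Unix socket, authenticating as the local root
# user; only runs when the LDIF passes the check above.
apply_rootdn() {
    rootdn_ldif | check_ldif_attrs || return 1
    rootdn_ldif | ldapmodify -H ldapi:/// -Y EXTERNAL
}
```

Because ldapmodify talks to the running slapd, the change is syntax-checked and the server keeps its own on-disk copy of cn=config consistent, which hand-editing the LDIF backend files does not guarantee.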