
Re: LDAP browsers and cn=config



----- "Gervase Markham" <gerv@mozilla.org> wrote:

> On 07/03/11 21:33, Howard Chu wrote:
> > Gervase Markham wrote:
> >> On 07/03/11 17:49, Gervase Markham wrote:
> >>> oldRootDN: cn=admin,cn=config
> >> ----^
> >>
> >> And that would be the problem :-|
> >>
> >> Thank you for your help.<shuffles feet in an embarrassed fashion>
> >
> > cn=config is an LDAP database, it is not a collection of files for you
> > to edit by hand.
> 
> Although presumably if you manage to mess up your configuration enough,
> that's what you have to do.

But, how did you mess it up so bad in the first place?

> I've seen "you can edit the files by hand if it all goes wrong" used as
> an argument for using the LDIF backend for cn=config in the archives of
> this very mailing list, if I'm not mistaken.
> 
> > You are supposed to use ldapmodify on it, for reasons
> > of this very nature. I.e., ldapmodify gets syntax-checked and stupid
> > typos of this sort get caught.
> 
> But being able to edit the database is precisely the problem I had!
> It's rather chicken and egg.
> 
> > If you had used "ldapmodify -H ldapi:/// -Y EXTERNAL" to add the desired
> > attributes you wouldn't have these silly problems.
> 
> Yes, of course - because Real Men use commands with a minimum of 4 
> command-line flags to do any operation, and if I'm not up to that, I 
> can't possibly be worthy to use OpenLDAP.

echo -e "URI ldapi:///\nSASL_MECH EXTERNAL" >> ~/.ldaprc

Then you won't have to use 4 commandline flags in future. 

> > If your LDAP browsers don't support ldapi:/// that's their deficiency...
> 
> I don't even know what the "i" in ldapi is, or how it's different from
> ldap://. And this search of the OpenLDAP documentation is sadly
> unenlightening:
> 
> http://www.google.co.uk/search?hl=en&q=ldapi%20site%3Aopenldap.org/doc
> 
> Can you tell me which LDAP browsers do support this scheme? After all,
> the other part of my message was asking for advice on which was best.
> 
> 
> There are two ways you, the development team, can think about
> OpenLDAP:

Which development team shipped your config, and set you up with config editing using ldapi, but didn't think it was a good idea to populate root's .ldaprc?

Probably not the OpenLDAP team.

Regards,
Buchan
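
Added example, not part of the original message: the .ldaprc tip above as a repeatable helper that replaces an existing URI or SASL_MECH line instead of appending a duplicate on every run. The function names set_ldaprc_option and use_ldapi_external are hypothetical; the option names and values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: idempotent form of
#   echo -e "URI ldapi:///\nSASL_MECH EXTERNAL" >> ~/.ldaprc
# ldapi:/// is LDAP over a local Unix-domain socket (IPC); with SASL EXTERNAL
# the server identifies the client from the socket peer's uid/gid, so the
# OpenLDAP client tools need no -H/-Y flags once these defaults are in place.

# set_ldaprc_option NAME VALUE [FILE]   (hypothetical helper name)
# Rewrites FILE (default: ~/.ldaprc) so that NAME appears exactly once.
set_ldaprc_option() {
    key=$1 value=$2 file=${3:-$HOME/.ldaprc}
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if [ -f "$file" ]; then
        # ldap.conf option names are case-insensitive, so match "uri" as well
        # as "URI". grep exits 1 when nothing is left over; that is not an error.
        grep -v -i -E "^[[:space:]]*${key}[[:space:]]" "$file" > "$tmp" || true
    fi
    # printf instead of "echo -e": echo's handling of -e differs between shells.
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    # Rename over the original so a reader never sees a half-written file.
    mv "$tmp" "$file"
}

# use_ldapi_external [FILE]   (hypothetical helper name)
# Applies both settings from the thread; unrelated options are left alone.
use_ldapi_external() {
    set_ldaprc_option URI 'ldapi:///' "$1" &&
    set_ldaprc_option SASL_MECH EXTERNAL "$1"
}

# Usage, as the account that administers cn=config:
#   use_ldapi_external
#   ldapmodify -f change.ldif    # change.ldif is a placeholder file name
```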