
Re: Installation openLDAP in Debian



Hi Howard,

> The directory structure under slapd.d is private/internal to slapd.
> Forget it is even there. As far as you're concerned, it does not even exist.

Could you please concretely explain how you would, let's say, tune or add
rootDSE operational attributes immediately after having installed
a fresh openldap2.4 distribution without editing files?

More simply: how do you define or change the rootpw, still without
editing files?

---
Olivier


On Wed, Apr 20, 2011 at 10:38 PM, Howard Chu <hyc@symas.com> wrote:
> Jose Ildefonso Camargo Tolosa wrote:
>>
>> Resending on-list.
>
>> Well, I actually got used to cn=config pretty quickly, nevertheless, I
>> still find easier to understand and modify the slapd.conf file than
>> the directory structure under slapd.d... it is definitely more complex
>> (and I don't think it is easier to modify using a LDAP administration
>> tool).
>
> The directory structure under slapd.d is private/internal to slapd.
>
> Forget it is even there. As far as you're concerned, it does not even exist.
>
> The only thing you should ever look at is the LDAP DIT, whether returned by
> slapcat, ldapsearch, or your LDAP GUI browser of choice.
>
>> The "cn=config" replication suggested on the docs becomes useless when
>> you need to use TLS, because, AFAIK, we don't have a way of having
>> different TLS parameters for each replica (and, on a multi-master
>> setup, you will likely have different servers, with different names,
>> and thus: different SSL certificate).
>
> Actually no, every syncrepl directive can have its own unique set of TLS
> parameters. And anyway, usually all of the servers communicating with each
> other at a site will have the same security requirements and thus the same
> TLS parameters. The actual certificates might be different, but since they
> (currently) live in the filesystem there's no need to reflect that
> difference in the slapd configuration. E.g., every server can point to
> "/etc/ssl/my-server-cert.pem" and that file can be unique to each server.
>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
>