[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Securing cn=config and allowing micro-engineering

To: Howard Chu <hyc@symas.com>
Subject: Re: Securing cn=config and allowing micro-engineering
From: Nick Milas <nick@eurobjects.com>
Date: Thu, 20 Oct 2011 18:36:58 +0300
Cc: openldap-technical@openldap.org
In-reply-to: <4EA0050A.1090005@symas.com>
References: <4E9FF67C.5060306@eurobjects.com> <4EA0050A.1090005@symas.com>
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 20/10/2011 2:24 ÎÎ, Howard Chu wrote:

Where do you get this "knowledge"? From Zytrax? slaptest tests "theserver configuration" - it doesn't matter whether it is in slapd.confor slapd.d.

I checked man slaptest (e.g. here:http://www.manpagez.com/man/8/slaptest/) which is titled: "slaptest -Check the suitability of the OpenLDAP slapd.conf file"; yet (my fault; Ididn't read thoroughly) I now see that at the Description section itsays: "It opens the slapd.conf(5) configuration file or theslapd-config(5) backend..."


So, if slaptest checks slapd.d config then fine!

Manually editing slapd.d files is the surest way of causing a problemthat prevents slapd from restarting.


OK, understood!

Obvious approach:
  slapcat -n0 -F old/slapd.d > config.ldif
  edit config.ldif
  slapadd -n0 -F new/slapd.d -l config.ldif
  test using new/slapd.d
  deploy...


OK, I see. Valuable info.

Finally, there might be cases where ... someone would need to move toslapd.conf configuration
Ask your buddies at Zytrax, they seem to think so.

Hey, Howard, give me a break. I am just trying to research thewhereabouts of my new environment (after migration). I have noaffiliation with the guys at Zytrax. I just mentioned their witnessedexperience.

However, one could say that Zytrax don't mean to cause any harm; afterall, they advocate the use of openldap - although we non-experts onOpenLDAP cannot tell if there are minor or major flaws in their"documentation". Their documents probably look appealing to LDAPnewcomers because they follow a how-to attitude, which might feelespecially helpful for initial deployments.

As far as the OpenLDAP Project is concerned, conversion fromslapd.conf to slapd.d is a one-way trip. Migrate everything else forward.

That's what we want too (this is why we migrated in the first place)!cn=config is great in that it includes everything in the directory. I amsure that the OpenLDAP project team will also be adding more and more tothis fine structure (at least progressively), like support forcomments/descriptions, esp. in ACLs (my thoughts on ACL sorting andcommenting in another thread).


Thanks for your valuable time,
Nick

Follow-Ups:
- Re: Securing cn=config and allowing micro-engineering
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- Securing cn=config and allowing micro-engineering
  - From: Nick Milas <nick@eurobjects.com>
- Re: Securing cn=config and allowing micro-engineering
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Google hits for OpenLDAP (was: Securing cn=config and allowing micro-engineering)
Next by Date: Re: Google hits for OpenLDAP (was: Securing cn=config and allowing micro-engineering)
Index(es):
- Chronological
- Thread