[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Securing cn=config and allowing micro-engineering



Nick Milas wrote:
On 20/10/2011 9:03 ÎÎ, Quanah Gibson-Mount wrote:

slapcat -n0 -F old/slapd.d>  config.ldif
edit config.ldif
slapadd -n0 -F new/slapd.d -l config.ldif
test using new/slapd.d
deploy...


I would note that OpenLDAP 2.5 (when released) adds a "slapmodify"
command per my request. It allows you to do offline modifications of
cn=config in a way similar to ldapmodify. This will also keep the CRC
checksum intact.

slapmodify will surely be an important addition. (Although v2.5 might
not be that close.)

Question:

Can we use:

     slapadd -n0 -F new/slapd.d -l config.ldif

while slapd is running?

Documentation states: Your slapd should not be running when you do this
(i.e. when using slapadd) to ensure consistency of the database...
But this command does not really interfere with the current database
(which is in old/slapd.d). So please clarify.

That note is only referring to use of slapadd to add data to a database that slapd is already using. If you're using totally separate filesystem directories, then of course you can slapadd to a config directory different from the one that slapd is currently running. It's not like there's a magical filesystem lock such that slapd knows about everything else occurring on the machine or filesystem. Use some common sense.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/