
Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?



Howard Chu wrote:
> harry.jede@arcor.de wrote:
> > #!/bin/sed -rf
> > # Author: Harry Jede
> > # produce human readable but still machine parseable
> > # olcAccess lines and removes the ordering numbers in {}
> > # because humans don't need them, really.
> 
> Nice formatting, but just a note - the ordering prefixes are there to
> allow you to insert new ACLs in the precise spot where they belong.
> So in fact, human or machine, they are necessary. We wouldn't throw
> things in there for no reason.
I know this. The reason why you have created the ordering prefixes is 
that without them the ordering is *not* always the same during multiple 
searches.


> 
> Otherwise, to insert one rule in front of existing rules, you would
> need to delete and reinsert all of the rules.
Agreed.
For documenting, comparing, testing or creating access to new databases 
I found that this is my favorite approach.

And during some support sessions with customers I found that one of the 
common failures during access design is that customers failed to order 
the "to clause" of access rules. In such cases I retrieve the access 
rules, reorder them with an editor, and upload all at once with 
ldapmodify. And yes, slapd adds the ordering prefixes in line order of 
the LDIF file. Magic and cool.

If I need to modify or add single rules, I still use the script to 
retrieve, but without the olcAccess line. Now I can create LDIFs for 
ldapmodify with ordering prefix. The "by clauses" are one per line. 
That's better for my eyes.

# cat $(which fmt_olcAccess2)
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines
# the whole script:
# every line except the last: append it to the hold space and start the next cycle
$!{H;d}
# last line: append it, fetch the whole buffer, drop the leading newline left
# by the first H, join LDIF continuation lines (newline + one space), then put
# every "by" clause on its own indented line
${H;g;s/^\n//;s/\n //g;s/[[:space:]]+by /\n  by /g}

The output now comes with prefixes.



-- 

Harry Jede
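A worked version of the retrieve, reorder and upload workflow discussed in this thread, as an added example in Python (not Harry Jede's sed script and not OpenLDAP code): it unfolds the LDIF, strips the {n} prefixes, prints one "by" clause per line, flags rules shadowed by an earlier `to *` (slapd stops at the first `to` clause matching the entry), moves the catch-all rule last, and emits the ldapmodify LDIF whose line order becomes the new numbering. The ldapsearch output and the DN are constructed.

```python
import re
from typing import List

# Constructed sample of what "ldapsearch -LLL -b olcDatabase={1}mdb,cn=config olcAccess"
# could print; note the LDIF folded line (continuation starts with one space).
SAMPLE_LDIF = """dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by * read
olcAccess: {1}to attrs=userPassword by self write by anonymous auth
  by * none
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com" by users read
"""

CATCH_ALL = re.compile(r"to \*(\s|$)")  # a rule whose <what> clause is "to *"

def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (newline + single space) back into one line."""
    return ldif.replace("\n ", "").splitlines()

def olc_access_rules(ldif: str) -> List[str]:
    """Return the olcAccess values in server order, with the {n} prefix stripped."""
    rules = []
    for line in unfold(ldif):
        if line.startswith("olcAccess:"):
            value = line[len("olcAccess:"):].strip()
            rules.append(re.sub(r"^\{\d+\}", "", value))
    return rules

def pretty(rule: str) -> str:
    """One 'by' clause per indented line, like the sed script in the thread."""
    return re.sub(r"\s+by ", "\n  by ", rule)

def shadowed_rules(rules: List[str]) -> List[int]:
    """Indexes of rules that can never match: slapd uses the first 'to' clause
    that matches the entry, so everything after a 'to *' rule is unreachable."""
    for i, rule in enumerate(rules):
        if CATCH_ALL.match(rule):
            return list(range(i + 1, len(rules)))
    return []

def move_catch_all_last(rules: List[str]) -> List[str]:
    """Keep the relative order of specific rules and put 'to *' rules at the end."""
    specific = [r for r in rules if not CATCH_ALL.match(r)]
    return specific + [r for r in rules if CATCH_ALL.match(r)]

def replace_ldif(dn: str, rules: List[str]) -> str:
    """ldapmodify input replacing the whole attribute; no {n} needed, slapd
    numbers the values in the order they appear here."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: olcAccess"]
    lines += [f"olcAccess: {r}" for r in rules]
    return "\n".join(lines) + "\n-\n"
```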