
Re: Can a package modify slapd.conf in its maintainer script?



On Wed, Aug 20, 2008 at 10:58:51PM -0700, Steve Langasek wrote:
> On Tue, Aug 12, 2008 at 06:07:14PM +0200, Bastian Blank wrote:
> > On Tue, Aug 12, 2008 at 12:35:30PM -0300, Steve Langasek wrote:
> > > It is possible; I'm currently awaiting feedback from the OpenLDAP
> > > comaintainers before we enable it.
> 
> > You know that parts of the config settings are only supported in the
> > legacy-format?
> 
> I've been told that there are certain (uncommon) backends that aren't
> supported by cn=config, and I'm not surprised to learn that there are some
> overlays that are unsupported as well.  Do you have a list of these that are
> of concern to you?

Not currently. I read it somewhere, but as the documentation on how to
configure them via cn=config is completely missing, it is not easy to
find again. Can you please first fill the gaps in the documentation
before forcing something underdocumented on everybody?

> AFAIK the components that have not yet been ported to cn=config are those of
> marginal interest, and I don't think they should block us from moving to
> only support cn=config in the package; users who prefer to stick with
> slapd.conf will be able to switch back after upgrade, at the expense of not
> getting automatic config upgrades from the package anymore.

So you convert it forward, and break it during that step.

> > Is there documentation how to import new schemas in the new config tree?
> 
> They need to be provided in LDIF format.  All of the schemas included in the
> slapd package now also have .ldif versions that can be used as examples of
> how to do this.  I haven't looked for documentation, per se.

Please provide the documentation then. I have several private schemas
which I somehow need to port forward.

Does slapd support modifications to cn=Schema?

> > Also, modifications are only supported via the LDAP
> > protocol; who says that root may authenticate at all?
> 
> We prompt for the password to use as the olcRootPW when setting up
> cn=config, and can prompt for it again when other packages need to make
> schema changes.  I don't think this should be any more problematic than
> what's currently done for integration with database packages.

Who says that there exists a password for the root DN? None of my configs
includes one, because I don't need another weak point. Which ACLs
apply to the usage of the root DN for authentication? How do you want
to reach the daemon? ldapi:///? ldap://127.0.0.1? The admin is free to
disable whatever access variant he wants.

Some other questions. The cn=config tree is located in
/etc/ldap/config.d. What happens if I modify that with an editor while
the daemon is running? What happens if I modify it with an editor and
via LDAP at the same time?

Bastian

-- 
Insufficient facts always invite danger.
		-- Spock, "Space Seed", stardate 3141.9
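The schema porting discussed above (legacy .schema files versus the LDIF form that cn=schema,cn=config expects) can be done without hand-editing. The following is an added example, not code from this thread, from the Debian slapd package or from OpenLDAP: it parses slapd.conf-style schema directives (objectidentifier, attributetype, objectclass, ditcontentrule), folds the result per LDIF rules, and emits one entry that can be added under cn=schema,cn=config. The embedded schema is constructed for the example, and its OID arc (1.3.6.1.4.1.99999) is a placeholder, not a registered one; the attribute and object class names are likewise made up.

```python
"""Convert a legacy slapd.conf-style .schema file into an LDIF entry for
cn=schema,cn=config.  Added example; not OpenLDAP's or the Debian package's code."""

# slapd.conf schema directive -> cn=config attribute carrying the same value.
DIRECTIVES = {
    "objectidentifier": "olcObjectIdentifier",
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
    "ditcontentrule": "olcDitContentRules",
}


def parse_schema(text):
    """Return (olc attribute, definition) pairs from .schema text.

    slapd.conf continues a directive on any following line that starts with
    whitespace, treats a line whose first non-blank character is '#' as a
    comment, and ignores blank lines.
    """
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + stripped      # continuation of previous directive
        else:
            logical.append(stripped)
    pairs = []
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed schema line: %r" % line)
        directive, definition = parts[0].lower(), parts[1].strip()
        if directive not in DIRECTIVES:
            raise ValueError("directive %r has no mapping in this example" % directive)
        pairs.append((DIRECTIVES[directive], definition))
    return pairs


def fold_ldif(line, width=76):
    """Fold one LDIF attribute line: continuation lines begin with one space,
    and an LDIF reader restores the original by dropping newline+space."""
    if len(line) <= width:
        return line
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def schema_to_ldif(name, text):
    """Build the cn=config entry for one schema; slapd assigns the {n} ordering
    prefix to the cn itself when the entry is added."""
    lines = [
        "dn: cn=%s,cn=schema,cn=config" % name,
        "objectClass: olcSchemaConfig",
        "cn: %s" % name,
    ]
    for attr, definition in parse_schema(text):
        lines.append(fold_ldif("%s: %s" % (attr, definition)))
    return "\n".join(lines) + "\n"


# Constructed sample schema (placeholder OID arc, made-up names).
EXAMPLE_SCHEMA = """\
# example.schema: constructed for this example; replace the OID arc with one you own
objectidentifier exampleRoot 1.3.6.1.4.1.99999
objectidentifier exampleAttr exampleRoot:1
objectidentifier exampleOC exampleRoot:2

attributetype ( exampleAttr:1 NAME 'exampleDeployKey'
        DESC 'SSH public key used by the deployment account'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( exampleOC:1 NAME 'exampleDeployAccount'
        DESC 'Account that is allowed to deploy'
        SUP top AUXILIARY
        MUST ( exampleDeployKey ) )
"""

if __name__ == "__main__":
    print(schema_to_ldif("example", EXAMPLE_SCHEMA), end="")
```

The generated entry is loaded with ldapadd against a running slapd, typically `ldapadd -Y EXTERNAL -H ldapi:/// -f example.ldif`; that only works if slapd listens on ldapi:/// and its cn=config ACLs grant the local root identity write access, which is exactly the dependency questioned in the reply above. Where the administrator has disabled ldapi:/// and set no olcRootPW, the entry can still be loaded offline with slapd stopped, via `slapadd -n 0 -F <config directory> -l example.ldif`; editing the files under the config directory by hand while slapd is running is not a supported alternative.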

