wf@bitplan.com wrote:
on http://serverfault.com/questions/73213/how-do-i-configure-reverse-group-memb...
one can see how the issue hit us. We have a Suse 11.2 machine where the standard openldap configuration is slapd.conf based. On another ubuntu 10.04 machine it's cn=config based.
The memberOf function simply didn't work and there were not proper error messages and googling the issue was a pain in the ****
When we finally found out that we need an overlay no rpm was available. So we went and tried everything on the ubuntu machine.
Whatever mechanism your distro uses to package the overlays is not under our control. Whining about it here doesn't help anyone. If your distro didn't adequately document where to find the overlays, file a doc bug report with them.
But then there was this change of how everything is configured. Basically we could start googling all over again. Many hours and problems later we got the memberOf function working. What we know now is that OpenLdap has joined the list of projects that have abandondend simple configuration with a more complicated one. We've seen this with grub2, gnome and other projects. In all cases in our opinion this is not helping the majority of people using these projects. Many years of Documentation on the internet is invalidated and worse there are now two ways to do things that are incompatible and if you try to go back (as we did on ubuntu trying to get a slapd.conf based version running) it does not get any easier.
Whining about the config mechanism is pointless. The slapd.conf mechanism still works exactly the same as before. The cn=config mechanism is the way forward because our large customers demanded a way to modify the config without requiring a server restart. If you can live with restarting every time you make a config change, you can keep using OpenLDAP 2.4 the same as you always have.
Please use the contact form on BITPlan's webpage if you'd like to get our configuration script for memberOf - we won't publish it at this time since it contains user data.
I personally don't have time to go chasing hither and yon for relevant bug report data. If you can't provide a sanitized copy of the relevant details, then you're just wasting everyone's time.