I've had it with explaining that the suffix is the root of the database which is not the rootdn which is not the Unix user "root". Any hope of renaming rootdn and rootpw to admindn and adminpw, with rootdn/pw as backwards-compatible and eventually undocumented aliases?
At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
I've had it with explaining that the suffix is the root of the database which is not the rootdn which is not the Unix user "root". Any hope of renaming rootdn and rootpw to admindn and adminpw, with rootdn/pw as backwards-compatible and eventually undocumented aliases?
Hack away... if you want it in 2.4, it should be done SOON.
-- Kurt
On 2:00:38 am 2007-01-10 "Kurt D. Zeilenga" Kurt@OpenLDAP.org wrote:
At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
I've had it with explaining that the suffix is the root of the database which is not the rootdn which is not the Unix user "root". Any hope of renaming rootdn and rootpw to admindn and adminpw, with rootdn/pw as backwards-compatible and eventually undocumented aliases?
Hack away... if you want it in 2.4, it should be done SOON.
IMO this renaming/aliasing will lead to even more confusion on the mailing lists. In this case I'd recommend to teach people rather than changing the config code.
Ciao, Michael.
Michael Ströder writes:
On 2:00:38 am 2007-01-10 "Kurt D. Zeilenga" Kurt@OpenLDAP.org wrote:
At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
I've had it with explaining that the suffix is the root of the database which is not the rootdn which is not the Unix user "root". Any hope of renaming rootdn and rootpw to admindn and adminpw, with rootdn/pw as backwards-compatible and eventually undocumented aliases?
Hack away... if you want it in 2.4, it should be done SOON.
IMO this renaming/aliasing will lead to even more confusion on the mailing lists. In this case I'd recommend to teach people rather than changing the config code.
But with the name "rootdn", the teaching goes on forever! With a change, the confusion may some day end.
Hallvard B Furuseth wrote:
Michael Ströder writes:
On 2:00:38 am 2007-01-10 "Kurt D. Zeilenga" Kurt@OpenLDAP.org wrote:
At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
I've had it with explaining that the suffix is the root of the database which is not the rootdn which is not the Unix user "root". Any hope of renaming rootdn and rootpw to admindn and adminpw, with rootdn/pw as backwards-compatible and eventually undocumented aliases?
Hack away... if you want it in 2.4, it should be done SOON.
IMO this renaming/aliasing will lead to even more confusion on the mailing lists. In this case I'd recommend to teach people rather than changing the config code.
But with the name "rootdn", the teaching goes on forever! With a change, the confusion may some day end.
Sorry, up to now nobody I've taught mixed Unix user root with rootdn of OpenLDAP. I think it's not such a big issue.
Ciao, Michael.
On Wed, 10 Jan 2007, "Michael Ströder" wrote:
I've had it with explaining that the suffix is the root of the database which is not the rootdn which is not the Unix user "root".
[...]
IMO this renaming/aliasing will lead to even more confusion on the mailing
I'd note that the namespace pollution is nearly impossible to avoid in any reasonable manner. *ix users might be confused that it's rootdn/rootpw. But when we make admindn/adminpw Windows users might be confused that they're not related to Windows Administrator privileges. Perhaps we could call it systemdn and confuse VMS users. Almost anything short of "rootdnThatAppliesOnlyToThisBackendAndNotToAnythingElseInYourOS" is going to require a bit of interpretation in the documentation, and it's intuitively obvious (if not always properly understood) that slapd configuration configures slapd, not *ix nor the universe at large.
A couple doc patches to reinforce that "rootdn" only applies to backends and not to any client OS would probably be better in this case. I'd be for changing it if there was some unambiguous directive that could work, but I'm not so sure that such a directive could be found; stare decisis.
Aaron Richton writes:
I've had it with explaining that the suffix is the root of the database which is not the rootdn which is not the Unix user "root".
[...]
IMO this renaming/aliasing will lead to even more confusion on the mailing
I'd note that the namespace pollution is nearly impossible to avoid in any reasonable manner. *ix users might be confused that it's rootdn/rootpw.
Note that people _also_ confuse rootdn with the suffix, since the suffix is the root of the backend's tree (and is described as that some places, though I don't remember where at the moment).
Maybe it'd help to instead describe it as the "top" of the database's LDAP tree.
But when we make admindn/adminpw Windows users might be confused that they're not related to Windows Administrator privileges. Perhaps we could call it systemdn and confuse VMS users.
ldapadmin-dn, ldapadmin-pw?
Almost anything short of "rootdnThatAppliesOnlyToThisBackendAndNotToAnythingElseInYourOS" is going to require a bit of interpretation in the documentation, and it's intuitively obvious (if not always properly understood) that slapd configuration configures slapd, not *ix nor the universe at large.
That's far from obvious to a number of LDAP beginners who just want to set up LDAP and get it to work. The learning curve is fairly steep, so many seem to skim the doc a bit too fast.
A couple doc patches to reinforce that "rootdn" only applies to backends and not to any client OS would probably be better in this case.
I'll do something about that.
Hallvard B Furuseth wrote:
Note that people _also_ confuse rootdn with the suffix, since the suffix is the root of the backend's tree (and is described as that some places, though I don't remember where at the moment).
Maybe it'd help to instead describe it as the "top" of the database's LDAP tree.
ldapadmin-dn, ldapadmin-pw?
I realize this is in no way a "standard", but the use of certain terms has been the convention within LDAP circles for quite some time. In this case, suffix ("root"), rootdn, rootpw are not only used by OpenLDAP, but also by several other vendors, and used in the same contexts with the same meanings. My argument here is not to "do what the other guy is doing", but rather if there is something which is common across a domain why force a change and further confusion? Maintaining common concepts like this makes for easier acceptance and migration (not of the server, but of the operator).
That's far from obvious to a number of LDAP beginners who just want to set up LDAP and get it to work. The learning curve is fairly steep, so many seem to skim the doc a bit too fast.
I agree it can be steep, but there are sufficient "howtos" and quick start guides (especially when you look at individual products) that I do not see this as being that critical of a problem. If there is confusion here on the part of a beginner, then it is either a documentation problem (possible improvement here) or something that can be quickly resolved by a few simple searches. Example: first hit off of a Google search for "openldap quickstart": http://www.openldap.org/doc/admin23/quickstart.html
If there is confusion, fix it with better documentation, including possibly tutorial or glossary updates, rather than modifying code. But then again, what do I know... probably not much.
chris
btw, Hi. I've been lurking for a while and finally decided to post.
Hallvard B Furuseth wrote:
I'd note that the namespace pollution is nearly impossible to avoid in any reasonable manner. *ix users might be confused that it's rootdn/rootpw.
Note that people _also_ confuse rootdn with the suffix, since the suffix is the root of the backend's tree (and is described as that some places, though I don't remember where at the moment).
Me, I wouldn't mistake a directory manager (the fourth possibility :-) ) with neither unix nor windows admins. But "rootdn" is IMHO ambiguous for the top of tree as Hallvard said.
Changing "rootdn" to something else might lead to more confusion with existing documentation. However, "admindn" looks more handy to my eyes.
A
Adam Pordzik wrote:
Hallvard B Furuseth wrote:
I'd note that the namespace pollution is nearly impossible to avoid in any reasonable manner. *ix users might be confused that it's rootdn/rootpw.
Note that people _also_ confuse rootdn with the suffix, since the suffix is the root of the backend's tree (and is described as that some places, though I don't remember where at the moment).
Me, I wouldn't mistake a directory manager (the fourth possibility :-) ) with neither unix nor windows admins. But "rootdn" is IMHO ambiguous for the top of tree as Hallvard said.
Changing "rootdn" to something else might lead to more confusion with existing documentation. However, "admindn" looks more handy to my eyes.
To effectively disambiguate the rootdn, the new name should exactly and uniquely indicate its purpose. I'd not change it; as a second best choice, I suggest using "databaseAdminDN". The "database" clarifies it only refers to the database it's defined in.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
Hallvard B Furuseth wrote:
Almost anything short of "rootdnThatAppliesOnlyToThisBackendAndNotToAnythingElseInYourOS" is going to require a bit of interpretation in the documentation, and it's intuitively obvious (if not always properly understood) that slapd configuration configures slapd, not *ix nor the universe at large.
That's far from obvious to a number of LDAP beginners who just want to set up LDAP and get it to work. The learning curve is fairly steep, so many seem to skim the doc a bit too fast.
If they skim the docs too fast more aliases for config key-words won't help! That's a major mistake. One shouldn't try to work around this
I'm against more key-words which need more explaining. Note that there are lots of sample configs floating around. If you introduce aliases which key-words should they use? It causes more confusion than it helps.
Ciao, Michael.