11:50 a.m.
I've had it with explaining that the suffix is the root of the database
which is not the rootdn which is not the Unix user "root". Any hope of
renaming rootdn and rootpw to admindn and adminpw, with rootdn/pw as
backwards-compatible and eventually undocumented aliases?
--
Hallvard
5 p.m.
At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
I've had it with explaining that the suffix is the root of the
database
which is not the rootdn which is not the Unix user "root". Any hope of
renaming rootdn and rootpw to admindn and adminpw, with rootdn/pw as
backwards-compatible and eventually undocumented aliases?
Hack away... if you want it in 2.4, it should be done SOON.
-- Kurt
10:52 p.m.
On 2:00:38 am 2007-01-10 "Kurt D. Zeilenga" <Kurt(a)OpenLDAP.org> wrote:
At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
> I've had it with explaining that the suffix is the root of the
> database which is not the rootdn which is not the Unix user "root".
> Any hope of renaming rootdn and rootpw to admindn and adminpw, with
> rootdn/pw as backwards-compatible and eventually undocumented
aliases?
Hack away... if you want it in 2.4, it should be done SOON.
IMO this renaming/aliasing will lead to even more confusion on the mailing
lists. In this case I'd recommend to teach people rather than changing the
config code.
Ciao, Michael.
5:13 a.m.
Michael Ströder writes:
On 2:00:38 am 2007-01-10 "Kurt D. Zeilenga"
<Kurt(a)OpenLDAP.org> wrote:
>At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
>> I've had it with explaining that the suffix is the root of the
>> database which is not the rootdn which is not the Unix user "root".
>> Any hope of renaming rootdn and rootpw to admindn and adminpw, with
>> rootdn/pw as backwards-compatible and eventually undocumented
>> aliases?
>
> Hack away... if you want it in 2.4, it should be done SOON.
IMO this renaming/aliasing will lead to even more confusion on the
mailing lists. In this case I'd recommend to teach people rather than
changing the config code.
But with the name "rootdn", the teaching goes on forever! With a
change, the confusion may some day end.
--
Regards,
Hallvard
12:01 p.m.
Hallvard B Furuseth wrote:
Michael Ströder writes:
>On 2:00:38 am 2007-01-10 "Kurt D. Zeilenga" <Kurt(a)OpenLDAP.org>
wrote:
>
>>At 11:50 AM 1/6/2007, Hallvard B Furuseth wrote:
>>
>>>I've had it with explaining that the suffix is the root of the
>>>database which is not the rootdn which is not the Unix user "root".
>>>Any hope of renaming rootdn and rootpw to admindn and adminpw, with
>>>rootdn/pw as backwards-compatible and eventually undocumented
>>>aliases?
>>
>>Hack away... if you want it in 2.4, it should be done SOON.
>
>IMO this renaming/aliasing will lead to even more confusion on the
>mailing lists. In this case I'd recommend to teach people rather than
>changing the config code.
But with the name "rootdn", the teaching goes on forever! With a
change, the confusion may some day end.
Sorry, up to now nobody I've teached mixed Unix user root with rootdn of
OpenLDAP. I think it's not such a big issue.
Ciao, Michael.
6:43 a.m.
On Wed, 10 Jan 2007, "Michael Ströder" wrote:
>> I've had it with explaining that the suffix is the root
of the
>> database which is not the rootdn which is not the Unix user "root".
[...]
IMO this renaming/aliasing will lead to even more confusion on the
mailing
I'd note that the namespace pollution is nearly impossible to avoid in any
reasonable manner. *ix users might be confused that it's rootdn/rootpw.
But when we make admindn/adminpw Windows users might be confused that
they're not related to Windows Administrator privileges. Perhaps we could
call it systemdn and confuse VMS users. Almost anything short of
"rootdnThatAppliesOnlyToThisBackendAndNotToAnythingElseInYourOS" is going
to require a bit of interpretation in the documentation, and it's
intuitively obvious (if not always properly understood) that slapd
configuration configures slapd, not *ix nor the universe at large.
A couple doc patches to reinforce that "rootdn" only applies to backends
and not to any client OS would probably be better in this case. I'd be for
changing it if there was some unambiguous directive that could work, but
I'm not so sure that such a directive could be found; stare decisis.
7:05 a.m.
Aaron Richton writes:
>>> I've had it with explaining that the suffix is the
root of the
>>> database which is not the rootdn which is not the Unix user
"root".
[...]
> IMO this renaming/aliasing will lead to even more confusion on the mailing
I'd note that the namespace pollution is nearly impossible to avoid in any
reasonable manner. *ix users might be confused that it's rootdn/rootpw.
Note that people _also_ confuse rootdn with the suffix, since the suffix
is the root of the backend's tree (and is described as that some places,
though I don't remember where at the moment).
Maybe it'd help to instead describe is at the "top" of the database's
LDAP tree.
But when we make admindn/adminpw Windows users might be confused
that
they're not related to Windows Administrator privileges. Perhaps we
could call it systemdn and confuse VMS users.
ldapadmin-dn, ldapadmin-pw?
Almost anything short of
"rootdnThatAppliesOnlyToThisBackendAndNotToAnythingElseInYourOS" is
going to require a bit of interpretation in the documentation, and it's
intuitively obvious (if not always properly understood) that slapd
configuration configures slapd, not *ix nor the universe at large.
That's far from obvious to a number of LDAP beginner who just wants
to set up LDAP and get it to work. The learning curve is fairy steep,
so many seem to skim the doc a bit too fast.
A couple doc patches to reinforce that "rootdn" only
applies to
backends and not to any client OS would probably be better in this
case.
I'll do something about that.
--
Regards,
Hallvard
7:59 a.m.
Hallvard B Furuseth wrote:
Note that people _also_ confuse rootdn with the suffix, since the
suffix
is the root of the backend's tree (and is described as that some places,
though I don't remember where at the moment).
Maybe it'd help to instead describe is at the "top" of the database's
LDAP tree.
ldapadmin-dn, ldapadmin-pw?
I realize this is in no way a "standard", but the use of certain terms
has been the convention within LDAP circles for quite some time. In
this case, suffix ("root"), rootdn, rootpw are not only used by
OpenLDAP, but also by several other vendors, and used in the same
contexts with the same meanings. My argument here is not to "do what
the other guy is doing", but rather if there is something which is
common across a domain why force a change and further confusion?
Maintaining common concepts like this makes for easier acceptance and
migration (not of the server, but of the operator).
That's far from obvious to a number of LDAP beginner who just
wants
to set up LDAP and get it to work. The learning curve is fairy steep,
so many seem to skim the doc a bit too fast.
I agree it can be steep, but there are sufficient "howtos" and quick
start guides (especially when you look at individual products) that I do
not see this as being that critical of a problem. If there is confusion
here on the part of a beginner, then it is either a documentation
problem (possible improvement here) or something that can be quickly
resolved by a few simple searches. Example: first hit off of a Google
search for "openldap quickstart":
http://www.openldap.org/doc/admin23/quickstart.html
If there is confusion, fix it with better documentation, including
possibly tutorial or glossary updates, rather than modifying code. But
then again, what do I know... probably not much.
chris
btw, Hi. I've been lurking for a while and finally decided to post.
8:37 a.m.
Hallvard B Furuseth wrote:
> I'd note that the namespace pollution is nearly impossible to
avoid in any
> reasonable manner. *ix users might be confused that it's rootdn/rootpw.
Note that people _also_ confuse rootdn with the suffix, since the suffix
is the root of the backend's tree (and is described as that some places,
though I don't remember where at the moment).
Me, I wouldn't mistake a directory manager (the fourth possibility :-) )
with neither unix nor windows admins. But "rootdn" is IMHO ambiguous
for the top of tree as Hallvard said.
Changing "rootdn" to something else might leads to more confusion with
existing documentation. However, "admindn" looks more handy to my eyes.
A
--
9:37 a.m.
Adam Pordzik wrote:
Hallvard B Furuseth wrote:
>> I'd note that the namespace pollution is nearly impossible to avoid
>> in any
>> reasonable manner. *ix users might be confused that it's rootdn/rootpw.
>
> Note that people _also_ confuse rootdn with the suffix, since the suffix
> is the root of the backend's tree (and is described as that some places,
> though I don't remember where at the moment).
Me, I wouldn't mistake a directory manager (the fourth possibility :-) )
with neither unix nor windows admins. But "rootdn" is IMHO ambiguous
for the top of tree as Hallvard said.
Changing "rootdn" to something else might leads to more confusion with
existing documentation. However, "admindn" looks more handy to my eyes.
To effectively disambiguate the rootdn, the new name should exactly and
uniquely indicate its purpose. I'd not change it; as a second best
choice, I suggest using "databaseAdminDN". The "database" clarifies
it
only refers to the database it's defined in.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------
11:58 a.m.
Hallvard B Furuseth wrote:
>Almost anything short of
>"rootdnThatAppliesOnlyToThisBackendAndNotToAnythingElseInYourOS" is
>going to require a bit of interpretation in the documentation, and it's
>intuitively obvious (if not always properly understood) that slapd
>configuration configures slapd, not *ix nor the universe at large.
That's far from obvious to a number of LDAP beginner who just wants
to set up LDAP and get it to work. The learning curve is fairy steep,
so many seem to skim the doc a bit too fast.
If they skim the docs too fast more aliases for config key-words won't
help! That's an major mistake. One shouldn't try to work around this
I'm against more key-words which need more explaining. Note that there
are lots of sample configs floating around. If you introduce aliases
which key-words should they use? It causes more confusion than it helps.
Ciao, Michael.
6110
days inactive
6114
days old
10 comments
8 participants
participants (8)
-
"Michael Ströder" -
Aaron Richton -
Adam Pordzik -
Christopher R. Key -
Hallvard B Furuseth -
Kurt D. Zeilenga -
Michael Ströder
-
Pierangelo Masarati