Wolfgang Hennerbichler wrote:
Hi,
I switched to the new ldif-config-style today. I would have 3 questions:
- slapd converted my slapd.conf to ldif files successfully, I could
look at the cn=config hierachy - pretty cool. Nevertheless I can't write into it. I defined:
olcRootDN: "cn=admin,cn=config" olcRootPW: "{SSHA}..." olcAccess: {5}to * by dn.base="cn=admin,cn=config" write
in olcDatabase={0}config.ldif. Is it possible to write there?
The fact that the config is stored in LDIF is only incidental. cn=config is an LDAP database, and in order for changes to take effect during runtime they must be made using LDAP operations (e.g. ldapmodify). If you edit the LDIF files manually, you have to restart the server to make it read them.
In general, once the slapd.conf file has been converted to LDIF, you should never manually edit the configuration ever again. Do all subsequent changes through LDAP. You should consider the underlying files to be off-limits. (Except for disaster recovery. Obviously if somehow your server gets completely trashed, it's important to have a human-readable configuration. It is possible that in future versions we'll use a binary database for the config, but not likely, because of this recovery aspect.)
By the way, the rootDN always ignores ACLs. You should not set any ACLs for the rootDN, that just wastes space (and time).
- All my schemas were converted to ldif, too. Pretty cool, I thought.
But I can't find an option to include a schema. Of course I could still include the files with olcIncludeFile, but that sucks, doesn't it?
No, olcIncludeFile is just a historical marker for include files that got converted with the old slapd.conf. It doesn't get processed after conversion has been done. To add new schemas you just ldapadd them under the cn=schema,cn=config branch. Obviously this means you must convert them to LDIF first. The process should be self-evident from looking at how the old schemas got converted. There's also an example in the Admin Guide section 5.2.4.3. http://www.openldap.org/doc/admin23/slapdconf2.html
- This is the really interesting stuff: is it possible to start a
"stupid" replication server with syncrepl, who only knows how to connect to the main server, and then syncs the schemas and parts of the config to itself? that would be cool, and I guess it can be done. Yet it's still dependend on question 1 :)
That is a desired feature, but we've explicitly disabled that in OpenLDAP 2.3. It will probably be enabled in OpenLDAP 2.4, but it requires some other enhancements to the syncrepl system before it can be done safely.