Tony,
Updates to your configuration made by LDAP updates CAN be persistent. If you start slapd with the -F option, slapd will create a configuration directory, converting your current slapd.conf into a permanent directory in slapd.d. If you continue to use the -F option on restart, any configuration changes from prior sessions will still be in force.
I agree that reordering olcAccess isn't easy. I keep an ldapmodify LDIF file with just a changetype replace for that one attribute. Don't put the sequence numbers and curly braces into the LDIF; OpenLDAP will assign those sequence numbers itself. Replacing all the values like this will get them in the order you want. If you have a lot of ACLs, you may want to dump them with ldapsearch first and convert the LDIF output for the replace operation.
Tony Earnshaw wrote:
Howard Chu wrote:
[...]
I'd guess that the passage you quote (and it _is_ correct) was written for a future version of OpenLDAP. For us, simply being able to change olcLogLevel on the fly with gq's 'point 'n click' has been one huge godsend.
Where are you getting this "one or two" stuff? Everything can be set dynamically. All means all.
Ok, it can all be changed. For cn=config I often use GQ, since that's a handy tool, to change olcLogLevel on running servers. But changing the order of olcAccess, for example, isn't easily accomplished (this has been discussed before) and all on-the-fly changes are lost the next time the daemon is restarted (assuming a valid slapd.conf and other included conf files). I should have written that it's not a practical solution at the moment.
The original poster obviously missed the point that the *LDAP* configuration engine is driven by *LDAP*. I.e., changes are accomplished using ldapmodify, not by editing any files.
Possibly, he didn't make that clear.
--Tonni
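
The workflow described in the reply at the top of this message (dump the ACLs with ldapsearch, strip the sequence numbers, send them back as one replace), as an added example that is not part of the original messages. The function name `acl_replace_ldif`, the database DN and the ACL values are constructed for illustration, and the function assumes LDIF for a single entry on stdin.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Typical use (DN is a placeholder for your own database entry):
#   ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -s base \
#       -b 'olcDatabase={1}mdb,cn=config' olcAccess | acl_replace_ldif > replace.ldif
#   (reorder the olcAccess lines in replace.ldif by hand)
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f replace.ldif

# Reads ldapsearch LDIF for ONE entry on stdin and writes an ldapmodify
# "replace" LDIF for olcAccess with the {n} ordering prefixes removed.
acl_replace_ldif() {
    awk '
    function flush(   low) {
        if (buf == "") return
        low = tolower(buf)
        if (index(low, "dn: ") == 1) {
            dn = substr(buf, 5)
        } else if (index(low, "olcaccess:: ") == 1) {
            # Base64 value: the {n} prefix is inside the encoding, so refuse.
            bad = 1
        } else if (index(low, "olcaccess: ") == 1) {
            val = substr(buf, 12)
            sub(/^[{][0-9]+[}]/, "", val)   # drop the server-assigned index
            acl[++n] = val
        }
        buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }  # unfold an LDIF continuation line
         { flush(); buf = $0 }
    END {
        flush()
        # Fail rather than emit a replace that would wipe or mangle the ACLs.
        if (bad || dn == "" || n == 0) exit 1
        print "dn: " dn
        print "changetype: modify"
        print "replace: olcAccess"
        for (i = 1; i <= n; i++) print "olcAccess: " acl[i]
    }'
}

# Constructed sample input (includes one folded line).
acl_replace_ldif <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {1}to * by * read
EOF
```

Because a replace swaps every olcAccess value at once, the function exits non-zero instead of writing output when it finds no ACLs, no DN, or a base64-encoded value it cannot safely edit.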