If you have an existing slapd.conf you can simply let slapd convert it to a cn=config database for you.

Howard Chu <hyc(a)symas.com&gt; wrote: > If you have an existing slapd.conf you can simply let slapd convert it to a > cn=config database for you. That's the -F flag, but how does it works? I made little attemps, without much success. As I understand, schema replication won't work with syncrepl on 2.3.x, right?

Gavin Henry wrote: > Emmanuel Dreyfus wrote: >> Howard Chu <hyc(a)symas.com&gt; wrote: >> >>> If you have an existing slapd.conf you can simply let slapd convert >>> it to a >>> cn=config database for you. >> That's the -F flag, but how does it works? I made little attemps, >> without much success. >> >> As I understand, schema replication won't work with syncrepl on 2.3.x, >> right? >> > > There's a new man page in 2.4 (slapd-config), but basically: > > "Alternatively, an existing slapd.conf file can be converted to the new > format using slapd or any of the slap tools: > slaptest -f /usr/local/etc/openldap/slapd.conf -F > ETCDIR/slapd." Note that this feature was already documented in the existing slapd/slapadd/slap* manpages in 2.3. It's a shame that we go to the trouble of writing these docs that nobody actually reads.

Note that this feature was already documented in the existing slapd/slapadd/slap* manpages in 2.3. It's a shame that we go to the trouble of writing these docs that nobody actually reads.

Emmanuel Dreyfus wrote: > Howard Chu <hyc(a)symas.com&gt; wrote: > >> Note that this feature was already documented in the existing >> slapd/slapadd/slap* manpages in 2.3. It's a shame that we go to the trouble of >> writing these docs that nobody actually reads. > And it's a sad that project leaders immediatly assume users are just > unwilling to read the docs, rather than wondering if the docs need > improvement. We know they do, and we are. There's no wondering involved ;-)

People... I have a idea about OpenLDAP documentation. There´s a good documentation at OpenLDAP website. Why not create more efforts to create a Howto series? I´m writing constantlty a howto week´s about basic OpenLDAP features, like some integrations and hints. We can create something like a wiki, using the OpenLDAP documentation and "translate" this things to Howto´s. Horward, we can help your efforts? Thanks for your good work. Cheers.

howto. I think a great howto would be one that expands on this: http:// mattfleming.com/node/190 except going into much more detail outlining every step necessary for it to work.

> howto. I think a great howto would be one that expands on this: http:// > mattfleming.com/node/190 except going into much more detail outlining every > step necessary for it to work. Documents such as the one you mention are, apart from quite good-looking, rather useless to the world at whole; papers that start off with `apt-get ...', are useless as they supply information to only a small portion of users, and what is worse, information that quickly is outdated, or incorrect to start with. Furthermore, most people simply "write-and-forget", meaning they never come back to update their "howtos" for a next version of the respective software. I tell people, "If you want howtos, buy Windows".

Gavin's suggestion to augment the Admin Guide with real-world configuration examples can only be applauded. Examples of ACL, grouping, etc. with descriptions would greatly enhance the value of the OpenLDAP documentation.

Thanks Gavin for your answer. I appreciate this.

Yes, sounds like a good plan. The Admin Guide is a excelent start to the wiki. On next months, if a have a good howto´s to the wiki, where I can install wiki and leave the howto´s? There´s a possibility to have private wiki with contributors at openldap.org <http://openldap.org>? Something like http://wiki.openldap.org?

I´m in the end of howto about schema anatomy.

And finally, how I can help you Gavin with Admin Guide?

> I've often thought about this, as Samba do similar at: > http://wiki.samba.org/index.php/Main_Page as do other major OSS projects. But, then if we look at a page relevant to *this* project, you get something like: http://wiki.samba.org/index.php/Samba_%26_LDAP#Setting_up_PAM_and_NSS_to_... Which is incomplete, misleading, and wrong on all distributions but SUSE. Or, you follow links on some of the other resources that have been posted in this thread, and you get something like this: http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... or this part: http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... And, they missed the usual advice of editing migrate_common.ph (instead of the easier method of setting the LDAP_BASEDN environment variable), by only using the dc=example,dc=com example, thus ensuring all other users will be confused later: http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL...

> Here are the issues with your appreciated suggestions: > > 1. The OpenLDAP project do not support 3rd Party software While I don't have a problem with this, the question is why should this prevent OpenLDAP project documentation (with suitable disclaimers) from covering how to allow OpenLDAP to support other LDAP client software.

For example, the only documentation available for configuring Solaris for using LDAP for user/group accounts assumes you use JES LDAP. Sun certainly isn't going to write any, and I would like to put the details somewhere before I forget them.

Is our only option something like http://scratchpad.wikia.com/wiki/Ldap

> 2. We have to find the time to mentor and verify the howto/wiki > contributors. Are you saying I need mentorship and verification?

> 3. We have to find the time to fight the wiki spam Not if you limit contributions to authenticated users. And there is the LDAP authentication plugin for mediawiki ...

> 4. We have to find the time to keep the howtos updated As the scratchpad wiki proves, I don't have *much* time ... but if a few people can spare a small amount of time, it may be viable.

> 5. Resources, lack of resources, need more resources. > 6. etc..... > > *My* first and foremost priority is to finish the Admin Guide, keep it > accurate and up to date. > > I think, as we have done all along, we leave the 3rd party integration > to the 3rd party projects (like the wiki mentioned above). Which obviously isn't doing such a great job. And, why should we leave it to Samba to document how to set up nss_ldap and OpenLDAP optimally? Or, is this an area nss_ldap should cover (including the indexes, ACLs etc. that should be configured on the server side)?

> What we don't > want is a wiki where people come along and start posting How tos that we > don't have time to vet, which in turn starts to dilute the OpenLDAP > quality brand and take our time away with the little resources we have. It may be better than having hundreds of howtos out there in random places of much worse quality, leaving the impression that the OpenLDAP project prefers this to one authoritative place, where at least contributors or experts can correct mistakes (which we can't do for all the broken howtos).

> However, what is *vital* is that we provide a means to put the Admin > Guide sections into working configuration examples (which some sections > have/will have). This could mean real world deployment examples etc. But, if we can't cover nss_ldap, Solaris ldapclient, sudo, proftpd,bind, dhcpd, autofs, samba,apache-mod_vhost_ldap, freeradius, kmail, evolution, thunderbird (all of which I have used with OpenLDAP), what do we cover (that isn't covered in man pages)?

> It's all very good having in depth guides, but sometimes it's better to > get something running and come back to the main docs. The vessel in > which we present these complete examples is irrelevant and can be > decided at any point. > > So, coming back to your wonderful offer of help. If you would like to > look at the latest docs in our source repo and pick up a > section/subsection that appeals to you, we can move towards a complete > and detailed OpenLDAP 2.4 Admin Guide and then do the wiki/howto stuff. > > Does that sound like a plan? IMHO, it is more important to have concise, clear, documentation on getting the basics most people need to get started with (before they can justify spending more time to learn the ins and outs of all the features) with the most gain for the least effort, than documenting all the overlays, or the backends that are not used frequently.

For example, we have nothing to offer to compete with: http://directory.fedoraproject.org/ http://directory.fedoraproject.org/wiki/Howto:MigrateToLDAP http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration http://directory.fedoraproject.org/wiki/Howto:Posix http://directory.fedoraproject.org/wiki/Howto:PAM http://directory.fedoraproject.org/wiki/Howto:Netgroups http://directory.fedoraproject.org/wiki/Howto:SolarisClient http://directory.fedoraproject.org/wiki/Howto:Automount http://directory.fedoraproject.org/wiki/Howto:Samba So, from a "what can I do with this software before I decide which one" perspective, OpenLDAP will be at a disadvantage while we are prevented from mentioning anything besides OpenLDAP.

> >> I've often thought about this, as Samba do similar at: > >> http://wiki.samba.org/index.php/Main_Page as do other major OSS projects. > > But, then if we look at a page relevant to *this* project, you get something > > like: > > http://wiki.samba.org/index.php/Samba_%26_LDAP#Setting_up_PAM_and_NSS_to_... > > Which is incomplete, misleading, and wrong on all distributions but SUSE. > > Or, you follow links on some of the other resources that have been posted in > > this thread, and you get something like this: > > http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... > > or this part: > > http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... > > And, they missed the usual advice of editing migrate_common.ph (instead of the > > easier method of setting the LDAP_BASEDN environment variable), by only using > > the dc=example,dc=com example, thus ensuring all other users will be confused > > later: > > http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... The date on the aforementioned page is also "2005-10-25", so it is pretty darn old. I've got no problem with people publishing anything they want, but it is also reasonable to expect people [users, certainly administrators] to pay attention to things like published date. I have an owner's manual for my 1919 Model-T Ford, but I don't expect it to be helpful in fixing my 2007 Ford Mustang. If a reader ignores the fact that a document is stale it is no ones fault but the readers, and if they complain about it they should be dope slapped. > Appreciated comments, but these projects *never* come to us and ask us > to review anything. Are we expected to spend all our time reviewing and > editing others work? Nope. > >> Here are the issues with your appreciated suggestions: > >> 1. The OpenLDAP project do not support 3rd Party software > > While I don't have a problem with this, the question is why should this > > prevent OpenLDAP project documentation (with suitable disclaimers) from > > covering how to allow OpenLDAP to support other LDAP client software. > But how many times do we need to cover it? No matter what client or > software using a Directory, it's always the same; custom schema (give or > take), relevant indexes and ACLs etc. Another client, another day. Exactly. If you understand LDAP *AND* the service you are configuring (Samba, NSS, PAM, RADIUS, etc...) then *MOST* stuff is pretty obvious and even drearily redundant after awhile. What I see is that allot of people want to skip one or both sides of the equation - if they want to do that they should hire a consultant. > > For > > example, the only documentation available for configuring Solaris for using > > LDAP for user/group accounts assumes you use JES LDAP. Sun certainly isn't > > going to write any, and I would like to put the details somewhere before I > > forget them. > But isn't that the duty of the authors of said software that provide > this functionality. Yes. > >> 3. We have to find the time to fight the wiki spam > > Not if you limit contributions to authenticated users. And there is the LDAP > > authentication plugin for mediawiki ... > Yes, we could do invite only or get a new contributor to justify their > addition. But again, we have a great FAQ system for this. Ditto, there is a FAQ. > >> 4. We have to find the time to keep the howtos updated > > As the scratchpad wiki proves, I don't have *much* time ... but if a few > > people can spare a small amount of time, it may be viable. > We all seem to think we don't have a system in place for this, namely > the FAQ. I've only mentioned a wiki, as people are talking about it. > We've had the FAQ for years and years now, but people are still shy. Maybe if we just rename the FAQ and call it a Wiki then people will be happy? :) > >> 5. Resources, lack of resources, need more resources. > >> 6. etc..... > >> *My* first and foremost priority is to finish the Admin Guide, keep it > >> accurate and up to date. > >> I think, as we have done all along, we leave the 3rd party integration > >> to the 3rd party projects (like the wiki mentioned above). > > Which obviously isn't doing such a great job. It has worked for me any many others. I've migrated almost all our services to use OpenLDAP. > > Or, is this > > an area nss_ldap should cover (including the indexes, ACLs etc. that should > > be configured on the server side)? Yes, it is. > >> What we don't > >> want is a wiki where people come along and start posting How tos that we > >> don't have time to vet, which in turn starts to dilute the OpenLDAP > >> quality brand and take our time away with the little resources we have. > > It may be better than having hundreds of howtos out there in random places of > > much worse quality, leaving the impression that the OpenLDAP project prefers > > this to one authoritative place, where at least contributors or experts can > > correct mistakes (which we can't do for all the broken howtos). What i don't understand is that (a) there is an official place for Samba documentation (b) there is an official place for PAM documentation (c) there is an official place for NSS documentation (d) there is an official place for ISC Bind documentation (e) there is an official place for ISC DHCPd documentation (f) there is an official place for Cyrus IMAPd documentation........... so what is the problem? Either (1) the user chose not to look in the official place or (2) the project chose not to provide documentation related to LDAP. #1 is the user's problem and for #2 the user should contact that project, not complain to their DSA "vendor". If the user chose to look in "random places" they must expect documentation of "random" quality. > >> It's all very good having in depth guides, but sometimes it's better to > >> get something running and come back to the main docs. Disagree; that is just a sloppy approach to system administration. -- Adam Tauno Williams, Network & Systems Administrator Consultant - http://www.whitemiceconsulting.com Developer - http://www.opengroupware.org

--On Friday, September 21, 2007 1:27 PM -0300 Gabriel Stein <gabrielstein(a)gmail.com&gt; wrote: > I´m really apreciatte the answers of OpenLDAP Team, and my focus now is > contribute to Admin Guide with Gavin. But, I have some comments about > this question: why not put links about ISC DHCP Integration, Samba > Integration... etc.? Just put something on final of FAQ and Admin Guide, > like "If you need integrate OpenLDAP with this services, just follow > this links".

As long as they were only toplevel links, i.e. http://www.samba.org/ Since deeper links can (and often do) change.

>>> I've often thought about this, as Samba do similar at: >>> http://wiki.samba.org/index.php/Main_Page as do other major OSS projects. >> But, then if we look at a page relevant to *this* project, you get something >> like: >> http://wiki.samba.org/index.php/Samba_%26_LDAP#Setting_up_PAM_and_NSS_to_... >> Which is incomplete, misleading, and wrong on all distributions but SUSE. >> Or, you follow links on some of the other resources that have been posted in >> this thread, and you get something like this: >> http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... >> or this part: >> http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... >> And, they missed the usual advice of editing migrate_common.ph (instead of the >> easier method of setting the LDAP_BASEDN environment variable), by only using >> the dc=example,dc=com example, thus ensuring all other users will be confused >> later: >> http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenL... The date on the aforementioned page is also "2005-10-25", so it is pretty darn old. I've got no problem with people publishing anything they want, but it is also reasonable to expect people [users, certainly administrators] to pay attention to things like published date. I have an owner's manual for my 1919 Model-T Ford, but I don't expect it to be helpful in fixing my 2007 Ford Mustang. If a reader ignores the fact that a document is stale it is no ones fault but the readers, and if they complain about it they should be dope slapped. > Appreciated comments, but these projects *never* come to us and ask us > to review anything. Are we expected to spend all our time reviewing and > editing others work? Nope. >>> Here are the issues with your appreciated suggestions: >>> 1. The OpenLDAP project do not support 3rd Party software >> While I don't have a problem with this, the question is why should this >> prevent OpenLDAP project documentation (with suitable disclaimers) from >> covering how to allow OpenLDAP to support other LDAP client software. > But how many times do we need to cover it? No matter what client or > software using a Directory, it's always the same; custom schema (give or > take), relevant indexes and ACLs etc. Another client, another day. Exactly. If you understand LDAP *AND* the service you are configuring (Samba, NSS, PAM, RADIUS, etc...) then *MOST* stuff is pretty obvious and even drearily redundant after awhile. What I see is that allot of people want to skip one or both sides of the equation - if they want to do that they should hire a consultant. > > For >> example, the only documentation available for configuring Solaris for using >> LDAP for user/group accounts assumes you use JES LDAP. Sun certainly isn't >> going to write any, and I would like to put the details somewhere before I >> forget them. > But isn't that the duty of the authors of said software that provide > this functionality. Yes. >>> 3. We have to find the time to fight the wiki spam >> Not if you limit contributions to authenticated users. And there is the LDAP >> authentication plugin for mediawiki ... > Yes, we could do invite only or get a new contributor to justify their > addition. But again, we have a great FAQ system for this. Ditto, there is a FAQ. >>> 4. We have to find the time to keep the howtos updated >> As the scratchpad wiki proves, I don't have *much* time ... but if a few >> people can spare a small amount of time, it may be viable. > We all seem to think we don't have a system in place for this, namely > the FAQ. I've only mentioned a wiki, as people are talking about it. > We've had the FAQ for years and years now, but people are still shy. Maybe if we just rename the FAQ and call it a Wiki then people will be happy? :) >>> 5. Resources, lack of resources, need more resources. >>> 6. etc..... >>> *My* first and foremost priority is to finish the Admin Guide, keep it >>> accurate and up to date. >>> I think, as we have done all along, we leave the 3rd party integration >>> to the 3rd party projects (like the wiki mentioned above). >> Which obviously isn't doing such a great job. It has worked for me any many others. I've migrated almost all our services to use OpenLDAP. >> Or, is this >> an area nss_ldap should cover (including the indexes, ACLs etc. that should >> be configured on the server side)? Yes, it is. >>> What we don't >>> want is a wiki where people come along and start posting How tos that we >>> don't have time to vet, which in turn starts to dilute the OpenLDAP >>> quality brand and take our time away with the little resources we have. >> It may be better than having hundreds of howtos out there in random places of >> much worse quality, leaving the impression that the OpenLDAP project prefers >> this to one authoritative place, where at least contributors or experts can >> correct mistakes (which we can't do for all the broken howtos). What i don't understand is that (a) there is an official place for Samba documentation (b) there is an official place for PAM documentation (c) there is an official place for NSS documentation (d) there is an official place for ISC Bind documentation (e) there is an official place for ISC DHCPd documentation (f) there is an official place for Cyrus IMAPd documentation........... so what is the problem? Either (1) the user chose not to look in the official place or (2) the project chose not to provide documentation related to LDAP. #1 is the user's problem and for #2 the user should contact that project, not complain to their DSA "vendor". If the user chose to look in "random places" they must expect documentation of "random" quality. >>> It's all very good having in depth guides, but sometimes it's better to >>> get something running and come back to the main docs. Disagree; that is just a sloppy approach to system administration.

Buchan Milne wrote: > So, from a "what can I do with this software before I decide which one" > perspective, OpenLDAP will be at a disadvantage while we are prevented > from mentioning anything besides OpenLDAP. Nobody is preventing you from contributing docs about integrating with other systems to the FAQ-o-Matic. It would probably have taken you less time to write a useful page there than it took to compose that email.

Gavin Henry wrote: > Gabriel Stein wrote: >> We can >> create something like a wiki, using the OpenLDAP documentation and >> "translate" this things to Howto´s. > I've often thought about this, as Samba do similar at: > http://wiki.samba.org/index.php/Main_Page as do other major OSS projects. > > Here are the issues with your appreciated suggestions: I'm also tired of this yet-another-wiki-will-improve-documentation approach. Why? Because Wikis have to be filled with content by skilled people who have some spare time left. If they are able and willing to do the work (like fortunately Gavin does) they sure are able to give input without the need for a particular media. There are so many Wikis out there without any real content...

BTW: "Customers" want to have "official" looking docs => IMO the Admin Guide is the most suitable media to work with.

Ciao, Michael.

I'd love to also see, "It would be really helpful if x, y and x was covered".

So, for those of you using sets - why are they useful to you, and in what ways are they still too limited? I personally am concerned that they are too expensive to evaluate; if we could provide similar features using a less general model that would be worth exploring too.

--On Thursday, September 20, 2007 6:37 PM -0700 Russ Allbery <rra(a)stanford.edu&gt; wrote: > Howard Chu <hyc(a)symas.com&gt; writes: > >> So, for those of you using sets - why are they useful to you, and in what >> ways are they still too limited? I personally am concerned that they are >> too expensive to evaluate; if we could provide similar features using a >> less general model that would be worth exploring too. > I inherited this setup, so I don't know how useful it is or if there are > better ways of expressing the same thing, but we use it for: > > access to dn.children="cn=people,dc=stanford,dc=edu" > by set.exact="this/uid & user/uid" sasl_ssf=56 read This allows users who bind to the server to read their person entry when their binding user id matches the user id in the people tree.

> access to dn.children="cn=nis,dc=stanford,dc=edu" > by set.exact="this/host & user" sasl_ssf=56 read This was an experimental ACL for doing host based restrictions of user logins. It currently will never be used since this was never deployed. Still a cool idea though, I think. ;)

> access to dn.children="cn=accounts,dc=stanford,dc=edu" > by set.exact="this/uid & user/uid" sasl_ssf=56 read > by * break This allows users who bind to the server to read their account entry when their binding user id matches the user id in the entry in the account tree.

Basically, the first and third acls allow Stanford users to have full read on their own data, but keeps the restrictions in place on all other peoples data in both trees.

> Don't users just bind using account entries anyway? Isn't this the same > as "by self read" ? Or you're saying that there can be multiple accounts > with the same uid? There aren't, so I think you're right.

This is a concrete case of improvement: "slapd should not be silent on EACCES (or others)."

Use slaptest instead.

Emmanuel Dreyfus wrote: > Howard Chu <hyc(a)symas.com&gt; wrote: > >> Use slaptest instead. > Oh, right, I missed that one. Perhaps this is the missing piece in the > docs? It's not obvious how to explain it, though. I'm not sure the > sentence below is satisfying. > > -F slapd-config-directory > Specifies the slapd configuration directory. The > default is /usr/pkg/share/examples/openldap/slapd.d. If > both -f and -F are specified, the config file will be read > and converted to config directory format and written > to the specified directory before slapd starts regular > operations. slaptest(8) can also be used to just perform > the conversion. in slapd(8) in HEAD, the last sentence does say:

"All of the slap tools that use the config options observe this same behavior."

So that would imply slaptest. But maybe something clearer should be said? If you'd like to file an ITS, that would be best to track this. > Alternatively, perhaps it's the admin guide that should suggest running > slaptest -f -F in order to build the cn=config tree from slapd.conf? It > does not seem to contain the upgrade procedure at all. > I've added a placeholder to the cn=config section in the Guide, for me to fill out later: "Converting from slapd.conf(8) to a cn=config directory format"

Howard Chu wrote: Gavin Henry wrote: > Emmanuel Dreyfus wrote: >> Howard Chu <hyc(a)symas.com&gt; wrote: >> >>> Use slaptest instead. >> Oh, right, I missed that one. Perhaps this is the missing piece in the >> docs? It's not obvious how to explain it, though. I'm not sure the >> sentence below is satisfying. >> >> -F slapd-config-directory >> Specifies the slapd configuration directory. The >> default is /usr/pkg/share/examples/openldap/slapd.d. If >> both -f and -F are specified, the config file will be

>> and converted to config directory format and written >> to the specified directory before slapd starts regular >> operations. slaptest(8) can also be used to just perform >> the conversion. > > in slapd(8) in HEAD, the last sentence does say: > "All of the slap tools that use the config options observe this same > behavior." Not just in HEAD. That text has been there since May/June 2005, 2.3

OK. Well, there's no excuse for people missing it then. A bit of thought would lead them to slaptest. Or do we have to actually say slaptest. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

Thanks for that, but we have to assume some background knowledge ;-)

Emmanuel Dreyfus <manu(a)netbsd.org&gt; wrote: >> Thanks for that, but we have to assume some background knowledge ;-) > Then the amount of Hem, that one was sent too early :-) What is the amount of assumed knowledge? It would be fair to tell what are the requirement for reading the doc and where they can be acquired...

Emmanuel Dreyfus <manu(a)netbsd.org&gt; wrote: > > Thanks for that, but we have to assume some background knowledge ;-) > Then the amount of Hem, that one was sent too early :-) What is the amount of assumed knowledge? It would be fair to tell what are the requirement for reading the doc and where they can be acquired... -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

Emmanuel Dreyfus wrote: > Aaron Richton <richton(a)nbcs.rutgers.edu&gt; wrote: >> This is a concrete case of improvement: "slapd should not be silent on >> EACCES (or others)." > > Well, it's not silent: it sends an error to the logs.

> The oddity here is that there are two functionalities blent into the > same program: the LDAP server and the slapd.conf to slapd.d converter. > Moreover, it seems the latter cannot be used without launching the > former. Use slaptest instead.

Buchan Milne wrote: > On Friday 21 September 2007 06:07:47 Howard Chu wrote: >> Use slaptest instead. > > except that slaptest doesn't have a "run as another user" flag, and -u is > already taken :-(. Nor do the tools need such an option; you can just use su. The reason slapd can't be started with just "su ldap" is because it may need root privs to open the listener sockets. That's the only reason it has -u/-g options.

> At present, it seems that if you want to do the conversion while slapd is > running, and for a slapd that runs as non-root, something like this is > the best option: > > # slapd -u ldap -g ldap -d none -h > ldap://localhost:391/ -f /etc/openldap/slapd.conf -F > /etc/openldap/slapd.d > > As then > -The configuration will be converted > -slapd won't start up What makes you say that?

> -you will see any relevant errors > -all the files will be owned by the ldap user/group > -if it succeeds, a restart of slapd is all that is necessary to continue That seems like far more trouble than just using su...

You're assuming a back-bdb/hdb database. Not everyone uses them. There are quite a large number of installations using just back-ldap/meta etc... The slaptest invocation will always work.