Ted Johnson wrote:
----- Original Message ----
From: Pierangelo Masarati ando@sys-net.it
To: Ted Johnson whatawonderfulworldweliveintoo@yahoo.com
Cc: OpenLDAP-software@openldap.org
Sent: Sunday, October 15, 2006 5:28:09 PM
Subject: Re: Slapd.d Config File
Ted Johnson wrote:
- Does someone out there in OpenLDAP-land have a slapd.d conf file
they could share?
Try "/usr/local/libexec/slapd -f slapd.conf -F ./slapd.d your-already-existing-empty-configuration-dir"
In my original mail I've never specified what path you were supposed to find slapd in.
Interesting. It complained there was no slapd binary.
Where your binaries are located, and what path you use is not relevant to this discussion.
Now, that worried me. I ran a search and found a binary here: /usr/local/libexec/slapd. Now, since it wasn't in a bin dir, I didn't think that would work, but I didn't think it would hurt anything either, so I ran your command but with an absolute path to that binary, and voilà! there were the files.
- Are the following still correct?
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
pam_ldap
pam_ldap has never been a valid slapd.conf directive
How does one include modules, then?
I don't understand what "pam_ldap" may have to do with slapd's modules. Also, I don't understand why you talk about modules if you don't have any idea of what they're supposed to do. Note that, unless you build slapd with module support, and you build components as modules, they will be statically built into slapd. The fact that you use statically built-in or run-time loaded modules, in any case, has nothing to do with a general discussion on using cn=config; I suggest to keep the two discussions separate.
Also, do you know of a good reference that would list all the modules with which OpenLDAP works and a description of them? Googled and got zip.
./configure --help.
sasl-host ldap.2012.vi
TLSRandFile /dev/random
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
TLSCACertificatePath /etc/ssl/openldap/
TLSCACertificateFile /etc/ssl/cacert.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
TLSVerifyClient demand # ([never]|allow|try|demand)
a hash mark ('#') followed by text is interpreted as an argument to the command that starts the line, not as a comment (as I assume you mean it).
No. Thanks.
loglevel 256
database bdb
suffix "dc=2012,dc=vi"
rootdn "cn=admin,dc=2012,dc=vi"
directory /var/lib/ldap
index objectClass eq,pres
access: to dn.base="/var/lib/ldap" by root read
No colon (':') after "access" is allowed in the "access" access control directive
database monitor
The above seems to be a collection of partially incorrect slapd.conf statements. Provided you fix what's wrong, it should be fine to generate the cn=config database following indications above. Note that you don't have to generate the cn=config database unless you intend to use it, and I suggest you don't until you understand all the implications and its general usefulness. From your message, it appears you didn't understand it yet, and you got the false perception that the traditional way of configuring slapd is no longer valid, which is absolutely not true.
Well, I was just following directions ;) ***This list*** told me to ask my beginner questions at ldap@umich.edu.
The questions you just asked are OpenLDAP specific, and in fact you got OpenLDAP specific answers (as good as mine can be, at least). I don't see how that list could have helped you thru details of very recent OpenLDAP development. I'm not saying you can't ask beginner's questions; of course they're welcome as soon as they can lead to improving your (and others') understanding of how things work. It seems to me that starting with cn=config while you don't appear to have a clear understanding of how OpenLDAP's slapd works sounds a bit too ambitious. All in all, cn=config is a __very__ new feature. My point is that there's tons of info out there about how to configure slapd via slapd.conf(5), and yet too little about how to do it using cn=config (and the most authoritative documentation for both is the Admin Guide http://www.openldap.org/doc/admin23/). So I suggest you stick with slapd.conf(5) by now; it's up to you to follow advice, though :).
*That* list recommended all sorts of material to study. And there is a __lot__ of confusion created from following these divergent suggestions. Unfortunately, the documentation on openldap.org is __very__limited__ and needs to be supplemented.
The project is open; the FAQ http://www.openldap.org/faq/data/cache/1.html is interactive, and http://www.openldap.org/devel/contributing.html details how to contribute, if you think the documentation needs to be supplemented. Saying that may sound a bit offensive to all persons that spent their spare time in writing a fair amount of documentation (> 3 MB of man pages; 16 chapters of Admin Guide; ~2000 nodes of FAQ; ...). If you can suggest specific improvements to specific portions of documentation, feel free to post them; if all you have to say is "__very__limited__", well... (silently counting to a billion...)
Maybe easy for you guys, but I live on top of a mountain in the middle of nowhere in the Dominican Republic with my trusty satellite dish...and getting books here via Amazon takes longer than you'd think and costs a fortune. So, I have to rely on what's available online...and in this case, it's been disappointing, to say the least.
All documentation on OpenLDAP.org is plain HTML or txt (man pages), so downloading it shouldn't be a big deal. Note that all the indications you got so far from me have been taken from the Admin Guide http://www.openldap.org/doc/admin23/. I don't know what documentation you read so far, but if you didn't read (and understand) the Admin Guide I strongly urge you to do so. Man pages like slapd.conf(5), slapd.access(5) and backend (and overlay) specific pages, like slapd-bdb(5) may be of help in understanding the details of each statement.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
openldap-software@openldap.org