Michael, hello.
On 5 Apr 2022, at 16:01, Michael Ströder wrote:
> On 4/5/22 08:10, David Timber wrote:
>> I know how to import schemas with cn=config. That was never a question. I was just complaining because it's a tedious process and I believe that it shouldn't be like this.
>
> I also think that cn=config should not be so complicated. And I've looked into supporting this schema in web2ldap.
Can you say a little more about how slapd.d is complicated? I ask because I've never used slapd.conf, and I'm worried I'm missing something, or that there's an interestingly different perspective on how to configure OpenLDAP, which I could usefully learn about.
If I want to set up a new (testing?) instance, or test a tweaked configuration, then I blow away any pre-existing slapd.d, slapadd slapd.ldif, upload a dump of the live database (which takes a few seconds with -q), start slapd, and off we go.
All of the configuration is in that single slapd.ldif file. I might occasionally make live tweaks to the configuration with ldapmodify, but after testing I would freeze them in the version-controlled slapd.ldif.
I can see that there's a way of working where the 'live' cn=config tree is the source of truth, and one backs that up carefully, but that doesn't seem an entirely comfortable way of working, to me. And I can see that if there were a very high volume of writes, then the few seconds of primary-server downtime here could become intricate. But if one had a setup like that, then presumably one has a multi-master configuration, so that the primaries could have their configurations updated from a single slapd.ldif in rotation.
> For now I'm just happy that static slapd.conf is still supported. It's still the most DevOps-friendly way to configure OpenLDAP.
I'm not really sure what devops-friendly means here. I think my problem -- the source of my puzzlement -- is that I can't see much significant difference between slapd.conf and slapd.ldif other than details of the syntax (which to my eyes is less weird in the latter case than the former).
Or: what would I be losing if support for slapd.conf disappeared tomorrow?
Best wishes,
Norman