On Thu, 30 Nov 2023 at 16:06, Bastian Tweddell <b.tweddell@fz-juelich.de> wrote:
> Please also note [1]:
> ```
> The older style slapd.conf(5) file is still supported, but its use is
> deprecated and support for it will be withdrawn in a future OpenLDAP
> release.
> ```
> Is this already on the roadmap when this will happen?
I really hope this never happens.
The one and only advantage I see to OLC is that you can make some
changes on the fly, without restarting the server. But is this
ever necessary, or even advisable in a production environment?
In production, people want LDAP servers to be perfectly stable
and reliable software-as-an-appliance. They will run 10 (even 20)
years this way.
Production configuration should be immutable. The configuration
should not need to change from day to day within production. And
even when it does, if clients are configured correctly, there is
the ability to restart individual servers without impacting the
entire service.
As for sync'ing cn=config, I've tried it. I don't see the
advantage of it over having one configuration file (or maybe one
each for providers and another for consumers) and then deploying
each from source control, and controlled with file signature
monitoring, for extra security.
You can have the best of both worlds by enabling the config database,
but not converting to it. This "converts" your slapd.conf into the
memory-based OLC which can be updated on the fly, but not persisted.
To me this is the ideal, but then even still, within many of these
setups, I have never needed to use the OLC for on-the-fly changes, so
in retrospect, do not see the necessity of this.
In summary, I see great value to continuing to support the
slapd.conf file-based config, especially for production, and I see
a lot of risk induced by deprecating it and forcing people to use
OLC. OpenLDAP project, would you please consider not deprecating
slapd.conf?
Chris Paul | Rex Consulting | https://www.rexconsulting.net
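The "enable the config database, but not converting to it" setup described in the message above, as an added illustration that is not part of the thread or of the OpenLDAP project's documentation. It is a constructed slapd.conf fragment: schema and data paths, the suffix and the rootdn are placeholders, and it assumes slapd is started with `-f slapd.conf` and no `-F`, so that writes to cn=config stay in memory and the file in source control remains the only persisted configuration.

```conf
# slapd.conf (constructed example; paths, suffix and DNs are placeholders)
include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Expose the running configuration as cn=config without converting to OLC.
# With "slapd -f slapd.conf" (no -F), modifications made over LDAP apply to
# the in-memory config only; the next restart re-reads this file.
database        config
# No rootpw is set for cn=config. Only local root connecting over the
# ldapi:// socket with SASL EXTERNAL may read or change it; all other
# binds, including anonymous, see nothing.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# Ordinary data database follows as usual.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/openldap/data
```

The ACL only helps if the ldapi:// listener is actually enabled on the slapd command line (for example `-h "ldap:/// ldapi:///"`), and the deployed file should be syntax-checked with `slaptest -f slapd.conf` before the restart that makes it live, so a bad commit is caught before it takes a server out of the pool.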