Dameon Wagner wrote:
> I really do like the idea of being able to tweak and update the configuration without needing to HUP slapd (it's a shame there's no "reload" option, in addition to "restart"),
SIGHUP is "reload". You probably refer to "restart=stop/start".
> especially for things like updating ACLs that are usually considered trivial/standard changes.
In my setups ACL changes are most times not trivial. They need decent change management with staging and integration tests anyway.
> Compared to that, having to run ldapadd/ldapmodify on all those hosts is an awkward proposition.
But that's the only way to change cn=config without stopping slapd.
> Stating that slapd-config is not a flat-file system is a little unfair too, given that it's on disk in LDIF format (even if it should be left alone). Our config management system can build LDIF using templating (can't they all?); the issue is running a diff against that and the running cn=config, and applying the changes cleanly, idempotently, and atomically -- is there anything that will fill the pre-flight `slaptest` role when support for slapd.conf is removed?
1. You have to stop slapd to directly change LDIF files of cn=config.
2. According to OpenLDAP developers you must not tweak the LDIF files directly because they have checksums. The recommended way of making LDIF changes to cn=config is to 1. slapcat -b cn=config, 2. make changes to the LDIF, 3. stop slapd and 4. re-import the LDIF.
Note that if the config is broken for whatever reason, step 1 will not work anymore, leading to an operational dead-end.
3. Changing the config of a running server is only possible via LDAP. I already thought about writing an ansible module doing the idempotent diffs via LDAP. But the hard part is a roll-back or removing parts, since back-config does not support delete operations in 2.4.x. IMO it's not worth the effort, also because one would have to keep a complete representation of cn=config as a static file anyway.
Ciao, Michael.
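As an added illustration of the "idempotent diff via LDAP" idea from point 3 (example code written for this page, not from the thread's participants or from OpenLDAP): the script below compares the running olcAccess values of a cn=config database with the desired ordered list and, only when they differ, renders a single `replace: olcAccess` modify as LDIF for ldapmodify. The database DN and the current/desired values are constructed assumptions; replacing an attribute's values is an ordinary modify, not an entry delete, so it does not hit the back-config limitation mentioned above.

```python
# Added example (not from the thread): plan an idempotent olcAccess change
# for a cn=config database entry and render it as an ldapmodify LDIF.
# Assumptions: the database DN is olcDatabase={1}mdb,cn=config and the
# current values were read beforehand (e.g. ldapsearch -b cn=config).
import re

ORDER_PREFIX = re.compile(r"^\{\d+\}")


def normalize(values):
    """Strip the {N} ordering prefix; list position carries the order."""
    return [ORDER_PREFIX.sub("", v).strip() for v in values]


def plan_olcaccess(current, desired):
    """Return the new numbered olcAccess values, or None if nothing to do.

    One replace of the whole attribute is used on purpose: slapd applies it
    as a single LDAP modify, so the ACL order never passes through a
    half-applied state, and re-running with identical input is a no-op.
    """
    if normalize(current) == normalize(desired):
        return None
    return ["{%d}%s" % (i, v) for i, v in enumerate(normalize(desired))]


def render_ldif(dn, new_values):
    """Render a changetype: modify LDIF that ldapmodify can apply."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: olcAccess"]
    lines += [f"olcAccess: {v}" for v in new_values]
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample data: what the server has vs. what we want.
CURRENT = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to * by * read",
]
DESIRED = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    "to attrs=shadowLastChange by self write by * read",
    "to * by * read",
]

if __name__ == "__main__":
    change = plan_olcaccess(CURRENT, DESIRED)
    if change is None:
        print("olcAccess already in desired state")
    else:
        print(render_ldif("olcDatabase={1}mdb,cn=config", change), end="")
```

The rendered LDIF can be fed to `ldapmodify -Y EXTERNAL -H ldapi:///` on each host; running the planner a second time against the updated values returns None, which is the idempotency check a configuration-management module would key on.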