On Wed, Nov 28, 2018 at 11:05 AM Quanah Gibson-Mount <quanah(a)symas.com>
--On Wednesday, November 28, 2018 10:16 AM -0800 Daniel Howard

># This file MUST be edited with the 'visudo' command as root.
> Perhaps this is a consideration that is already on the roadmap?

You mean like it already does? :)

head -1 cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.

Quanah, (and Howard)
That is certainly a warning. It would be more easily noticed with a bit
more whitespace around it, as you find in the sudoers file. This warning is
not as helpful as the visudo warning, as it does not give the user a way to
edit the file. A wrapper script, or a link to a good document on managing
configurations, would be more useful.

For example, if I follow the advice in sudoers, and I type "visudo" then I
get to edit /etc/sudoers, with a validation before the file can go live.
This is fantastic!

If I follow the advice here, and type "ldapmodify" then I get an error
message. If I research the correct command line, then, in my experience, I
manage to import multiple conflicting configs into the system that crash
the server. I then research some more, and find that ldapmodify cannot
delete the conflicting configs. I research some more, and learn that I
could just remove them from the filesystem. As I wish to be a good citizen,
I share this knowledge, and I am told that this is wrong, and I need to use
slapcat to export, delete my config files, then slapadd to import, using a
different set of flags than ldapmodify. Perhaps you can spare a moment of
empathy to acknowledge how frustrating this must be for a user.

I appreciate your warnings, but given the cumbersome and, in my experience,
dangerous nature of managing config files through ldapmodify, I am inclined
to very carefully tweak the config files in the config directory. If,
however, there was a convenient, safe wrapper, like visudo, or a reference
to a reassuring doc that explains the right way to do things, then I would
preach the good news.

A potentially minor improvement along these lines could be a very nice
feature enhancement for OpenLDAP. Thank you for your consideration.
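The kind of wrapper asked for above, sketched as an added example (not an OpenLDAP tool and not from anyone in this thread): it backs up database 0 with slapcat, applies the LDIF over ldapi:/// with ldapmodify, re-parses the result with slaptest the way visudo re-parses sudoers, and prints the slapadd restore path on failure. It assumes an LDIF-style config directory at CONFDIR and that local root has SASL EXTERNAL access to cn=config; the paths and the ldif_targets_config guard are this example's own choices.

```shell
#!/bin/sh
# Hypothetical "visudo for cn=config" wrapper (added example, not an OpenLDAP tool).
# Assumptions: slapd uses an LDIF-style config directory (CONFDIR) and the
# local root can reach cn=config over ldapi:/// with SASL EXTERNAL.
set -eu

CONFDIR="${CONFDIR:-/etc/openldap/slapd.d}"
LDAPI="${LDAPI:-ldapi:///}"

# Guard: every "dn:" in the LDIF must end in cn=config, so a file written for
# the data tree cannot be applied to the config database by mistake.
# Returns 0 when the file is safe to apply, 1 otherwise.
ldif_targets_config() {
    n_total=$(grep -c '^dn:' "$1" || true)
    n_bad=$(grep '^dn:' "$1" | grep -vic 'cn=config[[:space:]]*$' || true)
    [ "$n_total" -gt 0 ] && [ "$n_bad" -eq 0 ]
}

# Back up database 0 (cn=config itself), apply the change, then re-parse the
# config directory (slaptest -u is a dry run: it checks the config without
# opening the databases). On failure, print the slapadd restore procedure
# rather than leaving a config directory slapd may refuse to load.
apply_config_change() {
    ldif="$1"
    if ! ldif_targets_config "$ldif"; then
        echo "refusing $ldif: not every dn: ends in cn=config" >&2
        return 2
    fi
    backup=$(mktemp /tmp/cn-config.XXXXXX)
    slapcat -n 0 -F "$CONFDIR" -l "$backup"
    if ldapmodify -Y EXTERNAL -H "$LDAPI" -f "$ldif" && slaptest -F "$CONFDIR" -u; then
        echo "applied $ldif; pre-change backup kept at $backup"
        return 0
    fi
    echo "change failed or config no longer parses; restore with:" >&2
    echo "  (stop slapd) && rm -rf '$CONFDIR'/* && slapadd -n 0 -F '$CONFDIR' -l '$backup'" >&2
    return 1
}

if [ $# -gt 0 ]; then
    apply_config_change "$1"
fi
```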