On Wed, Nov 28, 2018 at 11:05 AM Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Wednesday, November 28, 2018 10:16 AM -0800 Daniel Howard
<dannyman@toldme.com> wrote:

># This file MUST be edited with the 'visudo' command as root.
> Perhaps this is a consideration that is already on the roadmap?

You mean like it already does? :)

head -1 cn\=config.ldif

Quanah, (and Howard)

That is certainly a warning. It would be more easily noticed with a bit more whitespace around it, as you find in the sudoers file. This warning is not as helpful as the visudo warning, as it does not give the user a way to edit the file. A wrapper script, or a link to a good document on managing configurations, would be more useful.

For example, if I follow the advice in sudoers, and I type "visudo" then I get to edit /etc/sudoers, with a validation before the file can go live. This is fantastic!

If I follow the advice here, and type "ldapmodify" then I get an error message. If I research the correct command line, then, in my experience, I manage to import multiple conflicting configs into the system that crash the server. I then research some more, and find that ldapmodify can not delete the conflicting configs. I research some more, and learn that I could just remove them from the filesystem. As I wish to be a good citizen, I share this knowledge, and I am told that this is wrong, and I need to use slapcat to export, delete my config files, then slapadd to import, using a different set of flags than ldapmodify. Perhaps, you can spare a moment of empathy to acknowledge how frustrating this must be for a user.

I appreciate your warnings, but given the cumbersome and, in my experience, dangerous nature of managing config files through ldapmodify, I am inclined to very carefully tweak the config files in the config directory. If, however, there was a convenient, safe wrapper, like visudo, or a reference to a reassuring doc that explains the right way to do things, then I would preach the good news.

A potentially minor improvement along these lines could be a very nice feature enhancement for OpenLDAP. Thank you for your consideration.