On Fri, Sep 15, 2017 at 10:55:10AM +0100, Dameon Wagner wrote:
> On Fri, Sep 15 2017 at 11:22:44 +0200, Michael Ströder scribbled
>> I already thought about writing an Ansible module doing the idempotent diffs via LDAP. But the hard part is a roll-back or removing parts since back-config does not support delete operations in 2.4.x. IMO it's not worth the effort, also because one would have to keep a complete representation of cn=config as static file anyway.
> I completely agree. I really hope that if/when slapd.conf support is removed there's already some form of "conventional" configuration management integration available.
cn=config delete support exists in master, as well as slapmodify tools that work on cn=config and, with a tiny nudge (cn=config suffix itself is reserved for back-config), the underlying ldif database if you really do get into a bind. And slaptest works with cn=config just fine already. All that will have been firmly in place by the time slapd.conf is removed.
What you really need is ldif diff tools and you might have luck perusing the OpenLDAP source tree or elsewhere (ldapvi?).
I know LDAP TXN support for cn=config might be just what you'd see as the silver bullet but I don't see that happening, not yet, sorry.
Regards,
-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
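
Added example (not from the thread participants or the OpenLDAP project): a minimal idempotent LDIF diff of the kind discussed above, comparing a current cn=config export with a desired-state file and emitting ldapmodify-style change records. Entries that would need an entry delete, which the thread says back-config in 2.4.x does not support, are reported separately instead of being emitted. The names parse_ldif and diff_config are hypothetical; it assumes both files come from the same exporter (same attribute-name case, plain rather than base64 values) and that DNs contain no escaped commas.

```python
def parse_ldif(text):
    """Parse plain-text LDIF into {dn: {attr: [values]}}, unfolding wrapped lines."""
    entries, dn = {}, None
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for line in (l for l in text.split("\n") if not l.startswith("#")):
        name, _, rest = line.partition(":")
        if not line.strip():
            dn = None                                   # blank line ends the entry
        elif rest[:1] in (":", "<"):
            raise ValueError(f"base64/URL value not handled: {name}")
        elif name.lower() == "dn":
            dn = rest.strip()
            entries[dn] = {}
        elif dn is not None:                            # skips "version: 1" header
            entries[dn].setdefault(name, []).append(rest.strip())
    return entries

def diff_config(current, desired):
    """Return (LDIF change records, DNs whose removal needs an entry delete)."""
    changes = []
    for dn in sorted(desired, key=lambda d: d.count(",")):    # parents before children
        want, have = desired[dn], current.get(dn)
        if have is None:
            rec = ["changetype: add"] + [f"{a}: {v}" for a in want for v in want[a]]
        else:
            rec = ["changetype: modify"]                      # value order is significant
            for a in sorted(k for k in {*have, *want} if have.get(k) != want.get(k)):
                rec += [f"replace: {a}"] + [f"{a}: {v}" for v in want.get(a, [])] + ["-"]
        if len(rec) > 1:                                      # unchanged entries emit nothing
            changes.append("\n".join([f"dn: {dn}"] + rec))
    removed = sorted(set(current) - set(desired), key=lambda d: (-d.count(","), d))
    return changes, removed

# Constructed, abbreviated sample data: live export vs. desired state under version control.
CURRENT = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
olcOverlay: {0}memberof
"""
DESIRED = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
olcDbIndex: uid eq

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
olcOverlay: {0}syncprov
"""
```

Running diff_config on an unchanged pair returns two empty lists, which is what makes a repeated configuration-management run a no-op.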