On 8/22/20 4:52 AM, Quanah Gibson-Mount wrote:
--On Friday, August 21, 2020 8:47 PM -0500 David Arnold dar@xoe.solutions wrote:
# yes, really read-only! readonly on restrict write
That's... really really dumb. It should absolutely be possible to tweak things in the cn=config db.
For Æ-DIR I deliberately chose ansible as authorative config management which generates static site-specific slapd.conf for all the replicas. (I don't want to start yet another fight about the pros and cons here. Raise your questions off-list why I'm doing this.)
In this case it would be really really dumb to allow direct altering of cn=config and would cause lots of trouble for the average sysadmin. cn=config is provided read-only for the monitoring check.
David is using Æ-DIR in a non-supported container setup experimenting with a PKI issuing short-term certs. While it's somewhat interesting what will come out of these experiments I have to emphasize that it's far from standard Æ-DIR operation.
Ciao, Michael.