Nick Milas wrote:
Question 2. Is there a way we can add (manually, since conversion removed the ones which existed in initial configuration files) line breaks in olcAccess attribute value so it can be more legible (for administrative purposes)?
*You do not like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
*but prefer something like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: to *
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 by * break
olcAccess: to dn.exact=""
 by * read
olcAccess: to dn.base="cn=Subschema"
 by * read
I think it is legible. And the openldap ldif parser is still happy.
The quite old stream editor sed helps.
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.

# the whole script
# strip the {n} ordering prefix; braces are escaped so that -r (ERE)
# does not try to read "{[[:digit:]]+}" as an interval expression
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
# collect the whole entry in hold space; 1h instead of H on the first
# line avoids an empty line at the top of the output
1h
1!H
$!d
# on the last line: fetch everything, join LDIF continuation lines
# (newline + space), then start a new folded line before every "by"
${g;s/\n //g;s/[[:space:]]+by /\n by /g}
Use the script at your own risk! I wrote it some months ago and it works for me. I do not cover the case where an entry in an ACL has the keyword *by* in the DN. Something like this: "cn=produced by company,dc=example,dc=com"
Usage examples on a Debian system:
a) small data
# ldapsearch -LLLY external -H ldapi:/// -b 'olcDatabase={1}monitor,cn=config' 'olcaccess=*' olcaccess 2>/dev/null|fmt_olcAccess
dn: olcDatabase={1}monitor,cn=config
olcAccess: to *
 by dn.exact="cn=admin,dc=delixs-schule,dc=de" read
 by set="[cn=admin,dc=delixs-schule,dc=de]/roleOccupant/member & user" read
 by * none
b) much more data
slapcat -n0 |fmt_olcAccess |less
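As an added example (not the sed script from the post above): a Python reformatter that does the same three steps, unfolding LDIF continuation lines, dropping the {n} ordering prefix and starting a new folded line before each "by", but tracks double quotes so that a DN such as cn=produced by company,dc=example,dc=com is left intact, the case the sed script does not cover. It folds with two leading spaces (the RFC 2849 fold marker plus the value's own separator) so that unfolding restores the exact original value, and rule order, which slapd evaluates top to bottom, is unchanged. The sample LDIF embedded in it is constructed.

```python
import re

# Constructed sample (not taken from the post): a numbered olcAccess value folded
# onto a continuation line, plus a quoted DN that contains the word "by".
SAMPLE_LDIF = (
    'dn: olcDatabase={-1}frontend,cn=config\n'
    'olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external\n'
    ' ,cn=auth manage by * break\n'
    'olcAccess: {1}to dn.exact="" by dn.exact="cn=produced by company,dc=example,dc=com" read by * none\n'
)

ORDER_PREFIX = re.compile(r'^(olcAccess: )\{\d+\}')


def unwrap_ldif(text):
    """Join LDIF continuation lines (leading single space) onto their attribute line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_by_clauses(value):
    """Return the '<what>' part, then one string per 'by <who> <access>' clause."""
    parts, current, in_quotes = [], [], False
    for token in value.split():
        if token == 'by' and not in_quotes:
            parts.append(' '.join(current))
            current = []
        current.append(token)
        if token.count('"') % 2:      # unbalanced quote flips the quoting state
            in_quotes = not in_quotes
    parts.append(' '.join(current))
    return parts


def fmt_olcaccess(text):
    """Drop {n} ordering numbers and fold one 'by' clause per line; order is kept."""
    out = []
    for line in unwrap_ldif(text):
        if line.startswith('olcAccess: '):
            what, *clauses = split_by_clauses(ORDER_PREFIX.sub(r'\1', line))
            out.append(what)
            # fold marker + the value's own space, so unfolding gives the exact value back
            out.extend('  ' + clause for clause in clauses)
        else:
            out.append(line)
    return '\n'.join(out) + '\n'
```

Feed it `slapcat -n0` output and the result unfolds back to the original values minus the ordering numbers, which is what "still machine parseable" needs.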