Quanah Gibson-Mount wrote:
> --On Thursday, April 18, 2013 7:18 AM -0300 Diego Woitasen diego@woitasen.com.ar wrote:
>> I know that I could remove it from the filesystem, but I wouldn't.
>
> You can use slapcat -n 0 to export your cn=config database to LDIF. Modify the LDIF for cn=config to no longer reference back-shell, and then reload your cn=config DB using slapadd -n 0.
IIRC the official OpenLDAP developer statement about this approach was up to now: Don't do that!
> Personally I'd like to see some sort of offline mode for slapd that allows you to purely edit cn=config over ldapi:/// where slapd only accepts connections from the rootdn, and will only respond to queries against the cn=config DIT.
Well, the ldapi:/// thing already works. Only for default builds deleting something from cn=config does not work at all.
How about the following: Allow entry deletion under cn=config only if the ManageDsaIT or Relax Rules control is used. This would make it very clear that the deployer changing configuration cannot expect that every sequence of changes simply works without causing a downtime for clients or even failing in between.
Ciao, Michael.
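The "modify the LDIF" step of the slapcat / edit / slapadd route Quanah describes is the part that is easy to get wrong by hand, because the shell database entry has a subtree beneath it and the remaining olcDatabase and olcModuleLoad ordinals are X-ORDERED values. The script below is an added example, not code from this thread or from the OpenLDAP project. It assumes the shell backend was exported as an entry with RDN olcDatabase={N}shell (objectClass olcShellConfig) and loaded via an olcModuleLoad value of back_shell (with or without an {n} prefix or .la suffix); the sample LDIF is constructed to look like trimmed slapcat -n 0 output and is not from a real server.

```python
"""Offline edit of a slapcat'ed cn=config LDIF: drop the back-shell database
and everything beneath it, drop the back_shell module load, and renumber the
remaining ordered values so the result can be fed back with `slapadd -n 0`.

Added example for the thread above; not OpenLDAP project code. Assumption:
the shell database was exported with RDN olcDatabase={N}shell and the
module load value matches back_shell, optionally prefixed "{n}" or suffixed ".la".
Ordinals are renumbered contiguously here on the assumption that a gap-free
sequence is the safest input for slapadd.
"""
import re

# Constructed sample resembling `slapcat -n 0` output (operational attrs omitted).
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_shell
olcModuleLoad: {2}back_monitor

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config

dn: olcDatabase={1}shell,cn=config
objectClass: olcDatabaseConfig
objectClass: olcShellConfig
olcDatabase: {1}shell
olcSuffix: dc=legacy,dc=example
olcDbSearch: /usr/local/libexec/search.sh

dn: olcOverlay={0}rwm,olcDatabase={1}shell,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={3}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {3}monitor
"""

LINE = re.compile(r"^([^:]+)(::|:<|:)\s?(.*)$")          # attr, separator, value
DB_RDN = re.compile(r"^olcDatabase=\{(-?\d+)\}([^,]+),cn=config$", re.I)
ANY_DB_RDN = re.compile(r"olcDatabase=\{-?\d+\}[^,]+", re.I)
SHELL_MODULE = re.compile(r"^(\{\d+\})?back_shell(\.la)?$", re.I)
ORDINAL = re.compile(r"^\{-?\d+\}")


def parse_ldif(text):
    """Split LDIF into entries, each a list of (attr, sep, value); folded lines are joined."""
    entries, cur = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and cur:                  # continuation of the previous value
            a, s, v = cur[-1]
            cur[-1] = (a, s, v + raw[1:])
        elif not raw.strip():
            if cur:
                entries.append(cur)
                cur = []
        elif not raw.startswith("#"):
            m = LINE.match(raw)
            cur.append((m.group(1), m.group(2), m.group(3)))
    if cur:
        entries.append(cur)
    return entries


def serialize(entries):
    return "\n".join("\n".join(f"{a}{s} {v}" for a, s, v in e) + "\n" for e in entries)


def entry_dn(entry):
    return next(v for a, _, v in entry if a.lower() == "dn")


def is_shell_db(dn):
    m = DB_RDN.match(dn)
    return bool(m) and m.group(2).lower() == "shell"


def remove_back_shell(text):
    entries = parse_ldif(text)

    # 1. Drop every olcDatabase={N}shell entry together with its subtree (overlays etc.).
    shell_dns = [entry_dn(e).lower() for e in entries if is_shell_db(entry_dn(e))]

    def under_shell(dn):
        dn = dn.lower()
        return any(dn == s or dn.endswith("," + s) for s in shell_dns)

    kept = [e for e in entries if not under_shell(entry_dn(e))]

    # 2. Remove the back_shell olcModuleLoad value and renumber the remaining ordered values.
    for e in kept:
        out, idx = [], 0
        for a, s, v in e:
            if a.lower() == "olcmoduleload":
                if SHELL_MODULE.match(v):
                    continue
                v, idx = f"{{{idx}}}" + ORDINAL.sub("", v), idx + 1
            out.append((a, s, v))
        e[:] = out

    # 3. Renumber top-level databases {0},{1},... in file order; {-1}frontend is left alone.
    rename, nxt = {}, 0
    for e in kept:
        m = DB_RDN.match(entry_dn(e))
        if m and int(m.group(1)) >= 0:
            old = f"olcDatabase={{{m.group(1)}}}{m.group(2)}".lower()
            rename[old] = f"olcDatabase={{{nxt}}}{m.group(2)}"
            nxt += 1

    def fix(s):  # rewrite a database RDN wherever it occurs, including in child DNs
        return ANY_DB_RDN.sub(lambda mm: rename.get(mm.group(0).lower(), mm.group(0)), s)

    for e in kept:
        for i, (a, s, v) in enumerate(e):
            if a.lower() == "dn":
                e[i] = (a, s, fix(v))
            elif a.lower() == "olcdatabase":
                e[i] = (a, s, fix("olcDatabase=" + v)[len("olcDatabase="):])
    return serialize(kept)


def database_rdns(text):
    """Top-level database RDNs in file order, e.g. ['olcDatabase={0}config', ...]."""
    return [entry_dn(e).split(",", 1)[0] for e in parse_ldif(text) if DB_RDN.match(entry_dn(e))]


def module_loads(text):
    return [v for e in parse_ldif(text) for a, _, v in e if a.lower() == "olcmoduleload"]


if __name__ == "__main__":
    print(remove_back_shell(SAMPLE_CONFIG_LDIF))
```

In practice the input would come from `slapcat -n 0 -l config.ldif` with slapd stopped; after editing, move the old slapd.d directory aside (keep it as the rollback), load the result with `slapadd -n 0 -F /etc/ldap/slapd.d -l config-edited.ldif`, and run `slaptest -F /etc/ldap/slapd.d` before starting slapd again. As Michael notes above, this is not the route the OpenLDAP developers endorse, so the backup of the original slapd.d is not optional.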