Michael Ströder wrote:
> HI!
> I have to admit that when writing a static slapd.conf I do not make any distinction regarding global config section and frontend config section.
> So I wonder which criteria are applied to determine whether a parameter is put into cn=config (olcGlobal) or olcDatabase={-1}frontend (olcFrontendConfig) when converting slapd.conf to dynamic config.

In OpenLDAP 2.3 most global parameters were put into olcGlobal. We moved parameters into olcFrontendConfig in OpenLDAP 2.4 whenever we found an item that might depend on a loadable module, since olcModules are processed after olcGlobal. The parser still accepts these items in olcGlobal, to retain compatibility with configs migrated from 2.3, but in freshly generated configs, the 2.4 olcGlobal will omit them.

> Looking at a concrete configuration it does not make sense to me to put attribute olcPasswordHash into olcDatabase={-1}frontend while putting olcPasswordCryptSaltFormat into cn=config. There could even be conflicting values in both entries.

A salt format is just a plain string, so it has no particular dependencies. A hash requires actual code to implement it, and may depend on olcModule.

> Background: I'd like to determine which password hash scheme and salt format is configured by searching in back-config.
> Ciao, Michael.
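
An added example, not part of the original thread: a small audit helper that reads an LDIF dump of the config database and reports where olcPasswordHash and olcPasswordCryptSaltFormat are set, flagging the case raised above where cn=config and olcDatabase={-1}frontend carry different values. The function names and the sample LDIF are constructed for illustration; the script only reports a conflict and does not assume which entry slapd gives precedence, since the thread does not say.

```python
import base64

# Constructed sample of a config LDIF dump; not taken from the thread.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
olcPasswordCryptSaltFormat: $6$%.16s
olcPasswordHash: {SSHA}

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcFrontendConfig
olcPasswordHash:: e0NSWVBUfQ==
"""
WATCHED = ("olcpasswordhash", "olcpasswordcryptsaltformat")

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}; handles folded and base64 lines."""
    entries, lines, current = {}, [], None
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        if not line.strip():                  # blank line ends the entry
            current = None
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries

def password_settings(entries):
    """Map each watched attribute to {dn: values} for olcGlobal/olcFrontendConfig."""
    found = {a: {} for a in WATCHED}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if classes & {"olcglobal", "olcfrontendconfig"}:
            for a in WATCHED:
                if a in attrs:
                    found[a][dn] = attrs[a]
    return found

def conflicts(found):
    """Watched attributes that are set in more than one entry with differing values."""
    return sorted(a for a, by_dn in found.items()
                  if len({tuple(sorted(v)) for v in by_dn.values()}) > 1)
```

Feed it the output of `slapcat -n 0` or an ldapsearch on the cn=config suffix, then call `conflicts(password_settings(parse_ldif(text)))`.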