>> Daniel Howard <dannyman(a)toldme.com> schrieb am
03.12.2018 um 22:57 in Nachricht
On Wed, Nov 28, 2018 at 11:05 AM Quanah Gibson-Mount
> --On Wednesday, November 28, 2018 10:16 AM -0800 Daniel Howard
> <dannyman(a)toldme.com> wrote:
> ># This file MUST be edited with the 'visudo' command as root.
> > Perhaps this is a consideration that is already on the roadmap?
> You mean like it already does? :)
> head -1 cn\=config.ldif
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
Quanah, (and Howard)
That is certainly a warning. It would be more easily noticed with a bit
more whitespace around it, as you find in the sudoers file. This warning is
not as helpful as the visudo warning, as it does not give the user a way to
edit the file. A wrapper script, or a link to a good document on managing
configurations, would be more useful.
For example, if I follow the advice in sudoers, and I type "visudo" then I
get to edit /etc/sudoers, with a validation before the file can go live.
This is fantastic!
You miss one important thing: /etc/sudoers is expected to be edited by humans, while the
cn=config ares are not!
If I follow the advice here, and type "ldapmodify" then I get an error
message. If I research the correct command line, then, in my experience, I
manage to import multiple conflicting configs into the system that crash
the server. I then research some more, and find that ldapmodify can not
You can backup your server before doing changes, undoing changes afterwards.
delete the conflicting configs. I research some more, and learn that
could just remove them from the filesystem. As I wish to be a good citizen,
I share this knowledge, and I am told that this is wrong, and I need to use
slapcat to export, delete my config files, then slapadd to import, using a
different set of flags than ldapmodify. Perhaps, you can spare a moment of
empathy to acknowledge how frustrating this must be for a user.
Well, removing files actually works a bit, but only as a temporary solution until you get
slapd up and running.
It's like entering the house through a broken window when you forgot your key...
I appreciate your warnings, but given the cumbersome and, in my experience,
dangerous nature of managing config files through ldapmodify, I am inclined
to very carefully tweak the config files in the config directory. If,
No: Actually changing config files through ldapmodify is _much_ safer than editing them by
however, there was a convenient, safe wrapper, like visudo, or a
to a reassuring doc that explains the right way to do things, then I would
preach the good news.
See my first statement.
A potentially minor improvement along these lines could be a very nice
feature enhancement for OpenLDAP. Thank you for your consideration.
Maybe a better enhancement would be a snapshotting mechanism for cn=config to save a
"last good" configuration, combined with an easy (automatic?) recovery to that
if the current configuratioin fails to launch slapd.