I'm just getting started with OpenLDAP and I've just hit my first roadblock - the quickstart guide (http://www.openldap.org/doc/admin24/quickstart.html) refers to a slapd.conf file which is nowhere to be found on my system. A bit of research revealed that slapd.conf has been deprecated. Is there a quick-start guide anywhere that is up-to-date with this change?
On Tue, 19 Oct 2010, Anders Geffen wrote:
> I'm just getting started with OpenLDAP and I've just hit my first roadblock - the quickstart guide (http://www.openldap.org/doc/admin24/quickstart.html) refers to a slapd.conf file which is nowhere to be found on my system. A bit of research revealed that slapd.conf has been deprecated. Is there a quick-start guide anywhere that is up-to-date with this change?
I think you've raised a valid point and if there's not a documentation ITS for this, there probably should be...but, with that said:
0. Although it's a legacy format, OpenLDAP 2.4 fully supports slapd.conf. Even if your distribution didn't provide an example or documentation to the path, you should be able to find it easily on a missing installation:
$ slaptest
could not stat config file "/etc/openldap/slapd.conf": No such file or directory (2)
slaptest: bad configuration file!
or, if it's trying to read a (possibly incomplete) back-config slapd.d, mv that out of the way and it will fall back to slapd.conf. So you can find the path where "slapd.conf should be" and then use the Quick Start as written.
1. Alternately, create the slapd.conf as described in Quick Start step #8, just saving it in your home directory or any other arbitrary location. Then, jump ahead in the guide to section 5.4 to learn how to convert it to back-config and how to start slapd(8) appropriately with your new slapd.d.
On Tuesday, 19 October 2010 16:17:18 Anders Geffen wrote:
> I'm just getting started with OpenLDAP and I've just hit my first roadblock - the quickstart guide (http://www.openldap.org/doc/admin24/quickstart.html) refers to a slapd.conf file which is nowhere to be found on my system.
The fact that you don't have one on your system doesn't mean it isn't provided by the project: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/slapd.conf?hideattic=...
(and, note, it is installed by default, see the 'install-conf' rule in http://www.openldap.org/devel/cvsweb.cgi/~checkout~/servers/slapd/Makefile.i...)
> A bit of research revealed that slapd.conf has been deprecated.
slapd.conf(5) has one occurrence of the word 'deprecated', in relation to 'authz-policy any'. slapd-config(5) doesn't make any such statement.
I haven't seen any official communication about deprecation (even though Quanah has made statements on this list).
> Is there a quick-start guide anywhere that is up-to-date with this change?
Assuming you didn't install from source, consult whoever provided you with OpenLDAP without a slapd.conf.
Regards, Buchan
On Wed, Oct 20, 2010 at 7:54 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
> Assuming you didn't install from source, consult whoever provided you with OpenLDAP without a slapd.conf.
I'm guessing that's Canonical; the slapd package shipped for Ubuntu has no slapd.conf, just a slapd.d/cn=config tree. Maybe they jumped the gun a bit, but I've seen lots of (at least unofficial) mentions that the slapd.conf style is outdated and back-config is the way to go. Which makes using slapd.conf for a brand new installation feel unwise. Old-fashioned, at best. I seem to recall reading as much in the documentation somewhere, too, but I won't swear to it.
However, the new hotness is not, as far as I can tell, well-documented. Things like slapd-ldap(5)'s CONFIGURATION section say absolutely nothing about back-config; I had to read the source code to find the mapping from configuration parameters (like "acl-authcDN") to LDAP attributes (like "olcDbACLAuthcDN"). So, currently, it seems the easiest way to create a back-config is to write a slapd.conf and then convert it with slaptest.
All of which is bound to leave the beginning openldap admin a tiny bit confused. What's considered best practice right now for new installs?
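The step-1 suggestion earlier in the thread (write a slapd.conf, convert it with slaptest) and the directive-to-attribute mapping Mark describes are two views of the same thing: each slapd.conf directive becomes an olc* attribute in cn=config. The following is an added example, not code from the thread or from OpenLDAP and not a replacement for slaptest(8): it maps a constructed Quick Start-style slapd.conf onto cn=config LDIF for the handful of directives such a file uses plus the acl-authcDN -> olcDbACLAuthcDN pair mentioned above (sample paths and DNs are constructed), and it flags a cleartext rootpw, which conversion does not hash for you.

```python
"""Added example (not slaptest): show how Quick Start-style slapd.conf directives map onto cn=config LDIF."""
# Directive -> attribute, for the Quick Start directives plus the thread's slapd-ldap example.
GLOBAL_MAP = {"pidfile": "olcPidFile", "argsfile": "olcArgsFile"}
DB_MAP = {"suffix": "olcSuffix", "rootdn": "olcRootDN", "rootpw": "olcRootPW",
          "directory": "olcDbDirectory", "index": "olcDbIndex",
          "access": "olcAccess", "acl-authcdn": "olcDbACLAuthcDN"}
DB_CLASS = {"bdb": "olcBdbConfig", "hdb": "olcHdbConfig", "mdb": "olcMdbConfig"}
# Constructed slapd.conf in the shape of Quick Start step 8 (sample paths and DNs).
SAMPLE_CONF = """\
include   /usr/local/etc/openldap/schema/core.schema
pidfile   /usr/local/var/run/slapd.pid
argsfile  /usr/local/var/run/slapd.args
database  hdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"
rootpw    secret
directory /usr/local/var/openldap-data
index     objectClass eq
"""

def convert(conf):
    """Return (ldif_text, warnings); unmapped directives are reported, never dropped silently."""
    entries = [{"dn": "cn=config", "objectClass": ["olcGlobal"], "cn": ["config"]}]
    cur, ndb, warnings = entries[0], 0, []
    for raw in conf.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key == "include":
            warnings.append(f"include {value}: schema belongs under cn=schema,cn=config; not converted here")
        elif key == "database":
            ndb += 1  # cn=config itself is {0}; the first user database becomes {1}
            cur = {"dn": f"olcDatabase={{{ndb}}}{value},cn=config", "olcDatabase": [f"{{{ndb}}}{value}"],
                   "objectClass": ["olcDatabaseConfig", DB_CLASS.get(value, "olcDatabaseConfig")]}
            entries.append(cur)
        elif ndb == 0 and key in GLOBAL_MAP:
            cur.setdefault(GLOBAL_MAP[key], []).append(value)
        elif ndb > 0 and key in DB_MAP:
            if key == "rootpw" and not value.startswith("{"):  # {SSHA}... etc. marks a hashed value
                warnings.append("rootpw is cleartext; store a slappasswd(8) hash instead")
            cur.setdefault(DB_MAP[key], []).append(value)
        else:
            warnings.append(f"unmapped directive: {key}")
    ldif = "\n\n".join("\n".join([f"dn: {e['dn']}"] + [f"{a}: {v}" for a, vs in e.items()
                                                         if a != "dn" for v in vs]) for e in entries)
    return ldif, warnings

if __name__ == "__main__":
    print(*convert(SAMPLE_CONF), sep="\n")
```

Real conversions still go through slaptest -f slapd.conf -F slapd.d as described in the thread; this only makes the resulting attribute names visible without reading the source.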
Thanks Mark, Buchan and Aaron for your responses.
In fact, it was the Fedora-provided package that I installed; it also does not include slapd.conf. Taking Buchan's advice, I removed the Fedora package and built from source (version 2.4.23) and slapd.conf is there.
I'm interested in the consensus answer to your question:
> All of which is bound to leave the beginning openldap admin a tiny bit confused. What's considered best practice right now for new installs?
It sounds like for now the safest bet is to use slapd.conf - I'll go that route for now I guess.
Thanks, Anders
--- On Wed, 10/20/10, Mark J. Reed markjreed@gmail.com wrote:
From: Mark J. Reed markjreed@gmail.com
Subject: Re: quick-start guide out-of-date
To: "Buchan Milne" bgmilne@staff.telkomsa.net
Cc: openldap-technical@openldap.org, "Anders Geffen" anders.geffen@yahoo.com
Date: Wednesday, October 20, 2010, 5:33 PM
> On Wed, Oct 20, 2010 at 7:54 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
> > Assuming you didn't install from source, consult whoever provided you with OpenLDAP without a slapd.conf.
> I'm guessing that's Canonical; the slapd package shipped for Ubuntu has no slapd.conf, just a slapd.d/cn=config tree. Maybe they jumped the gun a bit, but I've seen lots of (at least unofficial) mentions that the slapd.conf style is outdated and back-config is the way to go. Which makes using slapd.conf for a brand new installation feel unwise. Old-fashioned, at best. I seem to recall reading as much in the documentation somewhere, too, but I won't swear to it.
> However, the new hotness is not, as far as I can tell, well-documented. Things like slapd-ldap(5)'s CONFIGURATION section say absolutely nothing about back-config; I had to read the source code to find the mapping from configuration parameters (like "acl-authcDN") to LDAP attributes (like "olcDbACLAuthcDN"). So, currently, it seems the easiest way to create a back-config is to write a slapd.conf and then convert it with slaptest.
> All of which is bound to leave the beginning openldap admin a tiny bit confused. What's considered best practice right now for new installs?
Mark J. Reed wrote:
> On Wed, Oct 20, 2010 at 7:54 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
> > Assuming you didn't install from source, consult whoever provided you with OpenLDAP without a slapd.conf.
> I'm guessing that's Canonical; the slapd package shipped for Ubuntu has no slapd.conf, just a slapd.d/cn=config tree. Maybe they jumped the gun a bit, but I've seen lots of (at least unofficial) mentions that the slapd.conf style is outdated and back-config is the way to go. Which makes using slapd.conf for a brand new installation feel unwise. Old-fashioned, at best. I seem to recall reading as much in the documentation somewhere, too, but I won't swear to it.
> However, the new hotness is not, as far as I can tell, well-documented. Things like slapd-ldap(5)'s CONFIGURATION section say absolutely nothing about back-config; I had to read the source code to find the mapping from configuration parameters (like "acl-authcDN") to LDAP attributes (like "olcDbACLAuthcDN"). So, currently, it seems the easiest way to create a back-config is to write a slapd.conf and then convert it with slaptest.
No need to read the source code, just do an ldapsearch on "cn=schema,cn=config".
> All of which is bound to leave the beginning openldap admin a tiny bit confused. What's considered best practice right now for new installs?
Buchan Milne wrote:
> On Tuesday, 19 October 2010 16:17:18 Anders Geffen wrote:
> > A bit of research revealed that slapd.conf has been deprecated.
> slapd.conf(5) has one occurrence of the word 'deprecated', in relation to 'authz-policy any'. slapd-config(5) doesn't make any such statement.
> I haven't seen any official communication about deprecation (even though Quanah has made statements on this list).
It probably won't be dropped by OpenLDAP 2.5. It certainly will by 3.0. You ought to be using your time on 2.4 at least getting familiar with cn=config.