On Wed, Nov 28, 2018 at 11:05 AM Quanah Gibson-Mount quanah@symas.com wrote:
--On Wednesday, November 28, 2018 10:16 AM -0800 Daniel Howard dannyman@toldme.com wrote:
# This file MUST be edited with the 'visudo' command as root.
Perhaps this is a consideration that is already on the roadmap?
You mean like it already does? :)
head -1 cn=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
Quanah, (and Howard)
That is certainly a warning. It would be more easily noticed with a bit more whitespace around it, as you find in the sudoers file. This warning is not as helpful as the visudo warning, as it does not give the user a way to edit the file. A wrapper script, or a link to a good document on managing configurations, would be more useful.
For example, if I follow the advice in sudoers, and I type "visudo" then I get to edit /etc/sudoers, with a validation before the file can go live. This is fantastic!
If I follow the advice here, and type "ldapmodify" then I get an error message. If I research the correct command line, then, in my experience, I manage to import multiple conflicting configs into the system that crash the server. I then research some more, and find that ldapmodify can not delete the conflicting configs. I research some more, and learn that I could just remove them from the filesystem. As I wish to be a good citizen, I share this knowledge, and I am told that this is wrong, and I need to use slapcat to export, delete my config files, then slapadd to import, using a different set of flags than ldapmodify. Perhaps, you can spare a moment of empathy to acknowledge how frustrating this must be for a user.
I appreciate your warnings, but given the cumbersome and, in my experience, dangerous nature of managing config files through ldapmodify, I am inclined to very carefully tweak the config files in the config directory. If, however, there was a convenient, safe wrapper, like visudo, or a reference to a reassuring doc that explains the right way to do things, then I would preach the good news.
A potentially minor improvement along these lines could be a very nice feature enhancement for OpenLDAP. Thank you for your consideration.
Sincerely, -danny
--On Monday, December 03, 2018 1:57 PM -0800 Daniel Howard dannyman@toldme.com wrote:
A potentially minor improvement along these lines could be a very nice feature enhancement for OpenLDAP. Thank you for your consideration.
You're talking about two things: a) slapmodify, which is slated for release with OpenLDAP 2.5, which allows offline modifications of cn=config, and b) delete support in cn=config, also slated for release with OpenLDAP 2.5.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Daniel Howard dannyman@toldme.com wrote on 03.12.2018 at 22:57 in message
CAKU=tE8u-sSzUTx1_S1LsNF3FqNtQ5eYzZu9j785gpZB5F2wbA@mail.gmail.com:
Quanah, (and Howard)
That is certainly a warning. It would be more easily noticed with a bit more whitespace around it, as you find in the sudoers file. This warning is not as helpful as the visudo warning, as it does not give the user a way to edit the file. A wrapper script, or a link to a good document on managing configurations, would be more useful.
For example, if I follow the advice in sudoers, and I type "visudo" then I get to edit /etc/sudoers, with a validation before the file can go live. This is fantastic!
You miss one important thing: /etc/sudoers is expected to be edited by humans, while the cn=config files are not!
If I follow the advice here, and type "ldapmodify" then I get an error message. If I research the correct command line, then, in my experience, I manage to import multiple conflicting configs into the system that crash the server. I then research some more, and find that ldapmodify can not
You can backup your server before doing changes, undoing changes afterwards.
delete the conflicting configs. I research some more, and learn that I could just remove them from the filesystem. As I wish to be a good citizen, I share this knowledge, and I am told that this is wrong, and I need to use slapcat to export, delete my config files, then slapadd to import, using a different set of flags than ldapmodify. Perhaps, you can spare a moment of empathy to acknowledge how frustrating this must be for a user.
Well, removing files actually works a bit, but only as a temporary solution until you get slapd up and running. It's like entering the house through a broken window when you forgot your key...
I appreciate your warnings, but given the cumbersome and, in my experience, dangerous nature of managing config files through ldapmodify, I am inclined to very carefully tweak the config files in the config directory. If,
No: Actually changing config files through ldapmodify is _much_ safer than editing them by hand.
however, there was a convenient, safe wrapper, like visudo, or a reference to a reassuring doc that explains the right way to do things, then I would preach the good news.
See my first statement.
A potentially minor improvement along these lines could be a very nice feature enhancement for OpenLDAP. Thank you for your consideration.
Maybe a better enhancement would be a snapshotting mechanism for cn=config to save a "last good" configuration, combined with an easy (automatic?) recovery to that if the current configuration fails to launch slapd.
Regards, Ulrich
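A visudo-style wrapper along the lines discussed in this thread (snapshot cn=config before a change, apply it with ldapmodify, check the result with slaptest, keep the "last good" export for a slapcat/slapadd restore), as an added example that is not code from the thread or from OpenLDAP. It assumes the CONFDIR and SNAPDIR paths, a root bind over ldapi:/// with SASL EXTERNAL, and that restore_config is only run with slapd stopped.

```shell
#!/bin/sh
# Hypothetical visudo-style wrapper for cn=config changes (added example; not
# OpenLDAP's own tooling). Assumes cn=config lives in $CONFDIR, slapcat/slapadd/
# slaptest/ldapmodify are on PATH, and the admin binds as root over ldapi:///
# with SASL EXTERNAL. restore_config must run with slapd stopped.
set -eu

CONFDIR="${CONFDIR:-/etc/ldap/slapd.d}"
SNAPDIR="${SNAPDIR:-/var/backups/slapd-config}"

# Entry deletes in cn=config are only supported from OpenLDAP 2.5 (per the
# thread), so refuse an LDIF that contains them. Returns 0 when the LDIF is OK.
ldif_is_safe() {
    ! grep -qiE '^changetype:[[:space:]]*delete[[:space:]]*$' "$1"
}

# Export the live config database (-n 0) to a timestamped "last good" LDIF.
snapshot_config() {
    mkdir -p "$SNAPDIR"
    snap="$SNAPDIR/cn=config-$(date +%Y%m%dT%H%M%S).ldif"
    slapcat -n 0 -F "$CONFDIR" -l "$snap"
    echo "$snap"
}

# Rebuild slapd.d from a snapshot: the slapcat/slapadd route from the thread.
restore_config() {
    rm -rf "$CONFDIR"/*
    slapadd -n 0 -F "$CONFDIR" -l "$1"
    slaptest -F "$CONFDIR" -u
}

# Snapshot, apply the change online, then check the on-disk result still parses.
apply_change() {
    ldif="$1"
    ldif_is_safe "$ldif" || {
        echo "refusing $ldif: entry deletes are not supported online" >&2
        return 1
    }
    snap=$(snapshot_config)
    if ! ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif"; then
        # without -c ldapmodify stops at the first bad record; earlier ones may
        # already be applied, so point the admin at the snapshot
        echo "ldapmodify failed; last good config is $snap" >&2
        return 1
    fi
    if ! slaptest -F "$CONFDIR" -u >/dev/null 2>&1; then
        echo "new config fails slaptest; stop slapd and run: restore_config $snap" >&2
        return 1
    fi
}
```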
openldap-technical@openldap.org