On Tue, Nov 27, 2018 at 3:17 PM Quanah Gibson-Mount quanah@symas.com wrote:
--On Tuesday, November 27, 2018 2:22 PM -0800 Daniel Howard dannyman@toldme.com wrote:
I had been yearning for a config file, and it turns out I had them all along!
It's a database, not configuration files. Removing files from underneath a database is generally not a good idea, although YMMV.
I am sharing my experience here, for the next person who finds themselves googling around, trying to figure out how to remove or tweak a config in OpenLDAP. It is nowhere near as complicated as what I had read.
This is the wrong advice. It is also fairly trivial to do what you avoided.
a) slapcat -n 0 -l /tmp/config.ldif
b) Remove the duplicate entries from /tmp/config.ldif
c) mv /path/to/current/config /path/to/current/config.old;mkdir -p /path/to/current/config
d) slapadd -n 0 -l /tmp/config.ldif
I can see how a naive sysadmin might interpret the various text files in /etc/ldap/slapd.d/cn=config/ as configuration files ... that could be carefully edited by hand ... or managed programmatically through the local configuration management system.
I appreciate your admonition that this interpretation is wrong, and that these would-be "config" files in the system configuration file hierarchy are in fact a software-managed database, so we should not edit what appear to be plain text configuration files, but simply export them to a text file, carefully edit the export of the database, delete the entire config file hierarchy, and then reimport the database.
If I may make a minor feature suggestion: whenever I get a file into /etc that needs a special workflow, I like to put warnings in the comments at the top of such files, advising that the file(s) shouldn't be edited by hand, and explaining the proper workflow. (The visudo command is a golden standard in this regard.)
djh@djh-p5510 ~> sudo head -3 /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
Perhaps this is a consideration that is already on the roadmap?
Thanks, -danny
Daniel Howard wrote:
If I may make a minor feature suggestion: whenever I get a file into /etc that needs a special workflow, I like to put warnings in the comments at the top of such files, advising that the file(s) shouldn't be edited by hand, and explaining the proper workflow. (The visudo command is a golden standard in this regard.)
Open your eyes.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 7ec5c1eb
dn: cn=config
objectClass: olcGlobal
cn: config
djh@djh-p5510 ~> sudo head -3 /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
Perhaps this is a consideration that is already on the roadmap?
Thanks, -danny -- http://dannyman.toldme.com
--On Wednesday, November 28, 2018 10:16 AM -0800 Daniel Howard dannyman@toldme.com wrote:
# This file MUST be edited with the 'visudo' command as root.
#
Perhaps this is a consideration that is already on the roadmap?
You mean like it already does? :)
head -1 cn=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
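
Added example, not part of the thread and not OpenLDAP project code: a check that flags slapd.d LDIF files whose content no longer matches the "# CRC32" header line shown above, which is one way to spot hand edits under cn=config. It assumes the checksum is a standard (zlib-compatible) CRC32 over everything after the two header lines; the sample file content and function names are constructed for illustration.

```python
import re
import zlib

# Second header line as shown in the thread: "# CRC32 7ec5c1eb"
CRC_LINE = re.compile(rb"^# CRC32 ([0-9a-f]{8})\s*$")


def split_slapd_ldif(data: bytes):
    """Return (recorded_crc, body); recorded_crc is None if the header is absent."""
    lines = data.splitlines(keepends=True)
    if len(lines) >= 2 and lines[0].startswith(b"# AUTO-GENERATED FILE"):
        m = CRC_LINE.match(lines[1])
        if m:
            return int(m.group(1), 16), b"".join(lines[2:])
    return None, data


def check_ldif(data: bytes) -> str:
    """Classify a slapd.d LDIF file as 'ok', 'modified' or 'no-header'."""
    recorded, body = split_slapd_ldif(data)
    if recorded is None:
        return "no-header"
    # Assumption: checksum covers the bytes after the two comment lines.
    actual = zlib.crc32(body) & 0xFFFFFFFF
    return "ok" if actual == recorded else "modified"


def make_file(body: bytes) -> bytes:
    """Build a constructed sample file with a header matching its body."""
    crc = zlib.crc32(body) & 0xFFFFFFFF
    header = b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
    return header + b"# CRC32 %08x\n" % crc + body


# Constructed sample data (not a real server's configuration).
BODY = b"dn: cn=config\nobjectClass: olcGlobal\ncn: config\n"
GOOD = make_file(BODY)
# Simulate a hand edit: a line appended without updating the header.
TAMPERED = GOOD + b"olcLogLevel: stats\n"

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, check_ldif(blob))
```

A "modified" result means the file was changed outside slapd; the thread's slapcat / slapadd procedure or ldapmodify is the supported way to change it.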