On Tue, Nov 27, 2018 at 3:17 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
--On Tuesday, November 27, 2018 2:22 PM -0800 Daniel Howard
<dannyman(a)toldme.com> wrote:
> I had been yearning for a config file, and it turns out I had them all
> along!
It's a database, not configuration files. Removing files from underneath a
database is generally not a good idea, although YMMV.
> I am sharing my experience here, for the next person who finds themselves
> googling around, trying to figure out how to remove or tweak a config in
> OpenLDAP. It is nowhere near as complicated as what I had read.
This is the wrong advice. It is also fairly trivial to do what you avoided.
a) slapcat -n 0 -l /tmp/config.ldif
b) Remove the duplicate entries from /tmp/config.ldif
c) mv /path/to/current/config /path/to/current/config.old;mkdir -p /path/to/current/config
d) slapadd -n 0 -l /tmp/config.ldif
I can see how a naive sysadmin might interpret the various text files in
/etc/ldap/slapd.d/cn=config/ as configuration files ... that could be
carefully edited by hand ... or managed programmatically through the local
configuration management system.
I appreciate your admonition that this interpretation is wrong, and that
these would-be "config" files in the system configuration file hierarchy
are in fact a software-managed database, so we should not edit what appear
to be plain text configuration files, but simply export them to a text
file, carefully edit the export of the database, delete the entire config
file hierarchy, and then reimport the database.
If I may make a minor feature suggestion: whenever I get a file into /etc
that needs a special workflow, I like to put warnings in the comments at
the top of such files, advising that the file(s) shouldn't be edited by
hand, and explaining the proper workflow. (The visudo command is a golden
standard in this regard.)
djh@djh-p5510 ~> sudo head -3 /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
Perhaps this is a consideration that is already on the roadmap?
Thanks,
-danny
--
http://dannyman.toldme.com
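
Step (b) of the slapcat/slapadd procedure quoted above is the manual part. As an added example (not from either poster or from the OpenLDAP project), this shell function lists candidates in the exported LDIF before step (d); it assumes "duplicate" means a repeated dn: line or a repeated attribute line within one entry, and `ldif_dupes` and `sample_ldif` are names made up here.

```shell
#!/bin/sh
# Added example: report duplicates in a "slapcat -n 0" export before slapadd.
# Output: DUP-DN <dn line>                 dn already used by an earlier entry
#         DUP-VALUE <dn line> | <attr>     same attribute line twice in one entry
ldif_dupes() {
    awk '
    function flush() { if (have) handle(buf); have = 0 }
    function reset(   k) { for (k in vals) delete vals[k] }
    function handle(line) {
        if (line == "") { dn = ""; reset(); return }   # blank line ends an entry
        if (line ~ /^#/) return                        # LDIF comment
        if (tolower(substr(line, 1, 3)) == "dn:") {
            dn = line
            # Assumption: DNs are compared case-insensitively.
            if (seen[tolower(dn)]++) print "DUP-DN " dn
            return
        }
        if (vals[line]++) print "DUP-VALUE " dn " | " line
    }
    # A line starting with one space continues the previous (folded) line.
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0; have = 1 }
    END { flush() }
    ' "$@"
}

# Constructed sample, not a real configuration.
sample_ldif() {
    cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcModuleLoad: {0}back_mdb

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,
 dc=com
olcSuffix: dc=example,dc=com

dn: cn=Module{0},cn=config
objectClass: olcModuleList
EOF
}

if [ "$#" -gt 0 ]; then ldif_dupes "$@"; else sample_ldif | ldif_dupes; fi
```

Run it as `sh script.sh /tmp/config.ldif`; with no argument it checks the constructed sample.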