We use puppet here... for openldap, it's ONLY useful for initial config. For
modifications of openldap config, there's no mechanism to enable that, and any
mechanism that DID exist would have to be aware of the current state.
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount
Sent: Friday, February 03, 2012 11:01 AM
To: Charles T. Brooks
Subject: RE: Best Practices for configuration management with cn=config?
--On Friday, February 03, 2012 1:57 PM -0500 "Charles T. Brooks"
Quanah, could you elaborate at little on this comment?
> The cn=config method IS a database, not a set of flat text files.
> Modifications to the configuration are immediate with the exception
> of changes to olcSecurity.
I'm just starting to convert a heavily replicated environment to
cn=config, and I (apparently stupidly) thought that slapd.d was a live
database. Is the cn=config database held by sleepycat then, mixed up
with my user and system data in /var/lib/ldap? Or is it in memory only?
cn=config is indeed a live database, so thinking that is in no way stupid ;). My point
was, that you cannot just go and edit the cn=config database with something like
'vi'. The correct method is to use something like ldapmodify, etc.
Also, the olcSecurity exception - why aren't changes to security
Because it requires restarting slapd to take effect, due to the way in which it affects
the connection handler. AFAIK, this is the only exception. Security changes to acls
(such as SSF lines) are immediate.
I'll appreciate any insights you can share - I prefer slapd.conf
personally, but I want to proceed in the direction the code authors
favor, since they almost certainly have a clearer vision of what's
optimal for the future of the software than I do.
Currently I make changes by shutting down slapd, deleting slapd.d,
rebuilding slapd.d from my slapd.conf with slaptest, and restarting
slapd. Works for me right now, but I hope to progress past it.
That definitely is not the correct approach. You should just be using ldapmodify or
similar to update the cn=config db. ;)
Sr. Member of Technical Staff
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.