Hi @all
I've some questions regarding the "new" config interface from LDAP cn=config. For a month I have been trying to set up a MultiMaster configuration with GSSAPI auth (Kerb5) over TLS/SSL for three servers. I tried many ways to create a config with the cn=config interface but I failed every time.
Now my question: Is there a tutorial or howto which describes exactly my problem? Or does anybody run a bunch of servers in this configuration?
Thanks a lot for your help, regards Andreas
On Mon, July 25, 2011 14:17, Andreas Laesser wrote:
Hi @all
I've some questions regarding the "new" config interface from LDAP cn=config. For a month I have been trying to set up a MultiMaster configuration with GSSAPI auth (Kerb5) over TLS/SSL for three servers. I tried many ways to create a config with the cn=config interface but I failed every time.
Now my question: Is there a tutorial or howto which describes exactly my problem? Or does anybody run a bunch of servers in this configuration?
I've asked this question, but for some reason my post didn't make it to the list. I think you are supposed to create ldif files and use slapadd to configure OpenLDAP. Seemed rather annoying to me, so I resort to editing slapd.conf and then running:
/etc/init.d/slapd stop
cd /etc/openldap
rm -Rf slapd.d
mkdir slapd.d
slaptest -f slapd.conf -F slapd.d
chown -R ldap:ldap slapd.d
/etc/init.d/slapd start
I know it defeats the object of being able to make runtime changes to cn=config, but with the lack of readable documentation, and the fact that I'm in test mode only, trying to learn OpenLDAP, this is the way I do it.
We'll see if this message makes it to the list...
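The configuration Andreas is asking for (three masters, GSSAPI over TLS) and the runtime cn=config changes Kevin mentions giving up on both boil down to LDIF applied with ldapmodify against cn=config. This is an added example, not code from the thread or from the OpenLDAP project: it builds that LDIF for an N-way multi-master setup using the olcServerID, olcSyncrepl and olcMirrorMode directives from slapd-config(5). The hostnames, suffix and database DN are constructed placeholders, and it assumes each server has a Kerberos host keytab for the GSSAPI bind.

```python
# Added example: generate cn=config LDIF for N-way multi-master replication
# over StartTLS with GSSAPI binds. Hostnames/suffix are constructed values.
from typing import List

SERVERS: List[str] = [            # constructed placeholder hostnames
    "ldap1.example.internal",
    "ldap2.example.internal",
    "ldap3.example.internal",
]
SUFFIX = "dc=example,dc=internal"        # constructed suffix
DB_DN = "olcDatabase={1}hdb,cn=config"   # assumes the data backend is {1}


def server_id_ldif(servers: List[str]) -> str:
    """One 'id URL' pair per node, so the same LDIF can be loaded on every
    server and each slapd selects its own ID by matching its listener URL."""
    lines = ["dn: cn=config", "changetype: modify", "replace: olcServerID"]
    for sid, host in enumerate(servers, start=1):
        lines.append(f"olcServerID: {sid} ldap://{host}")
    return "\n".join(lines) + "\n"


def syncrepl_ldif(servers: List[str], suffix: str, db_dn: str) -> str:
    """One olcSyncrepl value per provider (a server never replicates from
    itself), each with a unique rid, plus olcMirrorMode TRUE.
    bindmethod=sasl/saslmech=GSSAPI makes the consumer authenticate with its
    host keytab; starttls=critical and tls_reqcert=demand abort replication
    rather than fall back to a cleartext or unverified channel."""
    lines = [f"dn: {db_dn}", "changetype: modify", "add: olcSyncrepl"]
    for rid, host in enumerate(servers, start=1):
        lines.append(
            f'olcSyncrepl: rid={rid:03d} provider=ldap://{host} '
            f'bindmethod=sasl saslmech=GSSAPI starttls=critical '
            f'tls_reqcert=demand searchbase="{suffix}" '
            f'type=refreshAndPersist retry="5 5 300 +" timeout=1'
        )
    lines += ["-", "add: olcMirrorMode", "olcMirrorMode: TRUE"]
    return "\n".join(lines) + "\n"


def build_ldif(servers: List[str], suffix: str = SUFFIX,
               db_dn: str = DB_DN) -> str:
    """Complete LDIF to feed to: ldapmodify -Y EXTERNAL -H ldapi:/// -f file"""
    return server_id_ldif(servers) + "\n" + syncrepl_ldif(servers, suffix, db_dn)


if __name__ == "__main__":
    print(build_ldif(SERVERS))
```

Because it is applied through ldapmodify, the change takes effect on the running slapd without the stop/slaptest/start cycle in Kevin's post.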
On Thursday 28 July 2011 16:35:25 you wrote:
/etc/init.d/slapd stop
cd /etc/openldap
rm -Rf slapd.d
mkdir slapd.d
slaptest -f slapd.conf -F slapd.d
chown -R ldap:ldap slapd.d
/etc/init.d/slapd start
I know it defeats the object of being able to make runtime changes to cn=config, but with the lack of readable documentation, and the fact that I'm in test mode only, trying to learn OpenLDAP, this is the way I do it.
Great idea, so let's try to manage it like that... But my criticism of the whole thing is that (it seems) the new config system is cn=config, and it is so poorly documented. There are so few howtos and other things on the web using cn=config.
One of my problems is getting the replication (n-way multi-master with SASL and Kerberos auth) working with the new configuration system, but I found no one else with a configuration like mine.
regards Andreas
Andreas Laesser wrote:
Great idea, so let's try to manage it like that... But my criticism of the whole thing is that (it seems) the new config system is cn=config, and it is so poorly documented. There are so few howtos and other things on the web using cn=config.
So you're unable to read slapd-config(5)? Or the Admin Guide?
When a (hypothetical) document says: "digits" are characters in the range 0-9, e.g. '5' do you really need a HowTo spelling out the rest of the possible values?
One of my problems is getting the replication (n-way multi-master with SASL and Kerberos auth) working with the new configuration system, but I found no one else with a configuration like mine.
regards Andreas
On 29/07/2011 08:47, Andreas Laesser wrote:
But my criticism of the whole thing is that (it seems) the new config system is cn=config, and it is so poorly documented. There are so few howtos and other things on the web using cn=config.
My criticism is not about missing documentation. I think there is enough of that, and what is missing could be added.
My criticism, if slapd.conf is removed, is about the added complexity that will be imposed by forcing the use of "cn=config" on all the people who don't need the benefits it gives.
I already stated the reasons for which I strongly prefer simple text configuration files for service daemons, so I won't repeat them here.
Simone
In my point of view, if the reason is only to resolve configuration changes, it's a workaround and not a solution. Look at samba and the smb.conf file management. I can read and write this file while the smb daemon runs, so why can't slapd do the same thing?
-- Stéphane PURNELLE, Systems and Network Administrator, IT Department, Corman S.A. Tel : 00 32 (0)87/342467