--On Friday, September 22, 2017 8:38 AM -0400 Frank Swasey <Frank.Swasey@uvm.edu> wrote:
My take away from this lengthy discussion is the following:
- cn=config is not ready for "make; make test; make install" level of upgrade. Until it is, it is not usable in a production environment.
I've been doing binary upgrades on deployments using cn=config for years (since 2011 or so), with servers all across the globe. However, I didn't use ppolicy in my configurations. The real issue with ppolicy is that it shouldn't be shipping with a separate schema, and instead it should have its configuration schema fully internalized. I've already made a note that this needs to be fixed for OpenLDAP 2.5 so it doesn't occur again. Outside of that, I'm not aware of it being deficient in comparison to slapd.conf, and I'm quite aware of numerous ways in which it is substantially better.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount wrote:
The real issue with ppolicy is that it shouldn't be shipping with a separate schema, and instead it should have its configuration schema fully internalized.
Hmm, you could say that about any standard schema file shipped by OpenLDAP but considered immutable (like core.schema etc.). Especially if you change the code to move schema declarations from a schema file to schema_prep.c or an overlay foobar.c, you're stuck with having to update cn=config:
1. Before the software upgrade you must not add/remove the schema declaration.
2. After the software upgrade you cannot add/remove the schema declaration.
Ciao, Michael.
openldap-technical@openldap.org
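The situation both posts describe (Quanah's point that ppolicy ships its schema as a separate file, and Michael's point that a cn=config database keeps carrying that file-loaded declaration across a binary upgrade that hardcodes the same schema) is easiest to reason about if you can see, before upgrading, where a given server actually declares the ppolicy elements. The following is an added example, not OpenLDAP code or either poster's: it reads the LDIF that `slapcat -n 0` emits for the config database and reports whether `pwdPolicy`/`pwdAttribute` are declared in the hardcoded `cn=schema,cn=config` entry, in a loaded `cn={N}ppolicy,cn=schema,cn=config` entry, or both. The LDIF sample is constructed and trimmed to the attributes that matter; the verdict strings and the choice of marker names are this example's own assumptions, not something OpenLDAP prints.

```python
"""Locate where a cn=config database declares the ppolicy schema.

Added illustration, not OpenLDAP code. Input is the LDIF a `slapcat -n 0`
run produces; SAMPLE_LDIF below is a constructed, trimmed stand-in.
"""
import base64
import re
from typing import Any, Dict, List

# Constructed sample: ppolicy loaded from ppolicy.ldif, not hardcoded.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
olcObjectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )

dn: cn={1}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {1}ppolicy
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY o
 bjectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcObjectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILI
 ARY MUST ( pwdAttribute ) )
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold RFC 2849 continuation lines (newline plus
    one space), split records on blank lines, and return one {attr: [values]}
    dict per entry with the dn included. Attribute names are lower-cased and
    base64 ("::") values are decoded."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


# First NAME of a schema definition: NAME 'x' or NAME ( 'x' 'y' )
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')")


def schema_element_names(entry: Entry) -> set:
    """Short names declared by an olcSchemaConfig entry's attribute types
    and object classes."""
    names = set()
    for attr in ("olcattributetypes", "olcobjectclasses"):
        for definition in entry.get(attr, []):
            m = NAME_RE.search(definition)
            if m:
                names.add(m.group(1) or m.group(2))
    return names


# Elements defined by ppolicy.schema; seeing either means the schema is present.
PPOLICY_MARKERS = {"pwdPolicy", "pwdAttribute"}


def ppolicy_schema_sources(entries: List[Entry]) -> Dict[str, Any]:
    """Where are ppolicy elements declared?
    'builtin': the hardcoded cn=schema,cn=config entry carries them
    'files':   DNs of cn={N}...,cn=schema,cn=config entries loaded from files"""
    builtin = False
    files: List[str] = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if not dn.lower().endswith("cn=schema,cn=config"):
            continue
        if not (schema_element_names(entry) & PPOLICY_MARKERS):
            continue
        if dn.lower() == "cn=schema,cn=config":
            builtin = True
        else:
            files.append(dn)
    return {"builtin": builtin, "files": files}


def verdict(sources: Dict[str, Any]) -> str:
    """One-line summary for a pre-upgrade checklist (wording is this example's)."""
    files = ", ".join(sources["files"])
    if sources["builtin"] and sources["files"]:
        return f"CONFLICT: ppolicy schema is hardcoded and also loaded from {files}"
    if sources["files"]:
        return f"ppolicy schema loaded from {files}; it cannot coexist with a build that hardcodes it"
    if sources["builtin"]:
        return "ppolicy schema is hardcoded; no schema file to unload"
    return "ppolicy schema not present"


if __name__ == "__main__":
    print(verdict(ppolicy_schema_sources(parse_ldif(SAMPLE_LDIF))))
```

Run it against a real dump with `slapcat -n 0 > config.ldif` and `parse_ldif(open("config.ldif").read())`; the interesting outcome is the CONFLICT case, which is exactly the state Michael describes as unreachable to fix from either side of the upgrade, since cn=config offers no way to drop the file-loaded declaration once the binary also hardcodes it.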