Resending on-list.
On Wed, Apr 20, 2011 at 1:33 PM, Simone Piccardi piccardi@truelite.it wrote:
On 20/04/2011 17:42, Jose Ildefonso Camargo Tolosa wrote:
Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin guide.
Quanah: actually, the documentation is not yet complete for cn=config; I had to convert my slapd.conf to cn=config using slaptest in order to find out how to do in cn=config the same things I had in slapd.conf.
Ildefonso
That's the way I'm using it. And I suggest to anyone not needing to modify configurations on the fly to use it that way.
Because, apart from the missing documentation, I found it difficult having to deal with the obscure attribute names and the complex directory structure (and the not so explicative file names used under it) that I found in /etc/ldap/slapd.d/.
Well, I actually got used to cn=config pretty quickly; nevertheless, I still find it easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using an LDAP administration tool).
The "cn=config" replication suggested on the docs becomes useless when you need to use TLS, because, AFAIK, we don't have a way of having different TLS parameters for each replica (and, on a multi-master setup, you will likely have different servers, with different names, and thus: different SSL certificate).
I understand the needs for cn=config, but for the moment I don't need it. Having a file with a simple syntax that I can read and modify instead of a tree of LDIF files is far more convenient for me. So I hope that slapd.conf will remain supported.
+1, we shouldn't drop the slapd.conf file.
Simone
Simone Piccardi
Truelite Srl
piccardi@truelite.it (email/jabber)
Via Monferrato, 6, 50142 Firenze
Tel. +39-347-1032433
Tel. +39-055-7879597
Fax. +39-055-7333336
http://www.truelite.it
Jose Ildefonso Camargo Tolosa wrote:
Resending on-list.
Well, I actually got used to cn=config pretty quickly; nevertheless, I still find it easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using an LDAP administration tool).
The directory structure under slapd.d is private/internal to slapd.
Forget it is even there. As far as you're concerned, it does not even exist.
The only thing you should ever look at is the LDAP DIT, whether returned by slapcat, ldapsearch, or your LDAP GUI browser of choice.
The "cn=config" replication suggested on the docs becomes useless when you need to use TLS, because, AFAIK, we don't have a way of having different TLS parameters for each replica (and, on a multi-master setup, you will likely have different servers, with different names, and thus: different SSL certificate).
Actually no, every syncrepl directive can have its own unique set of TLS parameters. And anyway, usually all of the servers communicating with each other at a site will have the same security requirements and thus the same TLS parameters. The actual certificates might be different, but since they (currently) live in the filesystem there's no need to reflect that difference in the slapd configuration. E.g., every server can point to "/etc/ssl/my-server-cert.pem" and that file can be unique to each server.
Hi Howard,
The directory structure under slapd.d is private/internal to slapd. Forget it is even there. As far as you're concerned, it does not even exist.
Could you please concretely explain how you, let's say, tune or add rootDSE operational attributes immediately after having installed a fresh OpenLDAP 2.4 distribution, without editing files?
More simply: how do you define or change the rootpw, still without editing files?
--- Olivier
On Wed, Apr 20, 2011 at 10:38 PM, Howard Chu hyc@symas.com wrote:
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Olivier wrote:
Hi Howard,
The directory structure under slapd.d is private/internal to slapd. Forget it is even there. As far as you're concerned, it does not even exist.
Could you please concretely explain how you, let's say, tune or add rootDSE operational attributes immediately after having installed a fresh OpenLDAP 2.4 distribution, without editing files?
On a fresh installation that has not yet been configured:
    slapadd -n0 <<EOF
    dn: cn=config
    cn: config
    objectClass: olcGlobal
    olcRootDSE: /some/text/file
    EOF
More simply: how do you define or change the rootpw, still without editing files?
    slapadd -n0 <<EOF
    dn: cn=config
    objectClass: olcGlobal
    cn: config

    dn: olcDatabase={0}config,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: {0}config
    olcRootPW: MySecretPassword
    EOF
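An added example, not code from the thread: the slapadd LDIF above stores olcRootPW in cleartext, which then shows up in slapcat output and in every backup of cn=config; slapd also accepts a hashed value, which is what slappasswd produces. The script below builds an {SSHA} value the way slappasswd does by default (assumed: SHA-1 over password followed by a 4-byte random salt, base64 of digest plus salt), verifies it, and emits a modify LDIF for the config database; the file name and the ldapmodify invocation in the comments are assumptions.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is 20 bytes; the salt follows it


def ssha_hash(password, salt=None):
    """Return an {SSHA} value usable as olcRootPW or userPassword.

    Layout (as slappasswd emits by default): {SSHA}base64(sha1(pw+salt)+salt).
    """
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt size is 4 bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False  # some other scheme ({CRYPT}, {SSHA512}, cleartext ...)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def rootpw_ldif(password, salt=None):
    """LDIF that replaces olcRootPW on the config database with a hash.

    On a running server this is applied over the local socket, e.g.
    (assumed invocation): ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif
    """
    return (
        "dn: olcDatabase={0}config,cn=config\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        "olcRootPW: " + ssha_hash(password, salt) + "\n"
    )


if __name__ == "__main__":
    # Constructed sample password; the hash differs on every run (random salt).
    print(rootpw_ldif("MySecretPassword"))
```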
On 20/04/2011 22:38, Howard Chu wrote:
Jose Ildefonso Camargo Tolosa wrote:
Resending on-list.
Well, I actually got used to cn=config pretty quickly; nevertheless, I still find it easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using an LDAP administration tool).
The directory structure under slapd.d is private/internal to slapd.
Forget it is even there. As far as you're concerned, it does not even exist.
The only thing you should ever look at is the LDAP DIT, whether returned by slapcat, ldapsearch, or your LDAP GUI browser of choice.
That's really bad news.
Sorry, probably I'm just an old-style Unix admin, but I don't like at all to be forced to use any kind of program other than an editor to do a server configuration.
That's a major strength of a Unix system, and giving it away is very bad. I understand that in some cases it will be needed; what I don't agree with is forcing this choice for all the cases.
Regards,
Simone
On 04/21/2011 12:19 PM, piccardi wrote:
Hi,
The script ldapedit mentioned earlier opens up entries in your editor of choice.
I personally use this fine little LDAP editor with vi's basic syntax: http://www.lichteblau.com/ldapvi/
It is very configurable, has a small footprint and few dependencies, and lets you add and modify all your LDAP entries.
Regards,
François
openldap-technical@openldap.org