Greetings.
Documentation such as [1] notes that there is a one-to-one correspondence between slapd.conf directives and slapd-config database attributes. However it's not always completely clear just what the mapping is.
For example, both [2] and slapo-syncprov(5) describe syncprov-checkpoint. This corresponds to the attribute olcSpCheckpoint, but I can't find where it is I learned that mapping (I probably stumbled across it via [3]), so can't point to chapter and verse in my own documentation and notes.
I would have thought the documentation for the olcSyncProvConfig objectClass would explain this, but I can't find any such documentation, nor even a schema for that objectClass [4].
The problem (and my puzzlement) is not unique to the syncprov overlay.
Best wishes,
Norman
[1] https://www.openldap.org/doc/admin24/slapdconf2.html
[2] https://openldap.org/doc/admin24/overlays.html
[3] https://mishikal.wordpress.com/2019/04/23/configuring-mmr-using-delta-syncre...
[4] Ie, grep -i syncprov /usr/local/etc/openldap/schema/* (and similar) produces nothing.
--On Thursday, July 16, 2020 2:11 PM +0100 Norman Gray gray@nxg.name wrote:
> Greetings.
> Documentation such as [1] notes that there is a one-to-one correspondence between slapd.conf directives and slapd-config database attributes. However it's not always completely clear just what the mapping is.
See bugs: 5915, 6277, 7335, 8742
Patches welcome where appropriate.
> For example, both [2] and slapo-syncprov(5) describe syncprov-checkpoint. This corresponds to the attribute olcSpCheckpoint, but I can't find where it is I learned that mapping (I probably stumbled across it via [3]), so can't point to chapter and verse in my own documentation and notes.
> I would have thought the documentation for the olcSyncProvConfig objectClass would explain this, but I can't find any such documentation, nor even a schema for that objectClass [4].
Overlay objectClasses are defined in the code for the overlay.
https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/overlays/syncprov.c#L3160
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount wrote:
> --On Thursday, July 16, 2020 2:11 PM +0100 Norman Gray gray@nxg.name wrote:
>> Greetings.
>> Documentation such as [1] notes that there is a one-to-one correspondence between slapd.conf directives and slapd-config database attributes. However it's not always completely clear just what the mapping is.
> See bugs: 5915, 6277, 7335, 8742
> Patches welcome where appropriate.
>> For example, both [2] and slapo-syncprov(5) describe syncprov-checkpoint. This corresponds to the attribute olcSpCheckpoint, but I can't find where it is I learned that mapping (I probably stumbled across it via [3]), so can't point to chapter and verse in my own documentation and notes.
>> I would have thought the documentation for the olcSyncProvConfig objectClass would explain this, but I can't find any such documentation, nor even a schema for that objectClass [4].
> Overlay objectClasses are defined in the code for the overlay.
> https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/overlays/syncprov.c#L3160
All of the schema is always retrievable from slapd itself, either by querying cn=Subschema or cn=schema,cn=config.
Quanah and Howard, hello.
On 16 Jul 2020, at 16:29, Quanah Gibson-Mount wrote:
>> Documentation such as [1] notes that there is a one-to-one correspondence between slapd.conf directives and slapd-config database attributes. However it's not always completely clear just what the mapping is.
> See bugs: 5915, 6277, 7335, 8742
Right -- I see. Thanks.
I appreciate the point in https://bugs.openldap.org/show_bug.cgi?id=5915 that documenting both sets of directives would be quite a lot of work, which might have to be more-or-less redone when slapd.conf support is removed in 2.6/3.0 (hooray).
As an interim alternative, it would probably be lowish-effort, but useful, if eg slapo-syncprov(5) and friends said something like the following, at the end of the '.SH CONFIGURATION' section:
Note that the above are
.B slapd.conf
configuration options. These will be replaced by
.B slapd.d
options (see
.B slapd-config(5)
for details) in a forthcoming release. Until then, you can deduce the names of the
.B slapd.d
attributes by examining the source files in [suitable URL, such as at git.openldap.org, or simply a reference to servers/slapd/overlays in the distribution].
The same text could be dumped into all or most of the slapo-* manpages. It's incomplete, but it would be better than nothing, in that it would reassure the reader that there isn't some collection of documentation they've completely missed, and that the documentation isn't somehow out of date, by still referring to slapd.conf-style attributes.
I have an alternative, possibly better, suggestion below.
> Patches welcome where appropriate.
If it were simply a case of the above, then yes, I could do the labour of the edit and send you a patch. But I don't think I've the standing to be creative here (!).
> Overlay objectClasses are defined in the code for the overlay.
> https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/overlays/syncprov.c#L3160
Thanks -- at least I'm not missing something obvious!
Separately, Howard Chu said:
> All of the schema is always retrievable from slapd itself, either by querying cn=Subschema or cn=schema,cn=config.
That looks perfect in principle, and I see you made a similar remark in https://bugs.openldap.org/show_bug.cgi?id=7335. However the first way that occurred to me to search for this:
# slapcat -b cn=config | grep cn=schema
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
...didn't produce the results I expected.
I find I can do
% ldapsearch -x -b cn=schema,cn=config -D cn=config -w PASSWORD '(objectclass=*)'
and grub through the output to find
olcObjectClasses: ( OLcfgOvOc:1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Prov
 ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
 lcSpSessionlog $ olcSpNoPresent $ olcSpReloadHint ) )
Is that what you meant, Howard? If so, then yes, a schema; but looking there really, really, isn't obvious from slapd-config(5). It is described there under 'schema options', and there's nothing wrong with the text, but one has to know it's there beforehand, in order to find it.
I think none of your users would feel at all insulted by being given slightly more of a hint there or in, say, slapd.overlays(5).
(I've spent enough time with OpenLDAP to be able to parse that attribute value by eye, and recognise it as not line-noise).
To be concrete, how about, in slapd.overlays,
.SH SCHEMAS
The schemas for these overlays are documented in the corresponding
.B slapo-<overlay>
(5) manpages, in the form appropriate for
.B slapd.conf
configuration. The schemas are loaded dynamically, and can be found either in the overlay source code, or else searching for the appropriate attributes under
.B cn=schema,cn=config
For example
.B ldapsearch -x -b cn=schema,cn=config -s base -D cn=config -w PASSWORD '(objectclass=*)' olcobjectclasses
See the
.B slapd-config
manpage for discussion of the olcObjectClasses attribute.
I found and read the slapd.overlays manpage early in my search for this information. Something like the above would have led me to the information I needed very quickly.
Best wishes,
Norman
Norman Gray wrote:
> Separately, Howard Chu said:
>> All of the schema is always retrievable from slapd itself, either by querying cn=Subschema or cn=schema,cn=config.
> That looks perfect in principle, and I see you made a similar remark in https://bugs.openldap.org/show_bug.cgi?id=7335. However the first way that occurred to me to search for this:
> # slapcat -b cn=config | grep cn=schema
> dn: cn=schema,cn=config
> dn: cn={0}core,cn=schema,cn=config
> dn: cn={1}cosine,cn=schema,cn=config
> dn: cn={2}nis,cn=schema,cn=config
> dn: cn={3}inetorgperson,cn=schema,cn=config
> ...didn't produce the results I expected.
slapcat is not querying slapd, so no.
> I find I can do
> % ldapsearch -x -b cn=schema,cn=config -D cn=config -w PASSWORD '(objectclass=*)'
You should add "-s base" to this command, since hardcoded schema only appears in this entry.
> and grub through the output to find
> olcObjectClasses: ( OLcfgOvOc:1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Prov
>  ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
>  lcSpSessionlog $ olcSpNoPresent $ olcSpReloadHint ) )
> Is that what you meant, Howard? If so, then yes, a schema; but looking there really, really, isn't obvious from slapd-config(5). It is described there under 'schema options', and there's nothing wrong with the text, but one has to know it's there beforehand, in order to find it.
The slapd-config(5) manpage says explicitly
The cn=Schema entry contains all of the hardcoded schema elements. The children of this entry contain all user-defined schema elements.
But even if you didn't know that, you should already know that all LDAPv3 servers publish their schema, and you can find where that is by querying the subschemaSubentry attribute of any entry (including the rootDSE). In OpenLDAP this will always point to "cn=Subschema" - but you don't need to memorize that, ldapsearch will show you.
> I think none of your users would feel at all insulted by being given slightly more of a hint there or in, say, slapd.overlays(5).
Users are expected to know how LDAP works already.
openldap-technical@openldap.org
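Added example, not part of any message in this thread and not OpenLDAP project code: a small Python parser for the olcObjectClasses value quoted above, which unfolds the LDIF line wrapping and lists the attributes an overlay's config objectClass allows. The sample input is constructed from the value shown in the thread, and the function names (unfold, parse_objectclass, object_classes) are this example's own.

```python
import re

# Constructed sample input: the olcObjectClasses value quoted in the thread,
# folded as LDIF output folds long lines (continuation lines start with a space).
SAMPLE_LDIF = """\
dn: cn=schema,cn=config
olcObjectClasses: ( OLcfgOvOc:1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Prov
 ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
 lcSpSessionlog $ olcSpNoPresent $ olcSpReloadHint ) )
"""

TOKEN = re.compile(r"'([^']*)'|[()$]|[^\s()$']+")

def unfold(ldif):
    """Undo RFC 2849 folding: a newline followed by one space is dropped."""
    return ldif.replace("\r\n", "\n").replace("\n ", "")

def parse_objectclass(value):
    """Parse one RFC 4512 ObjectClassDescription string into a dict."""
    value = re.sub(r"^\{\d+\}", "", value.strip())  # cn=config ordering prefix
    toks = [m.group(1) if m.group(1) is not None else m.group(0)
            for m in TOKEN.finditer(value)]
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("not a parenthesised schema description")
    oc = {"oid": toks[1], "name": [], "desc": [], "sup": [],
          "kind": "STRUCTURAL", "must": [], "may": []}  # RFC 4512 default kind
    i = 2
    while i < len(toks) - 1:
        key, i = toks[i], i + 1
        if key in ("NAME", "DESC", "SUP", "MUST", "MAY"):
            # Value is either one token or a list: ( a $ b ) / ( 'a' 'b' )
            end = toks.index(")", i) if toks[i] == "(" else i
            oc[key.lower()] = [t for t in toks[i:end + 1]
                               if t not in ("(", "$", ")")]
            i = end + 1
        elif key in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = key
    return oc

def object_classes(ldif):
    """Map each objectClass name to its parsed description."""
    found = {}
    for line in unfold(ldif).splitlines():
        attr, sep, value = line.partition(": ")
        if sep and attr.lower() in ("olcobjectclasses", "objectclasses"):
            oc = parse_objectclass(value)
            found.update({name: oc for name in oc["name"]})
    return found
```

The same functions also accept the objectClasses values published under cn=Subschema, since the attribute name is matched case-insensitively in both forms.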