Re: Installation openLDAP in Debian
I wrote:
Simone Piccardi writes:
So now I need more logic, more programs, when I can do everything with
just an editor and some text when having a file.
(...)
slapd.conf is historyless too though, so I'm not sure what you mean with
tracking change logs if you did not want something like version control.
Whoops, I seem to have confused you with mr Guillard here.
Regarding the {number} prefixes he asked about, they are described here:
http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Layout
--
Hallvard
Re: Installation openLDAP in Debian
Hi! my +1 to not dismiss slapd.conf. I splitted my conf files in nested subdirectories, too. slapd.conf is very important for me! thanks, Fabio 2011/4/22 Marco Pizzoli marco.pizz...@gmail.com I completely agree. As I said, a little statistic to understand what people use could be interesting. For me comments and a text file config is mandatory. I am not configuring mysql.cnf using a mysql database. As it has been said before, once your setup is done, you barely change it. And a little restart is not a problem using replicas. If some colleagues come after me (not specialized on ldap), they would be probably more comfortable with a traditional text file than using an ldap browser which just show DNs and attributes. That's may be great to replicate cn=config, but from some mails I red, it seems not so easy. The harder it is to configure, the less people use. Hi all, +1 to not dismiss slapd.conf. Comments are my leading motivation in saying this. In my biggest deployment I used a complex configuration by splitting my conf files in nested subdirectories, mirroring conceptual separation of OpenLDAP components: database(s), overlays related to each database, security, modules, etc... I commented heavily each file and, in this way, I'm able to driver my colleagues on ordinarily activities, without the burden to have each of them become a full time specialist on OpenLDAP, letting me go on holiday more relaxed :-) I commented the rationale of my choices, not only the meaning of the configuration directives. In an office of about 10 unix systems administrators with large heterogeneity of skills and sw products this way has revealed to be an added value. Not to be misunderstood, I like very much the cn=config way. But in my opinion it has to be a must in particular enterprise configurations, in example for bastion slaves used for H24 operational systems, or in situations where a network load balancer (to obtain failover, I mean) in between cannot be used. My 2 cents. Marco
Re: Installation openLDAP in Debian
Olivier Guillard writes: How to survive in operational environnement without comments in files ( nor a way to track change logs btw ) ? I suppose you could put slapd.d/ under version control. After making a change or a set of changes, commit your modified slapd.d/ with your comments in the commit message. Or put comments in other files under slapd.d/. If these filenames do not resemble DNs, e.g. have filetype .txt and no '=' in them, they won't clash with cn=config's filenames. I haven't tried how cumbersome this is/isn't in practice though. -- Hallvard
Re: Installation openLDAP in Debian
On 28/04/2011 12:00, Hallvard B Furuseth wrote: Olivier Guillard writes: How to survive in operational environnement without comments in files ( nor a way to track change logs btw ) ? I suppose you could put slapd.d/ under version control. After making a change or a set of changes, commit your modified slapd.d/ with your comments in the commit message. Or put comments in other files under slapd.d/. If these filenames do not resemble DNs, e.g. have filetype .txt and no '=' in them, they won't clash with cn=config's filenames. I haven't tried how cumbersome this is/isn't in practice though. Apart the fact we were told not to touch slapd.d, this will raise complexity (adding a VCS, finding a way to relate commens to contens, and so on). So now I need more logic, more programs, when I can do everything with just an editor and some text when having a file. Simone -- Simone Piccardi Truelite Srl picca...@truelite.it (email/jabber) Via Monferrato, 6 Tel. +39-347-103243350142 Firenze http://www.truelite.it Tel. +39-055-7879597Fax. +39-055-736
Re: Installation openLDAP in Debian
Apart the fact we were told not to touch slapd.d, this will raise complexity (adding a VCS, finding a way to relate commens to contens, and so on). So now I need more logic, more programs, when I can do everything with just an editor and some text when having a file. I do agree. My thought goes to the fact that it would add a component that rarely I find within my clients. Marco -- _ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison
Re: Installation openLDAP in Debian
Simone Piccardi writes: On 28/04/2011 12:00, Hallvard B Furuseth wrote: Olivier Guillard writes: How to survive in operational environnement without comments in files ( nor a way to track change logs btw ) ? I suppose you could put slapd.d/ under version control. After making a change or a set of changes, commit your modified slapd.d/ with your comments in the commit message. Or put comments in other files under slapd.d/. If these filenames do not resemble DNs, e.g. have filetype .txt and no '=' in them, they won't clash with cn=config's filenames. I haven't tried how cumbersome this is/isn't in practice though. Apart the fact we were told not to touch slapd.d, That part is all right, the VCS would simply function as a browseable backup. You'd do the changes over the ldap protocol, then commit the result as-is. Regarding filenames, I think it'd make sense to document that back-config/back-ldif will not touch certain filenames, so the user is officially free to use these for comments etc. However, this will raise complexity (adding a VCS, finding a way to relate commens to contens, and so on). So now I need more logic, more programs, when I can do everything with just an editor and some text when having a file. Yes. I too find slapd.conf significantly superior to cn=config, except for poorer error checking and having to restart slapd. It was just a suggestion if you use cn=config but want comments and change log. slapd.conf is historyless too though, so I'm not sure what you mean with tracking change logs if you did not want something like version control. -- Hallvard
Re: Installation openLDAP in Debian
Hi Hallvard
I suppose you could put slapd.d/ under version control.
Yes, this would respond to the log traking issue, you are right :
after all, this is the same mecanism used to log track slapd.conf
changes. The only objection I would have to that at this stage is
that I'm not sure how I to deal with the {magic-numbrer} present
in some file names that at this stage of my understanding.
Or put comments in other files under slapd.d/
On the other hand, this idea of adding txt files in slapd.d to
record comments sound a bit bizarre to me to be honnest.
---
Olivier
Re: Installation openLDAP in Debian
* Howard Chu h...@symas.com [2011-04-20 21:38]: The tree of files is not meant for you to ever look at or modify directly. Just use slapcat or ldapsearch. If you know anything about LDAP at all this is MUCH easier than editing flat text files, since you can use any LDAP tool (commandline or GUI) to do all the administration. Plain text files are an established (in the *nix world, at least) and universal interface, and easily lend themselfs to configuration management systems, version control, as well as using the power of $EDITOR. So I sure hope existing support for slapd.conf won't be ripped out. Don't force a certain way to deal with configuration changes on everyone just because some use cases may ask for that. -peter
Re: Installation openLDAP in Debian
Howard Chu wrote:
When you know what these things are, cn=config is just another DIT, that
you manage just like every other DIT. The learning curve for cn=config
is shorter than for slapd.conf, because once you learn the essential
elements of LDAP, you also know all the essentials for configuring
slapd. Otherwise, you have to learn LDAP + LDIF + slapd.conf syntax,
which history has shown practically everybody gets *wrong*. The web is
full of bogus slapd.conf examples with directives scattered all over the
place, instead of in their proper order and location. (...)
That seems to me a similarity with slapd.conf, not a difference. Now
people are getting cn=config wrong. Cutpaste which includes the magic
{numbers} they do not know what is, getting a BDB database number {0}.
Editing the cn=config tree directly, that's a fairly obvious thing to.
After all, why go via some tool once you've already written your LDIF?
The latter is fixable by switching cn=config to use a back-ber with
binary files and no RDN-like filenames, if we really never should edit
cn=config.
--
Hallvard
Re: Installation openLDAP in Debian
2011/4/22 Simone Piccardi picca...@truelite.it
Il 21/04/2011 11:05, Howard Chu ha scritto:
If you don't understand LDAP and LDIF then you cannot effectively
administer an LDAP server. Period. There is no chicken and egg here -
you must understand LDAP. You must know what DIT means. You must know
what a DN is. You must know what a schema is. You must know what an
attribute is. There is no bypassing this required knowledge.
When you know what these things are, cn=config is just another DIT, that
you manage just like every other DIT. The learning curve for cn=config
is shorter than for slapd.conf, because once you learn the essential
elements of LDAP, you also know all the essentials for configuring
slapd. Otherwise, you have to learn LDAP + LDIF + slapd.conf syntax,
which history has shown practically everybody gets *wrong*. The web is
full of bogus slapd.conf examples with directives scattered all over the
place, instead of in their proper order and location. Our ITS is
frequently littered with such junk, configs created by people who
hastily copy/pasted something they read from some howto somewhere,
without understanding what they were really doing.
Sorry but I cannot agree to this. Using cn=config, at least for now, is
far more complex. Saying that's just another DIT is misleading.
To understand configuration you need to understand what that DIT
contents means, and the syntax you have to use for it. So you have to
learn LDAP + LDIF + cn=config syntax.
And as far I can see the cn=config syntax is far more complex than the
one of slapd.conf.
Probably I'm stupid but still I see as very hard to read all that {N}
placed all around that you need to use as special values for DN's, and
the same is for all those olcSomeThing attributes and those olcSomeClass
objectclass that you have to use.
So something like:
slapadd -n0
dn: cn=config
objectClass: olcGlobal
cn: config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: MySecretPassword
EOF
for me is not easier to understand than saying change the rootpw line on
the database stanza of your slapd.conf.
And sorry, probably its a bad habit, but I'm used to put comments in my
configurations files, and I cannot see how I can do this here.
Regards
Simone
I completely agree. As I said, a little statistic to understand what people
use could be interesting. For me comments and a text file config is
mandatory. I am not configuring mysql.cnf using a mysql database. As it has
been said before, once your setup is done, you barely change it. And a
little restart is not a problem using replicas.
If some colleagues come after me (not specialized on ldap), they would be
probably more comfortable with a traditional text file than using an ldap
browser which just show DNs and attributes.
That's may be great to replicate cn=config, but from some mails I red, it
seems not so easy. The harder it is to configure, the less people use.
Dom
--
Dominique LALOT
Ingénieur Systèmes et Réseaux
http://annuaire.univmed.fr/showuser.php?uid=lalot
Re: Installation openLDAP in Debian
I completely agree. As I said, a little statistic to understand what people use could be interesting. For me comments and a text file config is mandatory. I am not configuring mysql.cnf using a mysql database. As it has been said before, once your setup is done, you barely change it. And a little restart is not a problem using replicas. If some colleagues come after me (not specialized on ldap), they would be probably more comfortable with a traditional text file than using an ldap browser which just show DNs and attributes. That's may be great to replicate cn=config, but from some mails I red, it seems not so easy. The harder it is to configure, the less people use. Hi all, +1 to not dismiss slapd.conf. Comments are my leading motivation in saying this. In my biggest deployment I used a complex configuration by splitting my conf files in nested subdirectories, mirroring conceptual separation of OpenLDAP components: database(s), overlays related to each database, security, modules, etc... I commented heavily each file and, in this way, I'm able to driver my colleagues on ordinarily activities, without the burden to have each of them become a full time specialist on OpenLDAP, letting me go on holiday more relaxed :-) I commented the rationale of my choices, not only the meaning of the configuration directives. In an office of about 10 unix systems administrators with large heterogeneity of skills and sw products this way has revealed to be an added value. Not to be misunderstood, I like very much the cn=config way. But in my opinion it has to be a must in particular enterprise configurations, in example for bastion slaves used for H24 operational systems, or in situations where a network load balancer (to obtain failover, I mean) in between cannot be used. My 2 cents. Marco
Re: Installation openLDAP in Debian
Howard Chu wrote: Michael Ströder wrote: Howard Chu wrote: If you don't understand LDAP and LDIF then you cannot effectively administer an LDAP server. Period. There is no chicken and egg here - you must understand LDAP. You must know what DIT means. You must know what a DN is. You must know what a schema is. You must know what an attribute is. There is no bypassing this required knowledge. I'd say I understand LDAP and LDIF etc. but still I'm in favour using slapd.conf and only use cn=config in the *rare* cases where dynamic configuration is really needed. When you know what these things are, cn=config is just another DIT, that you manage just like every other DIT. Especially the schema design of OpenLDAP's cn=config is more complicated than it should be. Look at other LDAP server implementations and you'll see how easy it is to tweak cn=config with a generic, schema-aware LDAP client. That's not so easy with OpenLDAP's cn=config. Since you're being so vague it's difficult to address your point. E.g. the proprietary X-ORDERED stuff prevents clients from doing things easily. It feels like using the text editor while not being as flexible like a text editor. However, one thing is clear - you can manage everything using just the ldapmodify command line tool, that's a simple fact. Yes. But I prefer to use a comfortable text editor. So from what I can see, either your clients are inferior to a command line tool or you're just using them wrong. Being the author of web2ldap I claim having thought about how LDAP clients should be designed quite a lot. So indeed I take this as personal offense. Ciao, Michael.
Re: Installation openLDAP in Debian
Hello Howard, Nothing else to discuss? When I started a long time ago, the learning edge was a little bit easier, as to start your configuration you don't need to use ldap tools. You know the problem of chicken and eggs. On other ldap servers, software comes with a GUI to configure. If you don't do that and you get rid of slapd.conf I imagine that lots of beginners will try some other solutions than OpenLDAP and that would be a pity. And a configuration tool can help to glue the dependences between directives. It's harder and harder to understand what to put, where, and the side effects. I was just playing around with ProxyAuth, using directives, slaptest OK, but I am not using SASL which should be (after a day to test) something required. But my slaptest is OK.. Another example: We have several independant for the moment databases that are glued together. That's not the same config and we need to have an acl part with limits and rights. If I do that with cn=config, I have to write an ldap programm to add, modify, delete attributes. Using an include acl.conf in slapd.conf, just rsync acl.conf and restart. And the comments in slapd.conf are very usefull. Please do not remove slapd.conf or add a configure tool. Dom 2011/4/21 Howard Chu h...@symas.com Jose Ildefonso Camargo Tolosa wrote: On Wed, Apr 20, 2011 at 4:18 PM, Howard Chuh...@symas.com wrote: Jose Ildefonso Camargo Tolosa wrote: On Wed, Apr 20, 2011 at 2:53 PM, Howard Chuh...@symas.comwrote: The tree of files is not meant for you to ever look at or modify directly. Just use slapcat or ldapsearch. If you know anything about LDAP at all this is MUCH easier than editing flat text files, since you can use any LDAP tool (commandline or GUI) to do all the administration. I don't find complex to directly modify the files, actually, I find it easier than having to write a ldif modification script every time I need to apply a change! I just go ahead and edit the corresponding ldif file on slapd.d You are editing the backing store of a slapd internal database. If slapd is running while you're doing this, you will probably corrupt the database. Even if slapd is not running, you'll probably corrupt the database. Ok, I'll fall for this: how in the world can I corrupt a text (ldif) file? I have done that for quite some time, and I have never had a single issue with it. Off course, I need to restart slapd to make it use my changes, but it is not big deal on my environment (for other environments, you can use ldapmodify (or similar) and make changes on the fly). There are many possibilities. The most obvious is leaving random whitespace at the end of a line, which frequently trips up people who manually edit flat text files. I won't go into the other possibilities because frankly, it's an internal implementation detail and not worth mentioning. Suffice to say, if you're not going to take the word of the programmer who designed and implemented all of this that editing by hand is prone to corruption, then we have nothing further to discuss. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot
Re: Installation openLDAP in Debian
Hi Howard, The directory structure under slapd.d is private/internal to slapd. Forget it is even there. As far as you're concerned, it does not even exist. Could you please concretly explain how you let say tune or add rootdse operational attributes imediatly after having installed a fresh openldap2.4 distribution without editing files ? more simple : How you define or change the rootpw still without editing files ? --- Olivier On Wed, Apr 20, 2011 at 10:38 PM, Howard Chu h...@symas.com wrote: Jose Ildefonso Camargo Tolosa wrote: Resending on-list. Well, I actually got used to cn=config pretty quickly, nevertheless, I still find easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using a LDAP administration tool). The directory structure under slapd.d is private/internal to slapd. Forget it is even there. As far as you're concerned, it does not even exist. The only thing you should ever look at is the LDAP DIT, whether returned by slapcat, ldapsearch, or your LDAP GUI browser of choice. The cn=config replication suggested on the docs becomes useless when you need to use TLS, because, AFAIK, we don't have a way of having different TLS parameters for each replica (and, on a multi-master setup, you will likely have different servers, with different names, and thus: different SSL certificate). Actually no, every syncrepl directive can have its own unique set of TLS parameters. And anyway, usually all of the servers communicating with each other at a site will have the same security requirements and thus the same TLS parameters. The actual certificates might be different, but since they (currently) live in the filesystem there's no need to reflect that difference in the slapd configuration. E.g., every server can point to /etc/ssl/my-server-cert.pem and that file can be unique to each server. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Installation openLDAP in Debian
LALOT Dominique wrote: Hello Howard, Nothing else to discuss? When I started a long time ago, the learning edge was a little bit easier, as to start your configuration you don't need to use ldap tools. You know the problem of chicken and eggs. If you don't understand LDAP and LDIF then you cannot effectively administer an LDAP server. Period. There is no chicken and egg here - you must understand LDAP. You must know what DIT means. You must know what a DN is. You must know what a schema is. You must know what an attribute is. There is no bypassing this required knowledge. When you know what these things are, cn=config is just another DIT, that you manage just like every other DIT. The learning curve for cn=config is shorter than for slapd.conf, because once you learn the essential elements of LDAP, you also know all the essentials for configuring slapd. Otherwise, you have to learn LDAP + LDIF + slapd.conf syntax, which history has shown practically everybody gets *wrong*. The web is full of bogus slapd.conf examples with directives scattered all over the place, instead of in their proper order and location. Our ITS is frequently littered with such junk, configs created by people who hastily copy/pasted something they read from some howto somewhere, without understanding what they were really doing. On other ldap servers, software comes with a GUI to configure. If you don't do that and you get rid of slapd.conf I imagine that lots of beginners will try some other solutions than OpenLDAP and that would be a pity. There will always be misguided beginners, that's life. If they use inferior solutions, they'll either learn, or not. I'm not interested in gaining the users who don't learn. And a configuration tool can help to glue the dependences between directives. It's harder and harder to understand what to put, where, and the side effects. I was just playing around with ProxyAuth, using directives, slaptest OK, but I am not using SASL which should be (after a day to test) something required. But my slaptest is OK.. Your slaptest is OK because there was no broken dependency. ProxyAuth doesn't require SASL. Whoever told you so was wrong. (They overlooked the ProxyAuthz control, which is independent of SASL.) The fact that directives are clustered into discrete entries makes it *easier* to understand what dependencies exist. The dependencies always existed, even with slapd.conf, but in slapd.conf they were mostly invisible. They were mentioned in the slapd.conf(5) manpage but again, history shows that the majority of admins ignore this. Another example: We have several independant for the moment databases that are glued together. That's not the same config and we need to have an acl part with limits and rights. If I do that with cn=config, I have to write an ldap programm to add, modify, delete attributes. The LDAP *programs* already exist. Using an include acl.conf in slapd.conf, just rsync acl.conf and restart. Production LDAP sites that we deal with cannot afford to have slapd down, no matter how brief a restart may be. If your site can tolerate that, perhaps you should use one of those other solutions you alluded to, instead of OpenLDAP. In my experience they have quite frequent downtime, so that might be more comfortable and familiar for you. For us, we ldapmodify an ACL here or there on a central server and it replicates automatically to other servers. No need for rsync or any other tools with their separate authentication/security requirements. You sound like a horse-and-buggy coachman protesting the introduction of the automobile. And the comments in slapd.conf are very usefull. Please do not remove slapd.conf or add a configure tool. Any LDAP client can be used to operate on cn=config. You're asking for a screwdriver when you've already been given a Swiss Army knife. A dedicated configure tool would partly defeat the purpose of cn=config. 1) it would have its own separate learning curve 2) admins would become dependent on it, and would be helpless when it fails One need only look at SunDSEE/RedHatDS/FedoraDS and see how lost their sysadmins are when their AdminServer crashes (as it invariably does), despite the fact that their config engine is also exposed as an LDAP DIT. Their docs always encourage admins to just use the GUI, and so the admins never learn what the underlying controlling attributes actually are. They spend more time trying to figure out what part of their desktop graphics environment needs to be tweaked *this* time, to get the adminserver running again, than they would ever actually spend dealing with LDAP itself. For the sites we deal with, the sysadmins tell us how grateful they are that they can do all their admin tasks using simple shell scripts. GUIs just get in their way, and the vendors pushing the GUIs seem to make a point of obscuring what actually goes on underneath. If you cannot live
Re: Installation openLDAP in Debian
Olivier wrote:
Hi Howard,
The directory structure under slapd.d is private/internal to slapd.
Forget it is even there. As far as you're concerned, it does not even exist.
Could you please concretly explain how you let say tune or add
rootdse operational attributes imediatly after having installed
a fresh openldap2.4 distribution without editing files ?
On a fresh installation that has not yet been configured:
slapadd -n0
dn: cn=config
cn: config
objectclass: olcglobal
olcRootDSE: /some/text/file
EOF
more simple : How you define or change the rootpw still without
editing files ?
slapadd -n0
dn: cn=config
objectClass: olcGlobal
cn: config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: MySecretPassword
EOF
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Installation openLDAP in Debian
On 20/04/2011 22:38, Howard Chu wrote: Jose Ildefonso Camargo Tolosa wrote: Resending on-list. Well, I actually got used to cn=config pretty quickly, nevertheless, I still find easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using a LDAP administration tool). The directory structure under slapd.d is private/internal to slapd. Forget it is even there. As far as you're concerned, it does not even exist. The only thing you should ever look at is the LDAP DIT, whether returned by slapcat, ldapsearch, or your LDAP GUI browser of choice. That's really bad news. Sorry, probably I'm just an old style Unix admin, but I don't like at all to be forced to use any kind of program different from an editor to do a server configuration. That's a major strenght of an Unix system, and giving it away is very bad. I understand that in some case it will be needed, what I don't agree is forcing this choice for all the cases. Regards Simone
Re: Installation openLDAP in Debian
Olivier Guillard wrote: On a fresh installation that has not yet been configured: ... Thanks howard, it helps. For other readers I add this found in the slapadd doc : LIMITATIONS Your slapd(8) should not be running when you do this to ensure consis‐ tency of the database. Something I have to test : What happens if you attempt to add an entry or change an attribute that already exists using slapadd (I suspect that the old entry is replaced). No, that is not the meaning of add. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Installation openLDAP in Debian
On 21/04/11 02:05 -0700, Howard Chu wrote: Your slaptest is OK because there was no broken dependency. ProxyAuth doesn't require SASL. Whoever told you so was wrong. (They overlooked the ProxyAuthz control, which is independent of SASL.) That was my mistake. ~$ ldapsearch -LLL -x -H ldap://ldap.example.org -s base -b supportedControl dn: supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 ~$ ldapwhoami -x -D 'uid=cy...@example.org,ou=people,dc=example,dc=org' \ -H ldap://ldap.example.org \ -e '!authzid=dn:uid=test1...@example.org,ou=people,dc=example,dc=org' -W Enter LDAP Password: dn:uid=test1...@example.org,ou=people,dc=example,dc=org -- Dan White
Re: Installation openLDAP in Debian
On 04/21/2011 12:19 PM, piccardi wrote: On 20/04/2011 22:38, Howard Chu wrote: Jose Ildefonso Camargo Tolosa wrote: Resending on-list. Well, I actually got used to cn=config pretty quickly, nevertheless, I still find easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using a LDAP administration tool). The directory structure under slapd.d is private/internal to slapd. Forget it is even there. As far as you're concerned, it does not even exist. The only thing you should ever look at is the LDAP DIT, whether returned by slapcat, ldapsearch, or your LDAP GUI browser of choice. That's really bad news. Sorry, probably I'm just an old style Unix admin, but I don't like at all to be forced to use any kind of program different from an editor to do a server configuration. That's a major strenght of an Unix system, and giving it away is very bad. I understand that in some case it will be needed, what I don't agree is forcing this choice for all the cases. Regards Simone Hi, The script ldapedit mentioned earlier open up entries in your editor of choice. I personally use this fine little ldap editor with vi's basic syntax: http://www.lichteblau.com/ldapvi/ It is very configurable, has a small footprint, few dependencies and let you add, modify all your ldap entries. Regards François
Re: Installation openLDAP in Debian
No, that is not the meaning of add. In that case, how can you change olcRootPW: MySecretPassword If it already exists but you want to change it ? --- Olivier
Re: Installation openLDAP in Debian
On Thu, Apr 21, 2011 at 12:05 AM, Howard Chu h...@symas.com wrote: There are many possibilities. The most obvious is leaving random whitespace at the end of a line, which frequently trips up people who manually edit flat text files. I won't go into the other possibilities because frankly, it's an internal implementation detail and not worth mentioning. Suffice to say, if you're not going to take the word of the programmer who designed and implemented all of this that editing by hand is prone to corruption, then we have nothing further to discuss. Howard, I *know* who you are, I am not new to OpenLDAP. So, please, take no offense, we are having just a discussion. Still, I'm yet to see any of my servers being corrupted by me editing the cn=config files directly! (well, it is also me... I *know* several admins that totally screwed config files, but I have been on the UNIX world for ~16 years, so, maybe I'm used to really tight files formatting) also, because these are LDIFs, these actually yell to be edited by hand! (you should add an ominous warning to the docs, stating that you should not edit those files directly, for x, y, or z reason). Now, someone actually had a point here: is there a way to add *comments* to cn=config configuration? The fact that I never asked that question points something out: I'm actually not a big fan of comments, but there are people who like them a lot. Howard: really, we are here arguing with you, because we actually like this work, and believe it can become even better than it is! Ildefonso.
Re: Installation openLDAP in Debian
On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard oliv...@guillard.nom.fr wrote: No, that is not the meaning of add. In that case, how can you change olcRootPW: MySecretPassword If you forgot your rootdn pass, and have no other user that with write privileges to cn=config, I guess you would need to slapcat your config, edit it, delete old config, and reload with slapadd. Or... take the risk and just edit the file by hand. Ildefonso.
Re: Installation openLDAP in Debian
--On April 21, 2011 6:19:20 PM +0200 Olivier l...@guillard.nom.fr wrote: No, that is not the meaning of add. In that case, how can you change olcRootPW: MySecretPassword If it already exists but you want to change it ? With an ldap modify operation, the same way you do any other type of modification to LDAP. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration
Re: Installation openLDAP in Debian
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com: On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard oliv...@guillard.nom.fr wrote: No, that is not the meaning of add. In that case, how can you change olcRootPW: MySecretPassword If you forgot your rootdn pass, and have no other user that with write privileges to cn=config, I guess you would need to slapcat your config, edit it, delete old config, and reload with slapadd. Or... take the risk and just edit the file by hand. Or use the ldapi:// URI, with EXTERNAL SASL mechanism, and correct ACL. -- Erwann.
Re: Installation openLDAP in Debian
On Thu, Apr 21, 2011 at 12:32 PM, Erwann ABALEA eaba...@gmail.com wrote: 2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com: On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard oliv...@guillard.nom.fr wrote: No, that is not the meaning of add. In that case, how can you change olcRootPW: MySecretPassword If you forgot your rootdn pass, and have no other user that with write privileges to cn=config, I guess you would need to slapcat your config, edit it, delete old config, and reload with slapadd. Or... take the risk and just edit the file by hand. Or use the ldapi:// URI, with EXTERNAL SASL mechanism, and correct ACL. Ok can you elaborate? if you can do this, I feel that this is almost a security problem (where you can bypass LDAP authentication by using an external auth that was not previously configured on the directory).
Re: Installation openLDAP in Debian
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com:
[...]
Or use the ldapi:// URI, with EXTERNAL SASL mechanism, and correct ACL.
Ok can you elaborate? if you can do this, I feel that this is
almost a security problem (where you can bypass LDAP authentication by
using an external auth that was not previously configured on the
directory).
On my Debian server, the default openldap installation has this only
ACL defined for cn=config:
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage break
And I can access it by connecting as root *on the same server*, and
using ldap* tools like this:
ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config
This is to be used at the very start of the installation. I use it to
create a user, and add an ACL with this user to allow me to access the
directory from outside (and have some graphical tool if they can make
admin tasks easier).
--
Erwann.
Re: Installation openLDAP in Debian
On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA eaba...@gmail.com wrote:
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com:
[...]
Or use the ldapi:// URI, with EXTERNAL SASL mechanism, and correct ACL.
Ok can you elaborate? if you can do this, I feel that this is
almost a security problem (where you can bypass LDAP authentication by
using an external auth that was not previously configured on the
directory).
On my Debian server, the default openldap installation has this only
ACL defined for cn=config:
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage break
Ok, due that I just took my old slapd.conf and converted with
slaptest, I was not aware of that default config. Now, lets say that
you changed the config, and that you had the rootdn, and that ACL was
not there, in that case: you can't use the SASL external, right?
And I can access it by connecting as root *on the same server*, and
using ldap* tools like this:
ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config
This is to be used at the very start of the installation. I use it to
create a user, and add an ACL with this user to allow me to access the
directory from outside (and have some graphical tool if they can make
admin tasks easier).
--
Erwann.
Re: Installation openLDAP in Debian
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com:
On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA eaba...@gmail.com wrote:
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com:
[...]
Or use the ldapi:// URI, with EXTERNAL SASL mechanism, and correct ACL.
Ok can you elaborate? if you can do this, I feel that this is
almost a security problem (where you can bypass LDAP authentication by
using an external auth that was not previously configured on the
directory).
On my Debian server, the default openldap installation has this only
ACL defined for cn=config:
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage break
Ok, due that I just took my old slapd.conf and converted with
slaptest, I was not aware of that default config. Now, lets say that
you changed the config, and that you had the rootdn, and that ACL was
not there, in that case: you can't use the SASL external, right?
Right. If you lose your password, and have no other way to authentify
to your LDAP server, you're screwed.
Just give you a second chance, by adding this ACL.
Of course, if you lose the ability to become root on this server, then
you don't have access to the server anymore. Evident.
In the end, if really you don't have any way to authentify, then yes,
that's a disaster, and in case of disasters, big measures need to be
taken. Stop slapd, slapcat -n 0, edit the file, delete the content
of slapd.d directory, slapadd -n 0. I guess.
--
Erwann.
Re: Installation openLDAP in Debian
Howard Chu wrote: If you don't understand LDAP and LDIF then you cannot effectively administer an LDAP server. Period. There is no chicken and egg here - you must understand LDAP. You must know what DIT means. You must know what a DN is. You must know what a schema is. You must know what an attribute is. There is no bypassing this required knowledge. I'd say I understand LDAP and LDIF etc. but still I'm in favour using slapd.conf and only use cn=config in the *rare* cases where dynamic configuration is really needed. When you know what these things are, cn=config is just another DIT, that you manage just like every other DIT. Especially the schema design of OpenLDAP's cn=config is more complicated than it should be. Look at other LDAP server implementations and you'll see how easy it is to tweak cn=config with a generic, schema-aware LDAP client. That's not so easy with OpenLDAP's cn=config. Ciao, Michael.
Re: Installation openLDAP in Debian
Jose Ildefonso Camargo Tolosa wrote: On Thu, Apr 21, 2011 at 12:05 AM, Howard Chuh...@symas.com wrote: There are many possibilities. The most obvious is leaving random whitespace at the end of a line, which frequently trips up people who manually edit flat text files. I won't go into the other possibilities because frankly, it's an internal implementation detail and not worth mentioning. Suffice to say, if you're not going to take the word of the programmer who designed and implemented all of this that editing by hand is prone to corruption, then we have nothing further to discuss. Howard, I *know* who you are, I am not new to OpenLDAP. So, please, take no offense, we are having just a discussion. We are having a *STUPID* discussion. The man who knows this field has just told you it is full of landmines, and if you tread on it you will blow your foot off. You are arguing that it hasn't happened yet so therefore it must be perfectly safe. If you were sitting in front of me right now I would ask you to give me some money, because you are clearly a fool. Still, I'm yet to see any of my servers being corrupted by me editing the cn=config files directly! (well, it is also me... I *know* several admins that totally screwed config files, but I have been on the UNIX world for ~16 years, so, maybe I'm used to really tight files formatting) also, because these are LDIFs, these actually yell to be edited by hand! (you should add an ominous warning to the docs, stating that you should not edit those files directly, for x, y, or z reason). It is not my responsibility to tell you exactly where each landmine is. I have told you they exist; for a wise man that is enough. If you wish to seek out exactly where they lie, fine, spend your own time on that. It's certainly not a good use of my time. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Installation openLDAP in Debian
Michael Ströder wrote: Howard Chu wrote: If you don't understand LDAP and LDIF then you cannot effectively administer an LDAP server. Period. There is no chicken and egg here - you must understand LDAP. You must know what DIT means. You must know what a DN is. You must know what a schema is. You must know what an attribute is. There is no bypassing this required knowledge. I'd say I understand LDAP and LDIF etc. but still I'm in favour using slapd.conf and only use cn=config in the *rare* cases where dynamic configuration is really needed. When you know what these things are, cn=config is just another DIT, that you manage just like every other DIT. Especially the schema design of OpenLDAP's cn=config is more complicated than it should be. Look at other LDAP server implementations and you'll see how easy it is to tweak cn=config with a generic, schema-aware LDAP client. That's not so easy with OpenLDAP's cn=config. Since you're being so vague it's difficult to address your point. However, one thing is clear - you can manage everything using just the ldapmodify command line tool, that's a simple fact. So from what I can see, either your clients are inferior to a command line tool or you're just using them wrong. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Installation openLDAP in Debian
Hi! On Thu, Apr 21, 2011 at 3:42 PM, Howard Chu h...@symas.com wrote: Jose Ildefonso Camargo Tolosa wrote: On Thu, Apr 21, 2011 at 12:05 AM, Howard Chuh...@symas.com wrote: There are many possibilities. The most obvious is leaving random whitespace at the end of a line, which frequently trips up people who manually edit flat text files. I won't go into the other possibilities because frankly, it's an internal implementation detail and not worth mentioning. Suffice to say, if you're not going to take the word of the programmer who designed and implemented all of this that editing by hand is prone to corruption, then we have nothing further to discuss. Howard, I *know* who you are, I am not new to OpenLDAP. So, please, take no offense, we are having just a discussion. We are having a *STUPID* discussion. The man who knows this field has just told you it is full of landmines, and if you tread on it you will blow your foot off. You are arguing that it hasn't happened yet so therefore it must be perfectly safe. If you were sitting in front of me right now I would ask you to give me some money, because you are clearly a fool. I *never* said it is safe, I just said that it has never failed for me (in my own, personal, experience), on the other side: it is very uncommon for me to be tweaking the configs after the server is up, I could say that I update the configs once a year or less! Still, I'm yet to see any of my servers being corrupted by me editing the cn=config files directly! (well, it is also me... I *know* several admins that totally screwed config files, but I have been on the UNIX world for ~16 years, so, maybe I'm used to really tight files formatting) also, because these are LDIFs, these actually yell to be edited by hand! (you should add an ominous warning to the docs, stating that you should not edit those files directly, for x, y, or z reason). It is not my responsibility to tell you exactly where each landmine is. I have told you they exist; for a wise man that is enough. If you wish to seek out exactly where they lie, fine, spend your own time on that. It's certainly not a good use of my time. Yet, the ominous warning on the docs would be good, maybe here? http://www.openldap.org/doc/admin24/slapdconf2.html As I said: the slapd.d directory structure is actually a bunch of ldif files, that you may think can directly edit! and, according to what you say: it can actually be a very bad idea! so, a warning on the docs would be wise (I don't think I can edit the docs, so, I can't add the warning myself). Ildefonso.
Installation openLDAP in Debian
Hi, I tried to install openLDAP in my debian 6.0.1 Squeeze but I got problem as there is no slapd.conf inside /etc/ldap/ directory. Is there any easy process for installation and configuration for beginners. regards, -- Dambar Raj Paudel (Wireless Technology - Researcher) WAKHOK University, Wakkanai, Japan Skype: drpaudel
Re: Installation openLDAP in Debian
--On Wednesday, April 20, 2011 6:51 PM +0900 D. R. Paudel rajme...@gmail.com wrote: Hi, I tried to install openLDAP in my debian 6.0.1 Squeeze but I got problem as there is no slapd.conf inside /etc/ldap/ directory. Is there any easy process for installation and configuration for beginners. Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin guide. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration
Re: Installation openLDAP in Debian
Hi! it no longer uses slapd.conf by default, it uses cn=config . It is on /etc/ldap/slapd.d/ Debian will leave you with a working directory (even thought not optimal, but you will be able to use it). If you can be more specific on what you want to do, just let us know! If you are used to configure with slapd.conf, you can actually use that configuration too, or you can convert your slapd.conf configuration into cn=config with slaptest (check the docs!). Ildefonso Camargo On Wed, Apr 20, 2011 at 5:21 AM, D. R. Paudel rajme...@gmail.com wrote: Hi, I tried to install openLDAP in my debian 6.0.1 Squeeze but I got problem as there is no slapd.conf inside /etc/ldap/ directory. Is there any easy process for installation and configuration for beginners. regards, -- Dambar Raj Paudel (Wireless Technology - Researcher) WAKHOK University, Wakkanai, Japan Skype: drpaudel
Re: Installation openLDAP in Debian
On Wed, Apr 20, 2011 at 10:53 AM, Quanah Gibson-Mount qua...@zimbra.com wrote: --On Wednesday, April 20, 2011 6:51 PM +0900 D. R. Paudel rajme...@gmail.com wrote: Hi, I tried to install openLDAP in my debian 6.0.1 Squeeze but I got problem as there is no slapd.conf inside /etc/ldap/ directory. Is there any easy process for installation and configuration for beginners. Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin guide. Quanah: actually, documentation is not yet complete for cn=config, I had to actually convert my slapd.conf to cn=config using slaptest in order to find out how to do the same I had on slapd.conf on cn=config. Ildefonso --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration
Re: Installation openLDAP in Debian
On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote: Hi! it no longer uses slapd.conf by default, it uses cn=config . It is on /etc/ldap/slapd.d/ Debian will leave you with a working directory (even thought not optimal, but you will be able to use it). If you can be more specific on what you want to do, just let us know! If you are used to configure with slapd.conf, you can actually use that configuration too, or you can convert your slapd.conf configuration into cn=config with slaptest (check the docs!). Ildefonso Camargo That's the way I'm using it. And I suggest to anyone not needing to modify configurations on the fly to use it that way. Because apart the missing documentation, I found difficult having to deal with the obscure attribute names and the complex directory structure (and the not so explicative file names used under it) that I found in /etc/ldap/slapd.d/. I understand the needs for cn=config, but for the moment I don't need it. Having a file with a simple syntax that I can read and modify instead of a tree of LDIF files is far more convenient for me. So I hope that slapd.conf will remain supported. Simone -- Simone Piccardi Truelite Srl picca...@truelite.it (email/jabber) Via Monferrato, 6 Tel. +39-347-103243350142 Firenze http://www.truelite.it Tel. +39-055-7879597Fax. +39-055-736
Re: Installation openLDAP in Debian
Hello, It's so easy to use a single slap.conf text file, edit thorugh vi, then restart. Rsyncing include parts of slapd.conf between servers. Don't need an ldap browser to see it, can add comments easily. All my colleagues are still working with.I would change my opinion if there was a maintained official web interface to administrate the server. You shoud put a doodle to ask openldap admins. Are you using slapd.d Are you using sasl Are you using kerberos Are you using multi-master mode May be you will be surprised, may be me.. Dom PS: anyway, I would like to thank the developers for their good job. Don't take my opinons as regrets of using OpenLDAP. I am stil an happy OpenLDAP user since 2001 2011/4/20 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com On Wed, Apr 20, 2011 at 10:53 AM, Quanah Gibson-Mount qua...@zimbra.com wrote: --On Wednesday, April 20, 2011 6:51 PM +0900 D. R. Paudel rajme...@gmail.com wrote: Hi, I tried to install openLDAP in my debian 6.0.1 Squeeze but I got problem as there is no slapd.conf inside /etc/ldap/ directory. Is there any easy process for installation and configuration for beginners. Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin guide. Quanah: actually, documentation is not yet complete for cn=config, I had to actually convert my slapd.conf to cn=config using slaptest in order to find out how to do the same I had on slapd.conf on cn=config. Ildefonso --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. Zimbra :: the leader in open source messaging and collaboration -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot
Re: Installation openLDAP in Debian
On Apr 20, 2011, at 11:04 AM, Simone Piccardi picca...@truelite.it wrote: On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote: Hi! it no longer uses slapd.conf by default, it uses cn=config . It is on /etc/ldap/slapd.d/ Debian will leave you with a working directory (even thought not optimal, but you will be able to use it). If you can be more specific on what you want to do, just let us know! If you are used to configure with slapd.conf, you can actually use that configuration too, or you can convert your slapd.conf configuration into cn=config with slaptest (check the docs!). Ildefonso Camargo That's the way I'm using it. And I suggest to anyone not needing to modify configurations on the fly to use it that way. Because apart the missing documentation, I found difficult having to deal with the obscure attribute names and the complex directory structure (and the not so explicative file names used under it) that I found in /etc/ldap/slapd.d/. I understand the needs for cn=config, but for the moment I don't need it. Having a file with a simple syntax that I can read and modify instead of a tree of LDIF files is far more convenient for me. So I hope that slapd.conf will remain supported. It will not remain supported. I highly advise getting used to the new configuration. It may take a little time but it is far superior and quite frankly not that difficult. Remember too that you are free to help contribute documentation. --Quanah
Re: Installation openLDAP in Debian
Simone Piccardi wrote: On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote: Hi! it no longer uses slapd.conf by default, it uses cn=config . It is on /etc/ldap/slapd.d/ Debian will leave you with a working directory (even thought not optimal, but you will be able to use it). If you can be more specific on what you want to do, just let us know! If you are used to configure with slapd.conf, you can actually use that configuration too, or you can convert your slapd.conf configuration into cn=config with slaptest (check the docs!). Ildefonso Camargo That's the way I'm using it. And I suggest to anyone not needing to modify configurations on the fly to use it that way. Because apart the missing documentation, I found difficult having to deal with the obscure attribute names and the complex directory structure (and the not so explicative file names used under it) that I found in /etc/ldap/slapd.d/. I understand the needs for cn=config, but for the moment I don't need it. Having a file with a simple syntax that I can read and modify instead of a tree of LDIF files is far more convenient for me. So I hope that slapd.conf will remain supported. The tree of files is not meant for you to ever look at or modify directly. Just use slapcat or ldapsearch. If you know anything about LDAP at all this is MUCH easier than editing flat text files, since you can use any LDAP tool (commandline or GUI) to do all the administration. If you think the tree structure is confusing, then you obviously have not read the Admin Guide, which clearly outlines the structure. http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Layout If you don't read the documentation you have only yourself to blame for being confused. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Installation openLDAP in Debian
Resending on-list. On Wed, Apr 20, 2011 at 1:33 PM, Simone Piccardi picca...@truelite.it wrote: On 20/04/2011 17:42, Jose Ildefonso Camargo Tolosa wrote: Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin guide. Quanah: actually, documentation is not yet complete for cn=config, I had to actually convert my slapd.conf to cn=config using slaptest in order to find out how to do the same I had on slapd.conf on cn=config. Ildefonso That's the way I'm using it. And I suggest to anyone not needing to modify configurations on the fly to use it that way. Because apart the missing documentation, I found difficult having to deal with the obscure attribute names and the complex directory structure (and the not so explicative file names used under it) that I found in /etc/ldap/slapd.d/. Well, I actually got used to cn=config pretty quickly, nevertheless, I still find easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using a LDAP administration tool). The cn=config replication suggested on the docs becomes useless when you need to use TLS, because, AFAIK, we don't have a way of having different TLS parameters for each replica (and, on a multi-master setup, you will likely have different servers, with different names, and thus: different SSL certificate). I understand the needs for cn=config, but for the moment I don't need it. Having a file with a simple syntax that I can read and modify instead of a tree of LDIF files is far more convenient for me. So I hope that slapd.conf will remain supported. +1, we shouldn't drop slapd.conf file. Simone -- Simone Piccardi Truelite Srl picca...@truelite.it (email/jabber) Via Monferrato, 6 Tel. +39-347-1032433 50142 Firenze http://www.truelite.it Tel. +39-055-7879597 Fax. +39-055-736
Re: Installation openLDAP in Debian
On Wed, Apr 20, 2011 at 2:53 PM, Howard Chu h...@symas.com wrote: Simone Piccardi wrote: On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote: Hi! it no longer uses slapd.conf by default, it uses cn=config . It is on /etc/ldap/slapd.d/ Debian will leave you with a working directory (even thought not optimal, but you will be able to use it). If you can be more specific on what you want to do, just let us know! If you are used to configure with slapd.conf, you can actually use that configuration too, or you can convert your slapd.conf configuration into cn=config with slaptest (check the docs!). Ildefonso Camargo That's the way I'm using it. And I suggest to anyone not needing to modify configurations on the fly to use it that way. Because apart the missing documentation, I found difficult having to deal with the obscure attribute names and the complex directory structure (and the not so explicative file names used under it) that I found in /etc/ldap/slapd.d/. I understand the needs for cn=config, but for the moment I don't need it. Having a file with a simple syntax that I can read and modify instead of a tree of LDIF files is far more convenient for me. So I hope that slapd.conf will remain supported. The tree of files is not meant for you to ever look at or modify directly. Just use slapcat or ldapsearch. If you know anything about LDAP at all this is MUCH easier than editing flat text files, since you can use any LDAP tool (commandline or GUI) to do all the administration. I don't find complex to directly modify the files, actually, I find it easier than having to write a ldif modification script every time I need to apply a change! I just go ahead and edit the corresponding ldif file on slapd.d If you think the tree structure is confusing, then you obviously have not read the Admin Guide, which clearly outlines the structure. It is not confusing, I actually find it very logic, but it is more complex than a single file. But that was discussed long ago on the list: lets face it, a single plain text file is always simpler than any more formated file, and you will always have someone complaining about it. Now, if there was a graphical LDAP administration tool that handled the configuration: there would be a lot of happy people, and writing that tool (even by creating a template for existing tools) is now possible thanks to cn=config, it was not that easy with old slapd.conf file. http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Layout If you don't read the documentation you have only yourself to blame for being confused. Yeah, that page is incomplete when compared to: http://www.openldap.org/doc/admin24/slapdconfig.html The cn=config directives is missing the access control part, that you can get: http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration Not a big deal, but it took me a while to realize that the documentation was no longer on the same place as for slapd.conf Ildefonso Camargo
Re: Installation openLDAP in Debian
Jose Ildefonso Camargo Tolosa wrote: Resending on-list. Well, I actually got used to cn=config pretty quickly, nevertheless, I still find easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using a LDAP administration tool). The directory structure under slapd.d is private/internal to slapd. Forget it is even there. As far as you're concerned, it does not even exist. The only thing you should ever look at is the LDAP DIT, whether returned by slapcat, ldapsearch, or your LDAP GUI browser of choice. The cn=config replication suggested on the docs becomes useless when you need to use TLS, because, AFAIK, we don't have a way of having different TLS parameters for each replica (and, on a multi-master setup, you will likely have different servers, with different names, and thus: different SSL certificate). Actually no, every syncrepl directive can have its own unique set of TLS parameters. And anyway, usually all of the servers communicating with each other at a site will have the same security requirements and thus the same TLS parameters. The actual certificates might be different, but since they (currently) live in the filesystem there's no need to reflect that difference in the slapd configuration. E.g., every server can point to /etc/ssl/my-server-cert.pem and that file can be unique to each server. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Installation openLDAP in Debian
On 20/04/11 16:01 -0430, Jose Ildefonso Camargo Tolosa wrote: On Wed, Apr 20, 2011 at 2:53 PM, Howard Chu h...@symas.com wrote: I don't find complex to directly modify the files, actually, I find it easier than having to write a ldif modification script every time I need to apply a change! I just go ahead and edit the corresponding ldif file on slapd.d If you think the tree structure is confusing, then you obviously have not read the Admin Guide, which clearly outlines the structure. It is not confusing, I actually find it very logic, but it is more complex than a single file. But that was discussed long ago on the list: lets face it, a single plain text file is always simpler than any more formated file, and you will always have someone complaining about it. Now, if there was a graphical LDAP administration tool that handled the configuration: there would be a lot of happy people, and writing that tool (even by creating a template for existing tools) is now possible thanks to cn=config, it was not that easy with old slapd.conf file. I've found ldapedit/ldiff, from: http://www.aput.net/~jheiss/krbldap/tools/ to be indispensable in my own efforts to learn the new config backend. E.g.: LDAPBASE='cn=config' ./ldapedit objectClass=* opens up the entire config data within an editor (based on your EDITOR environment variable), and then performs the necessary ldap modifications for you after you save and exit. It does not properly handle changes to some of the more complex multi-line entries, such as the schema definitions. -- Dan White
Re: Installation openLDAP in Debian
On Wed, Apr 20, 2011 at 4:18 PM, Howard Chu h...@symas.com wrote: Jose Ildefonso Camargo Tolosa wrote: On Wed, Apr 20, 2011 at 2:53 PM, Howard Chuh...@symas.com wrote: The tree of files is not meant for you to ever look at or modify directly. Just use slapcat or ldapsearch. If you know anything about LDAP at all this is MUCH easier than editing flat text files, since you can use any LDAP tool (commandline or GUI) to do all the administration. I don't find complex to directly modify the files, actually, I find it easier than having to write a ldif modification script every time I need to apply a change! I just go ahead and edit the corresponding ldif file on slapd.d You are editing the backing store of a slapd internal database. If slapd is running while you're doing this, you will probably corrupt the database. Even if slapd is not running, you'll probably corrupt the database. Ok, I'll fall for this: how in the world can I corrupt a text (ldif) file? I have done that for quite some time, and I have never had a single issue with it. Off course, I need to restart slapd to make it use my changes, but it is not big deal on my environment (for other environments, you can use ldapmodify (or similar) and make changes on the fly). Btw, how does OpenLDAP currently handles when you do a really bad change to openldap parameter via ldapmodify? if I edit the ldif files (on slapd.d), I can actually use slaptest to validate it, before I restart the daemon.
Re: Installation openLDAP in Debian
On Wed, Apr 20, 2011 at 4:34 PM, Dan White dwh...@olp.net wrote: On 20/04/11 16:01 -0430, Jose Ildefonso Camargo Tolosa wrote: Now, if there was a graphical LDAP administration tool that handled the configuration: there would be a lot of happy people, and writing that tool (even by creating a template for existing tools) is now possible thanks to cn=config, it was not that easy with old slapd.conf file. I've found ldapedit/ldiff, from: http://www.aput.net/~jheiss/krbldap/tools/ to be indispensable in my own efforts to learn the new config backend. E.g.: LDAPBASE='cn=config' ./ldapedit objectClass=* opens up the entire config data within an editor (based on your EDITOR environment variable), and then performs the necessary ldap modifications for you after you save and exit. It does not properly handle changes to some of the more complex multi-line entries, such as the schema definitions. All of this actually gives me an idea, if I use slapcat, create a copy, edit the copy, and then use ldapdiff to get modification script that could be simpler than writing the modification ldifs every time I need to do a change.
Re: Installation openLDAP in Debian
--On April 20, 2011 9:17:36 PM -0430 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com wrote: Btw, how does OpenLDAP currently handles when you do a really bad change to openldap parameter via ldapmodify? if I edit the ldif files (on slapd.d), I can actually use slaptest to validate it, before I restart the daemon. Modify operations made by ldapmodify go through much stricter testing than anything the slap* tools do. This is the case for all ldap* vs slap* operations. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration
Re: Installation openLDAP in Debian
Jose Ildefonso Camargo Tolosa wrote: On Wed, Apr 20, 2011 at 4:18 PM, Howard Chuh...@symas.com wrote: Jose Ildefonso Camargo Tolosa wrote: On Wed, Apr 20, 2011 at 2:53 PM, Howard Chuh...@symas.comwrote: The tree of files is not meant for you to ever look at or modify directly. Just use slapcat or ldapsearch. If you know anything about LDAP at all this is MUCH easier than editing flat text files, since you can use any LDAP tool (commandline or GUI) to do all the administration. I don't find complex to directly modify the files, actually, I find it easier than having to write a ldif modification script every time I need to apply a change! I just go ahead and edit the corresponding ldif file on slapd.d You are editing the backing store of a slapd internal database. If slapd is running while you're doing this, you will probably corrupt the database. Even if slapd is not running, you'll probably corrupt the database. Ok, I'll fall for this: how in the world can I corrupt a text (ldif) file? I have done that for quite some time, and I have never had a single issue with it. Off course, I need to restart slapd to make it use my changes, but it is not big deal on my environment (for other environments, you can use ldapmodify (or similar) and make changes on the fly). There are many possibilities. The most obvious is leaving random whitespace at the end of a line, which frequently trips up people who manually edit flat text files. I won't go into the other possibilities because frankly, it's an internal implementation detail and not worth mentioning. Suffice to say, if you're not going to take the word of the programmer who designed and implemented all of this that editing by hand is prone to corruption, then we have nothing further to discuss. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
