Re: Olc deployment vs slapd.conf based deployment

Am 22.09.2017 um 16:50 schrieb Howard Chu: Peter wrote: olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif That is a very nice proposal, it would sort of

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: The real issue with ppolicy is that it shouldn't be shipping with a separate schema, and instead it should have its configuration schema fully internalized. Hmm, you could say that about for standard schema file shipped by OpenLDAP but considered immutable (like core

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 22, 2017 10:47 AM -0700 Quanah Gibson-Mount wrote: The current ITS system is already scheduled for replacement. The current OpenLDAP infrastructure is already being migrated *being migrated (one server complete, one underway as time allows). --Quanah -- Quanah Gi

Re: Olc deployment vs slapd.conf based deployment

--On Wednesday, September 20, 2017 6:40 PM +0200 Ondřej Kuzník wrote: In terms of that, some of us would like to have a different bug tracking system, if it supports attaching patches to it I guess that's something you'd find a bit more welcoming. The current ITS system is already scheduled

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 22, 2017 8:38 AM -0400 Frank Swasey wrote: My take away from this lengthy discussion is the following: 1) cn=config is not ready for "make; make test; make install" level of upgrade. Until it is, it is not usable in a production environment. I've been doing binary up

Re: Olc deployment vs slapd.conf based deployment

Peter wrote: olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif That is a very nice proposal, it would sort of give us the good things of both worlds. It

Re: Olc deployment vs slapd.conf based deployment

olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif That is a very nice proposal, it would sort of give us the good things of both worlds. IMHO schema is th

Re: Olc deployment vs slapd.conf based deployment

Frank Swasey wrote: My take away from this lengthy discussion is the following: 1) cn=config is not ready for "make; make test; make install" level of upgrade. Until it is, it is not usable in a production environment. Nobody is denying that more work needs to be done. Where did you ever get

Re: Olc deployment vs slapd.conf based deployment

My take away from this lengthy discussion is the following: 1) cn=config is not ready for "make; make test; make install" level of upgrade. Until it is, it is not usable in a production environment. 2) As usual, the OpenLDAP developers are saying "my way or the highway". As a Proof of Concep

Re: Olc deployment vs slapd.conf based deployment

On Mon, Sep 18, 2017 at 06:08:16PM +0200, Radovan Semancik wrote: > On 09/18/2017 05:20 PM, Howard Chu wrote: >> Radovan Semancik wrote: >>> I would ... if this was a wiki, or github-like pull request and if there >>> was an example of how a good result should look like. But it does not >>> make se

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

--On Tuesday, September 19, 2017 7:31 PM +0200 Radovan Semancik wrote: What I meant were external contributions from people outside of the core team. And I have obviously missed (at least) one such contribution. I'm sorry for this. My fault. And I get your point and I apologize for this confus

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

What I meant were external contributions from people outside of the core team. And I have obviously missed (at least) one such contribution. I'm sorry for this. My fault. And I get your point and I apologize for this confusion. I just want to point out I haven't failed to notice that all of my

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

--On Tuesday, September 19, 2017 11:54 AM +0200 Radovan Semancik wrote: Regarding the pull requests and discussions: I have checked the devel mailing list for several months and I haven't see any discussion regarding a contribution. Really? You must not have looked very hard then.

Re: Olc deployment vs slapd.conf based deployment

Am Mon, 18 Sep 2017 10:12:23 -0400 schrieb Brian Reichert : > On Sat, Sep 16, 2017 at 04:24:36PM +0200, Daniel Pluta wrote: > > On 16.09.2017 09:04, Michael Str??der wrote: > > >Daniel Pluta wrote: > > >>Call it strange, useless, insane, fine or whatever, but my > > >>customers (also anybody w

Re: Olc deployment vs slapd.conf based deployment

On Mon, Sep 18, 2017 at 08:01:31PM +0200, Michael Ströder wrote: > Quanah Gibson-Mount wrote: > > > So instead of writing a single file (in one FS transaction) after > > > letting slaptest check it I have to write several files (multiple > > > FS operations), diff that and then apply multiple LDAP

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

On 09/19/2017 08:56 AM, Ulrich Windl wrote: Please don't mix git with github! While github makes some things easier to do, it's not required to use gir (as you surely know). The problem with using github is that everybody has to use github then (will pull requests and related discussions be vis

Re: Olc deployment vs slapd.conf based deployment

Howard Chu wrote: Michael Ströder wrote: Quanah Gibson-Mount wrote: b) Since cn=config is simply a tree, you could have your cn=config in git, commit your changes there, and use a tool like ldapdiff to create changesets to apply programatically. So instead of writing a single file (in one FS

Re: Olc deployment vs slapd.conf based deployment

Michael Ströder wrote: Quanah Gibson-Mount wrote: b) Since cn=config is simply a tree, you could have your cn=config in git, commit your changes there, and use a tool like ldapdiff to create changesets to apply programatically. So instead of writing a single file (in one FS transaction) after

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: So instead of writing a single file (in one FS transaction) after letting slaptest check it I have to write several files (multiple FS operations), diff that and then apply multiple LDAP operations. Hm? How is this any different really than tracking slapd.conf in git?

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 8:48 PM +0200 Michael Ströder wrote: b) Since cn=config is simply a tree, you could have your cn=config in git, commit your changes there, and use a tool like ldapdiff to create changesets to apply programatically. So instead of writing a single file (in one FS

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: a) You could set up an accesslog database that stores the changes made to cn=config over time. If you had to have it in git, it shouldn't be particularly difficult to write a tool to parse those changes out into some format you desire This has two caveats: 1. Your c

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 07:25 PM, Quanah Gibson-Mount wrote: I'm not sure there's a solution to that that the OpenLDAP project can help you with. I'm afraid that I have just reached the same conclusion. -- Radovan Semancik Software Architect evolveum.com

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 07:22 PM, Quanah Gibson-Mount wrote: --On Monday, September 18, 2017 8:11 PM +0200 Radovan Semancik wrote: Yes, git is great tool and it is standard. No doubt about that. But why there is no official OpenLDAP repo on github/gitlab? There is:

Re: Olc deployment vs slapd.conf based deployment

Radovan Semancik wrote: On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So yes, you should already have a legal team, if that's necessary in your case, that's familiar with dealing with FOSS licenses, to review them.

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 8:18 PM +0200 Radovan Semancik wrote: On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So yes, you should already have a legal team, if that's necessary in your case, that's familiar wit

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 8:11 PM +0200 Radovan Semancik wrote: On 09/18/2017 06:27 PM, Quanah Gibson-Mount wrote: git is a pretty standard tool. Interestingly, numerous people seem to have no issue using git to check out the source, do a git format patch, and submit it for inclusion w

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So yes, you should already have a legal team, if that's necessary in your case, that's familiar with dealing with FOSS licenses, to review them. Not really. Not that man

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 06:27 PM, Quanah Gibson-Mount wrote: git is a pretty standard tool. Interestingly, numerous people seem to have no issue using git to check out the source, do a git format patch, and submit it for inclusion with the project. You can see this rather trivially by looking at my scr

Re: Olc deployment vs slapd.conf based deployment

--On Thursday, September 14, 2017 10:59 PM -0500 Andy Dorman wrote: Hi Andy, FWIW, we also need the git trail of changes over time. I have not figured out a good way to do that with OLC. Well, there are a few options I suppose: a) You could set up an accesslog database that stores the cha

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 7:08 PM +0200 Radovan Semancik wrote: On 09/18/2017 05:20 PM, Howard Chu wrote: Radovan Semancik wrote: I would ... if this was a wiki, or github-like pull request and if there was an example of how a good result should look like. But it does not make sense fo

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 7:13 PM +0200 Radovan Semancik wrote: That's incorrect.  It's a BSD-style license, it doesn't get much more basic than that. The point is that is may be BSD-style license. But it is not a BSD license. I may need t

Re: Olc deployment vs slapd.conf based deployment

That's incorrect.  It's a BSD-style license, it doesn't get much more basic than that. The point is that is may be BSD-style license. But it is not a BSD license. I may need to run OpenLDAP license with our company lawyer to make sure it is BSD-li

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 05:20 PM, Howard Chu wrote: Radovan Semancik wrote: I would ... if this was a wiki, or github-like pull request and if there was an example of how a good result should look like. But it does not make sense for me to spend few hours just figuring out how to contribute documentatio

Re: Olc deployment vs slapd.conf based deployment

On Thu, 2017-09-14 at 14:15 -0700, Quanah Gibson-Mount wrote: > --On Thursday, September 14, 2017 3:06 PM -0700 rammohan > ganapavarapu  > wrote: > > > > > Hi, > > > > > > I am trying to see what is the best and recommended way of > > deploying/starting ldap, OLC or conf file based? i was in t

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 6:02 PM +0200 Radovan Semancik wrote: Again, it would be probably already contributed to the project if the process was more user friendly. But what do I really need to do to contribute? First, I have to decide whether I'm OK to contribute under OpenLDAP license

Re: Olc deployment vs slapd.conf based deployment

Radovan Semancik wrote: Hi, On 09/18/2017 02:44 PM, Howard Chu wrote: These perennial arguments keep coming up. If you want things to improve, contribute. Anyone can write a manpage. Hardly anyone ever does. Everyone sits back and moans while waiting for someone else to fix things for them. T

Re: Olc deployment vs slapd.conf based deployment

Hi, On 09/18/2017 02:44 PM, Howard Chu wrote: These perennial arguments keep coming up. If you want things to improve, contribute. Anyone can write a manpage. Hardly anyone ever does. Everyone sits back and moans while waiting for someone else to fix things for them. That's not what open sourc

Re: Olc deployment vs slapd.conf based deployment

On Sat, Sep 16, 2017 at 04:24:36PM +0200, Daniel Pluta wrote: > On 16.09.2017 09:04, Michael Str??der wrote: > >Daniel Pluta wrote: > >>Call it strange, useless, insane, fine or whatever, but my customers > >>(also anybody who's interested in using a distinct service) should > >>be able to get a ch

Re: Olc deployment vs slapd.conf based deployment

Radovan Semancik wrote: Hi, The "cn=config" configuration method is clearly superior. However, there are serious practical issues. Firstly, the documentation leaves a lot to be desired. Until recently almost all examples shown the slapd.conf way, cn=config equivalent was simply missing. Unles

Re: Olc deployment vs slapd.conf based deployment

Hi, The "cn=config" configuration method is clearly superior. However, there are serious practical issues. Firstly, the documentation leaves a lot to be desired. Until recently almost all examples shown the slapd.conf way, cn=config equivalent was simply missing. Unless I have missed something

Re: Olc deployment vs slapd.conf based deployment

On 16.09.2017 09:04, Michael Ströder wrote: Daniel Pluta wrote: Call it strange, useless, insane, fine or whatever, but my customers (also anybody who's interested in using a distinct service) should be able to get a chance for a detailed view into the running configuration of each service - bef

Re: Olc deployment vs slapd.conf based deployment

Daniel Pluta wrote: Forget about it. It's sufficient to keep in mind that the future lies in cn=config. ;-) History provides enough examples where simple modernism resulted in dead-ends or even worse things. Ciao, Michael. smime.p7s Description: S/MIME Cryptographic Signature

Re: Olc deployment vs slapd.conf based deployment

Daniel Pluta wrote: Call it strange, useless, insane, fine or whatever, but my customers (also anybody who's interested in using a distinct service) should be able to get a chance for a detailed view into the running configuration of each service - before and while using it. slapd's cn=config sup

Re: Olc deployment vs slapd.conf based deployment

In my opinion the most important, hard to attack, and even harder (impossible?) to disprove argument is: Transparency! Call it strange, useless, insane, fine or whatever, but my customers (also anybody who's interested in using a distinct service) should be able to get a chance for a detailed

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 12:24 PM -0700 Ryan Tandy wrote: There was some talk, either in IRC or on -devel, of creating a way for cn=config to reference schema files (possibly LDIF) on disk rather than importing them into the config database. I think that would

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:47 PM -0700 Ryan Tandy wrote: On Fri, Sep 15, 2017 at 11:44:47AM -0700, Quanah Gibson-Mount wrote: Generally it's considered a no-no. For this instance, it may be the easiest route if you can do it without breaking things. ;) If you do take that path, it'

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15, 2017 at 11:44:47AM -0700, Quanah Gibson-Mount wrote: Generally it's considered a no-no. For this instance, it may be the easiest route if you can do it without breaking things. ;) If you do take that path, it's best if you make some kind of online modification to the same sche

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:41 PM -0700 rammohan ganapavarapu wrote: Quanah, But updating schema.ldif file in disk is not recommended way  right? Generally it's considered a no-no. For this instance, it may be the easiest route if you can do it without breaking things. ;) --Qua

Re: Olc deployment vs slapd.conf based deployment

Quanah, But updating schema.ldif file in disk is not recommended way right? Thanks, Ram On Fri, Sep 15, 2017 at 11:33 AM, Quanah Gibson-Mount wrote: > --On Friday, September 15, 2017 12:24 PM -0700 Ryan Tandy > wrote: > > > There was some talk, either in IRC or on -devel, of creating a way f

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:24 PM -0700 Ryan Tandy wrote: There was some talk, either in IRC or on -devel, of creating a way for cn=config to reference schema files (possibly LDIF) on disk rather than importing them into the config database. I think that would be an improvement. Import

Re: Olc deployment vs slapd.conf based deployment

(For the record, I agree with most of your points; and I personally would be more satisfied with slapd.conf and reloading it on SIGHUP than I am with cn=config.) On Fri, Sep 15, 2017 at 08:12:04PM +0200, Michael Ströder wrote: Standard schema files are shipped with the source and installed with

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 9:12 PM +0200 Michael Ströder wrote: This change led to a non-trivial breakage because the back-config concepts and best practices have serious deficiencies. I actually wrote a utility for Zimbra that replaces the schema in back-config for me on upgrades. Th

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: The OpenLDAP project only provides one thing -- Source code. So no, the sysadmin is actually responsible for ensuring upgrade procedures between versions work for their deployment. Standard schema files are shipped with the source and installed with make install. sl

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 8:49 PM +0200 Michael Ströder wrote: Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 7:57 PM +0200 Michael Ströder wrote: I strongly disagree. It's a schema shipped by OpenLDAP installation. So this update should have simply worked. Since the sch

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 7:57 PM +0200 Michael Ströder wrote: I strongly disagree. It's a schema shipped by OpenLDAP installation. So this update should have simply worked. Since the schema is stored in the cn=config DB, there's not an option to replace the p

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 7:57 PM +0200 Michael Ströder wrote: I strongly disagree. It's a schema shipped by OpenLDAP installation. So this update should have simply worked. Since the schema is stored in the cn=config DB, there's not an option to replace the ppolicy LDIF in cn=config

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 10:01 AM +0200 Michael Ströder wrote: And the upgrade issue with 'pwdMaxRecordedFailure' (see other mail thread) serves as good example how easy it is to run into a operational dead-end with cn=config. In retrospect, I think the ITS t

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 10:01 AM +0200 Michael Ströder wrote: And the upgrade issue with 'pwdMaxRecordedFailure' (see other mail thread) serves as good example how easy it is to run into a operational dead-end with cn=config. There's no easy way to fix this afterwards without violating

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 10:09 AM +0200 Michael Ströder wrote: Quanah Gibson-Mount wrote: I think it's a strong plus to be able to reconfigure a standalone server into an MMR cluster with zero downtime, I don't buy this argument. If you're really eager reaching high availability you

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15, 2017 at 10:55:10AM +0100, Dameon Wagner wrote: > On Fri, Sep 15 2017 at 11:22:44 +0200, Michael Ströder scribbled >> I already though about writing an ansible module doing the >> idempotent diffs via LDAP. But the hard part is a roll-back or >> removing parts since back-config does

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15 2017 at 11:22:44 +0200, Michael Ströder scribbled in "Re: Olc deployment vs slapd.conf based deployment": > Dameon Wagner wrote: > >I really do like the idea of being able to tweak and update > >the configuration without needing to HUP slapd (it's

Re: Olc deployment vs slapd.conf based deployment

Dameon Wagner wrote: I really do like the idea of being able to tweak and update the configuration without needing to HUP slapd (it's a shame there's no "reload" option, in addition to "restart"), SIGHUP is "reload". You probably refer to "restart=stop/start". especially for things like updat

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

Ulrich Windl wrote: Michael Ströder schrieb: Personally I would never replicate cn=config. You mean "via LDAP"? Yes. I think the best way for an unreliable MMR LDAP server is to run it with different configs on each node ;-) Yes. Use a decent config management system instead. to rep

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15 2017 at 09:09:19 +0200, Michael Ströder scribbled in "Re: Olc deployment vs slapd.conf based deployment": > Quanah Gibson-Mount wrote: > >I think it's a strong plus to be able to reconfigure a > >standalone server into an MMR cluster with zero d

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: I think it's a strong plus to be able to reconfigure a standalone server into an MMR cluster with zero downtime, I don't buy this argument. If you're really eager reaching high availability you have to implement a decent load-balancer and test correct fail-over anyw

Re: Olc deployment vs slapd.conf based deployment

Andy Dorman wrote: And lastly, I will admit I haven't researched it recently, but when OLC first came out I did not find any docs on how to set OLC up in a master-slave arrangement so the OLC changes on the master are replicated to the slaves? At least I assume that is how changes should be handl

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: It takes all of ldapadd/modify to modify cn=config. If you're having that much difficulty, it sounds like you don't understand how to use cn=config. I'm also having this difficulties with cn=config. And the upgrade issue with 'pwdMaxRecordedFailure' (see other mail

Re: Olc deployment vs slapd.conf based deployment

On 09/14/2017 07:36 PM, Quanah Gibson-Mount wrote: --On Thursday, September 14, 2017 6:30 PM -0500 Andy Dorman wrote: I have our dev server using OLC and it takes me twice as long to modify it's config than the 15 other servers we have running openLDAP. It takes all of ldapadd/modify to mod

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:49 AM +0200 Michael Ströder wrote: Personally I strongly prefer static configuration because it's so much easier to control it with the usual idempotent config management techniques (puppet, ansible, etc.) which you need for the rest of the system anyway. T

Re: Olc deployment vs slapd.conf based deployment

Thank you. On Sep 14, 2017 5:37 PM, "Quanah Gibson-Mount" wrote: > --On Thursday, September 14, 2017 6:30 PM -0500 Andy Dorman < > ador...@ironicdesign.com> wrote: > > I have our dev server using OLC and it takes me twice as long to modify >> it's config than the 15 other servers we have running

Re: Olc deployment vs slapd.conf based deployment

--On Thursday, September 14, 2017 6:30 PM -0500 Andy Dorman wrote: I have our dev server using OLC and it takes me twice as long to modify it's config than the 15 other servers we have running openLDAP. It takes all of ldapadd/modify to modify cn=config. If you're having that much difficul

Re: Olc deployment vs slapd.conf based deployment

On 09/14/2017 04:49 PM, Michael Ströder wrote: Quanah Gibson-Mount wrote: slapd.conf is deprecated, and support for it will be removed in a future release. Back in 2013 Howard confirmed that 2.5 will still support static config (slapd.conf). And we don't see 2.5 yet. I would say "easy and

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: slapd.conf is deprecated, and support for it will be removed in a future release. Back in 2013 Howard confirmed that 2.5 will still support static config (slapd.conf). And we don't see 2.5 yet. I would say "easy and more controllable" are not measurable, nor are t

Re: Olc deployment vs slapd.conf based deployment

--On Thursday, September 14, 2017 3:06 PM -0700 rammohan ganapavarapu wrote: Hi, I am trying to see what is the best and recommended way of deploying/starting ldap, OLC or conf file based? i was in the impression that conf file based is easy and more controllable approach than OLC? slapd.

Re: Olc deployment vs slapd.conf based deployment

Hi, I am trying to see what is the best and recommended way of deploying/starting ldap, OLC or conf file based? i was in the impression that conf file based is easy and more controllable approach than OLC? Thanks, Ram