Re: Olc deployment vs slapd.conf based deployment

Am 22.09.2017 um 16:50 schrieb Howard Chu: Peter wrote: olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif That is a very nice proposal, it would sort of

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: The real issue with ppolicy is that it shouldn't be shipping with a separate schema, and instead it should have its configuration schema fully internalized. Hmm, you could say that about for standard schema file shipped by OpenLDAP but considered immutable (like

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 22, 2017 10:47 AM -0700 Quanah Gibson-Mount wrote: The current ITS system is already scheduled for replacement. The current OpenLDAP infrastructure is already being migrated *being migrated (one server complete, one underway as time allows).

Re: Olc deployment vs slapd.conf based deployment

--On Wednesday, September 20, 2017 6:40 PM +0200 Ondřej Kuzník wrote: In terms of that, some of us would like to have a different bug tracking system, if it supports attaching patches to it I guess that's something you'd find a bit more welcoming. The current ITS system

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 22, 2017 8:38 AM -0400 Frank Swasey wrote: My take away from this lengthy discussion is the following: 1) cn=config is not ready for "make; make test; make install" level of upgrade. Until it is, it is not usable in a production environment.

Re: Olc deployment vs slapd.conf based deployment

Peter wrote: olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif That is a very nice proposal, it would sort of give us the good things of both worlds. It

Re: Olc deployment vs slapd.conf based deployment

olcSchemaFile: {0}include: file://$ABS_SCHEMADIR/core.ldif olcSchemaFile: {1}include: file://$ABS_SCHEMADIR/cosine.ldif olcSchemaFile: {2}include: file://$ABS_SCHEMADIR/inetorgperson.ldif That is a very nice proposal, it would sort of give us the good things of both worlds. IMHO schema is

Re: Olc deployment vs slapd.conf based deployment

Frank Swasey wrote: My take away from this lengthy discussion is the following: 1) cn=config is not ready for "make; make test; make install" level of upgrade. Until it is, it is not usable in a production environment. Nobody is denying that more work needs to be done. Where did you ever

Re: Olc deployment vs slapd.conf based deployment

My take away from this lengthy discussion is the following: 1) cn=config is not ready for "make; make test; make install" level of upgrade. Until it is, it is not usable in a production environment. 2) As usual, the OpenLDAP developers are saying "my way or the highway". As a Proof of

Re: Olc deployment vs slapd.conf based deployment

On Mon, Sep 18, 2017 at 06:08:16PM +0200, Radovan Semancik wrote: > On 09/18/2017 05:20 PM, Howard Chu wrote: >> Radovan Semancik wrote: >>> I would ... if this was a wiki, or github-like pull request and if there >>> was an example of how a good result should look like. But it does not >>> make

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

--On Tuesday, September 19, 2017 7:31 PM +0200 Radovan Semancik wrote: What I meant were external contributions from people outside of the core team. And I have obviously missed (at least) one such contribution. I'm sorry for this. My fault. And I get your point

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

What I meant were external contributions from people outside of the core team. And I have obviously missed (at least) one such contribution. I'm sorry for this. My fault. And I get your point and I apologize for this confusion. I just want to point out I haven't failed to notice that all of

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

--On Tuesday, September 19, 2017 11:54 AM +0200 Radovan Semancik wrote: Regarding the pull requests and discussions: I have checked the devel mailing list for several months and I haven't see any discussion regarding a contribution. Really? You must not have

Re: Olc deployment vs slapd.conf based deployment

Am Mon, 18 Sep 2017 10:12:23 -0400 schrieb Brian Reichert : > On Sat, Sep 16, 2017 at 04:24:36PM +0200, Daniel Pluta wrote: > > On 16.09.2017 09:04, Michael Str??der wrote: > > >Daniel Pluta wrote: > > >>Call it strange, useless, insane, fine or whatever, but my > >

Re: Olc deployment vs slapd.conf based deployment

On Mon, Sep 18, 2017 at 08:01:31PM +0200, Michael Ströder wrote: > Quanah Gibson-Mount wrote: > > > So instead of writing a single file (in one FS transaction) after > > > letting slaptest check it I have to write several files (multiple > > > FS operations), diff that and then apply multiple LDAP

Re: Olc deployment vs slapd.conf based deployment

Howard Chu wrote: Michael Ströder wrote: Quanah Gibson-Mount wrote: b) Since cn=config is simply a tree, you could have your cn=config in git, commit your changes there, and use a tool like ldapdiff to create changesets to apply programatically. So instead of writing a single file (in one FS

Re: Olc deployment vs slapd.conf based deployment

Michael Ströder wrote: Quanah Gibson-Mount wrote: b) Since cn=config is simply a tree, you could have your cn=config in git, commit your changes there, and use a tool like ldapdiff to create changesets to apply programatically. So instead of writing a single file (in one FS transaction) after

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: So instead of writing a single file (in one FS transaction) after letting slaptest check it I have to write several files (multiple FS operations), diff that and then apply multiple LDAP operations. Hm? How is this any different really than tracking slapd.conf in

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 8:48 PM +0200 Michael Ströder wrote: b) Since cn=config is simply a tree, you could have your cn=config in git, commit your changes there, and use a tool like ldapdiff to create changesets to apply programatically. So instead of writing a

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: a) You could set up an accesslog database that stores the changes made to cn=config over time. If you had to have it in git, it shouldn't be particularly difficult to write a tool to parse those changes out into some format you desire This has two caveats: 1. Your

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 07:25 PM, Quanah Gibson-Mount wrote: I'm not sure there's a solution to that that the OpenLDAP project can help you with. I'm afraid that I have just reached the same conclusion. -- Radovan Semancik Software Architect evolveum.com

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 07:22 PM, Quanah Gibson-Mount wrote: --On Monday, September 18, 2017 8:11 PM +0200 Radovan Semancik wrote: Yes, git is great tool and it is standard. No doubt about that. But why there is no official OpenLDAP repo on github/gitlab? There is:

Re: Olc deployment vs slapd.conf based deployment

Radovan Semancik wrote: On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So yes, you should already have a legal team, if that's necessary in your case, that's familiar with dealing with FOSS licenses, to review them.

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 8:18 PM +0200 Radovan Semancik wrote: On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So yes, you should already have a legal team, if that's necessary

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 8:11 PM +0200 Radovan Semancik wrote: On 09/18/2017 06:27 PM, Quanah Gibson-Mount wrote: git is a pretty standard tool. Interestingly, numerous people seem to have no issue using git to check out the source, do a git format

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So yes, you should already have a legal team, if that's necessary in your case, that's familiar with dealing with FOSS licenses, to review them. Not really. Not that

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 06:27 PM, Quanah Gibson-Mount wrote: git is a pretty standard tool. Interestingly, numerous people seem to have no issue using git to check out the source, do a git format patch, and submit it for inclusion with the project. You can see this rather trivially by looking at my

Re: Olc deployment vs slapd.conf based deployment

--On Thursday, September 14, 2017 10:59 PM -0500 Andy Dorman wrote: Hi Andy, FWIW, we also need the git trail of changes over time. I have not figured out a good way to do that with OLC. Well, there are a few options I suppose: a) You could set up an accesslog

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 7:08 PM +0200 Radovan Semancik wrote: On 09/18/2017 05:20 PM, Howard Chu wrote: Radovan Semancik wrote: I would ... if this was a wiki, or github-like pull request and if there was an example of how a good result should look

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 7:13 PM +0200 Radovan Semancik wrote: That's incorrect.  It's a BSD-style license, it doesn't get much more basic than that. The point is that is may be BSD-style license. But it is

Re: Olc deployment vs slapd.conf based deployment

That's incorrect.  It's a BSD-style license, it doesn't get much more basic than that. The point is that is may be BSD-style license. But it is not a BSD license. I may need to run OpenLDAP license with our company lawyer to make sure it is

Re: Olc deployment vs slapd.conf based deployment

On 09/18/2017 05:20 PM, Howard Chu wrote: Radovan Semancik wrote: I would ... if this was a wiki, or github-like pull request and if there was an example of how a good result should look like. But it does not make sense for me to spend few hours just figuring out how to contribute

Re: Olc deployment vs slapd.conf based deployment

On Thu, 2017-09-14 at 14:15 -0700, Quanah Gibson-Mount wrote: > --On Thursday, September 14, 2017 3:06 PM -0700 rammohan > ganapavarapu  > wrote: > > > > > Hi, > > > > > > I am trying to see what is the best and recommended way of > > deploying/starting ldap, OLC or

Re: Olc deployment vs slapd.conf based deployment

--On Monday, September 18, 2017 6:02 PM +0200 Radovan Semancik wrote: Again, it would be probably already contributed to the project if the process was more user friendly. But what do I really need to do to contribute? First, I have to decide whether I'm OK to

Re: Olc deployment vs slapd.conf based deployment

Radovan Semancik wrote: Hi, On 09/18/2017 02:44 PM, Howard Chu wrote: These perennial arguments keep coming up. If you want things to improve, contribute. Anyone can write a manpage. Hardly anyone ever does. Everyone sits back and moans while waiting for someone else to fix things for them.

Re: Olc deployment vs slapd.conf based deployment

Hi, On 09/18/2017 02:44 PM, Howard Chu wrote: These perennial arguments keep coming up. If you want things to improve, contribute. Anyone can write a manpage. Hardly anyone ever does. Everyone sits back and moans while waiting for someone else to fix things for them. That's not what open

Re: Olc deployment vs slapd.conf based deployment

On Sat, Sep 16, 2017 at 04:24:36PM +0200, Daniel Pluta wrote: > On 16.09.2017 09:04, Michael Str??der wrote: > >Daniel Pluta wrote: > >>Call it strange, useless, insane, fine or whatever, but my customers > >>(also anybody who's interested in using a distinct service) should > >>be able to get a

Re: Olc deployment vs slapd.conf based deployment

Radovan Semancik wrote: Hi, The "cn=config" configuration method is clearly superior. However, there are serious practical issues. Firstly, the documentation leaves a lot to be desired. Until recently almost all examples shown the slapd.conf way, cn=config equivalent was simply missing.

Re: Olc deployment vs slapd.conf based deployment

Hi, The "cn=config" configuration method is clearly superior. However, there are serious practical issues. Firstly, the documentation leaves a lot to be desired. Until recently almost all examples shown the slapd.conf way, cn=config equivalent was simply missing. Unless I have missed

Re: Olc deployment vs slapd.conf based deployment

On 16.09.2017 09:04, Michael Ströder wrote: Daniel Pluta wrote: Call it strange, useless, insane, fine or whatever, but my customers (also anybody who's interested in using a distinct service) should be able to get a chance for a detailed view into the running configuration of each service -

Re: Olc deployment vs slapd.conf based deployment

Daniel Pluta wrote: Forget about it. It's sufficient to keep in mind that the future lies in cn=config. ;-) History provides enough examples where simple modernism resulted in dead-ends or even worse things. Ciao, Michael. smime.p7s Description: S/MIME Cryptographic Signature

Re: Olc deployment vs slapd.conf based deployment

Daniel Pluta wrote: Call it strange, useless, insane, fine or whatever, but my customers (also anybody who's interested in using a distinct service) should be able to get a chance for a detailed view into the running configuration of each service - before and while using it. slapd's cn=config

Re: Olc deployment vs slapd.conf based deployment

In my opinion the most important, hard to attack, and even harder (impossible?) to disprove argument is: Transparency! Call it strange, useless, insane, fine or whatever, but my customers (also anybody who's interested in using a distinct service) should be able to get a chance for a detailed

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 12:24 PM -0700 Ryan Tandy wrote: There was some talk, either in IRC or on -devel, of creating a way for cn=config to reference schema files (possibly LDIF) on disk rather than importing them into the config database. I

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:47 PM -0700 Ryan Tandy wrote: On Fri, Sep 15, 2017 at 11:44:47AM -0700, Quanah Gibson-Mount wrote: Generally it's considered a no-no. For this instance, it may be the easiest route if you can do it without breaking things. ;) If you do

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15, 2017 at 11:44:47AM -0700, Quanah Gibson-Mount wrote: Generally it's considered a no-no. For this instance, it may be the easiest route if you can do it without breaking things. ;) If you do take that path, it's best if you make some kind of online modification to the same

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:41 PM -0700 rammohan ganapavarapu wrote: Quanah, But updating schema.ldif file in disk is not recommended way  right? Generally it's considered a no-no. For this instance, it may be the easiest route if you can do it without

Re: Olc deployment vs slapd.conf based deployment

Quanah, But updating schema.ldif file in disk is not recommended way right? Thanks, Ram On Fri, Sep 15, 2017 at 11:33 AM, Quanah Gibson-Mount wrote: > --On Friday, September 15, 2017 12:24 PM -0700 Ryan Tandy > wrote: > > > There was some talk, either in

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:24 PM -0700 Ryan Tandy wrote: There was some talk, either in IRC or on -devel, of creating a way for cn=config to reference schema files (possibly LDIF) on disk rather than importing them into the config database. I think that would be an

Re: Olc deployment vs slapd.conf based deployment

(For the record, I agree with most of your points; and I personally would be more satisfied with slapd.conf and reloading it on SIGHUP than I am with cn=config.) On Fri, Sep 15, 2017 at 08:12:04PM +0200, Michael Ströder wrote: Standard schema files are shipped with the source and installed

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 9:12 PM +0200 Michael Ströder wrote: This change led to a non-trivial breakage because the back-config concepts and best practices have serious deficiencies. I actually wrote a utility for Zimbra that replaces the schema in back-config

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: The OpenLDAP project only provides one thing -- Source code. So no, the sysadmin is actually responsible for ensuring upgrade procedures between versions work for their deployment. Standard schema files are shipped with the source and installed with make install.

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 8:49 PM +0200 Michael Ströder wrote: Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 7:57 PM +0200 Michael Ströder wrote: I strongly disagree. It's a schema shipped by OpenLDAP installation. So this

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 7:57 PM +0200 Michael Ströder wrote: I strongly disagree. It's a schema shipped by OpenLDAP installation. So this update should have simply worked. Since the schema is stored in the cn=config DB, there's not an

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 7:57 PM +0200 Michael Ströder wrote: I strongly disagree. It's a schema shipped by OpenLDAP installation. So this update should have simply worked. Since the schema is stored in the cn=config DB, there's not an option to replace the

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: --On Friday, September 15, 2017 10:01 AM +0200 Michael Ströder wrote: And the upgrade issue with 'pwdMaxRecordedFailure' (see other mail thread) serves as good example how easy it is to run into a operational dead-end with cn=config. In

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 10:01 AM +0200 Michael Ströder wrote: And the upgrade issue with 'pwdMaxRecordedFailure' (see other mail thread) serves as good example how easy it is to run into a operational dead-end with cn=config. There's no easy way to fix this

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 10:09 AM +0200 Michael Ströder wrote: Quanah Gibson-Mount wrote: I think it's a strong plus to be able to reconfigure a standalone server into an MMR cluster with zero downtime, I don't buy this argument. If you're really eager reaching

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15, 2017 at 10:55:10AM +0100, Dameon Wagner wrote: > On Fri, Sep 15 2017 at 11:22:44 +0200, Michael Ströder scribbled >> I already though about writing an ansible module doing the >> idempotent diffs via LDAP. But the hard part is a roll-back or >> removing parts since back-config does

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15 2017 at 11:22:44 +0200, Michael Ströder scribbled in "Re: Olc deployment vs slapd.conf based deployment": > Dameon Wagner wrote: > >I really do like the idea of being able to tweak and update > >the configuration without needing to HUP slapd (it's a sh

Re: Olc deployment vs slapd.conf based deployment

Dameon Wagner wrote: I really do like the idea of being able to tweak and update the configuration without needing to HUP slapd (it's a shame there's no "reload" option, in addition to "restart"), SIGHUP is "reload". You probably refer to "restart=stop/start". especially for things like

Re: Antw: Re: Olc deployment vs slapd.conf based deployment

Ulrich Windl wrote: Michael Ströder schrieb: Personally I would never replicate cn=config. You mean "via LDAP"? Yes. I think the best way for an unreliable MMR LDAP server is to run it with different configs on each node ;-) Yes. Use a decent config management

Re: Olc deployment vs slapd.conf based deployment

On Fri, Sep 15 2017 at 09:09:19 +0200, Michael Ströder scribbled in "Re: Olc deployment vs slapd.conf based deployment": > Quanah Gibson-Mount wrote: > >I think it's a strong plus to be able to reconfigure a > >standalone server into an MMR cluster with zero d

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: I think it's a strong plus to be able to reconfigure a standalone server into an MMR cluster with zero downtime, I don't buy this argument. If you're really eager reaching high availability you have to implement a decent load-balancer and test correct fail-over

Re: Olc deployment vs slapd.conf based deployment

Andy Dorman wrote: And lastly, I will admit I haven't researched it recently, but when OLC first came out I did not find any docs on how to set OLC up in a master-slave arrangement so the OLC changes on the master are replicated to the slaves? At least I assume that is how changes should be

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: It takes all of ldapadd/modify to modify cn=config. If you're having that much difficulty, it sounds like you don't understand how to use cn=config. I'm also having this difficulties with cn=config. And the upgrade issue with 'pwdMaxRecordedFailure' (see other mail

Re: Olc deployment vs slapd.conf based deployment

On 09/14/2017 07:36 PM, Quanah Gibson-Mount wrote: --On Thursday, September 14, 2017 6:30 PM -0500 Andy Dorman wrote: I have our dev server using OLC and it takes me twice as long to modify it's config than the 15 other servers we have running openLDAP. It takes

Re: Olc deployment vs slapd.conf based deployment

--On Friday, September 15, 2017 12:49 AM +0200 Michael Ströder wrote: Personally I strongly prefer static configuration because it's so much easier to control it with the usual idempotent config management techniques (puppet, ansible, etc.) which you need for the rest of

Re: Olc deployment vs slapd.conf based deployment

Thank you. On Sep 14, 2017 5:37 PM, "Quanah Gibson-Mount" wrote: > --On Thursday, September 14, 2017 6:30 PM -0500 Andy Dorman < > ador...@ironicdesign.com> wrote: > > I have our dev server using OLC and it takes me twice as long to modify >> it's config than the 15 other

Re: Olc deployment vs slapd.conf based deployment

--On Thursday, September 14, 2017 6:30 PM -0500 Andy Dorman wrote: I have our dev server using OLC and it takes me twice as long to modify it's config than the 15 other servers we have running openLDAP. It takes all of ldapadd/modify to modify cn=config. If you're

Re: Olc deployment vs slapd.conf based deployment

On 09/14/2017 04:49 PM, Michael Ströder wrote: Quanah Gibson-Mount wrote: slapd.conf is deprecated, and support for it will be removed in a future release. Back in 2013 Howard confirmed that 2.5 will still support static config (slapd.conf). And we don't see 2.5 yet. I would say "easy and

Re: Olc deployment vs slapd.conf based deployment

Quanah Gibson-Mount wrote: slapd.conf is deprecated, and support for it will be removed in a future release. Back in 2013 Howard confirmed that 2.5 will still support static config (slapd.conf). And we don't see 2.5 yet. I would say "easy and more controllable" are not measurable, nor are

Re: Olc deployment vs slapd.conf based deployment

--On Thursday, September 14, 2017 3:06 PM -0700 rammohan ganapavarapu wrote: Hi, I am trying to see what is the best and recommended way of deploying/starting ldap, OLC or conf file based? i was in the impression that conf file based is easy and more controllable

Re: Olc deployment vs slapd.conf based deployment

Hi, I am trying to see what is the best and recommended way of deploying/starting ldap, OLC or conf file based? i was in the impression that conf file based is easy and more controllable approach than OLC? Thanks, Ram