On Wed, Aug 20, 2008 at 10:58:51PM -0700, Steve Langasek wrote:
> On Tue, Aug 12, 2008 at 06:07:14PM +0200, Bastian Blank wrote:
> > On Tue, Aug 12, 2008 at 12:35:30PM -0300, Steve Langasek wrote:
> > > It is possible; I'm currently awaiting feedback from the OpenLDAP
> > > comaintainers before we enable it.
> >
> > You know that parts of the config settings are only supported in the
> > legacy-format?
>
> I've been told that there are certain (uncommon) backends that aren't
> supported by cn=config, and I'm not surprised to learn that there are some
> overlays that are unsupported as well. Do you have a list of these that are
> of concern to you?

Not currently. I read it somewhere, but as the documentation on how to
configure them via cn=config is completely missing, it is not easy to find
it again. Can you please first fill the gaps in the documentation before
forcing something underdocumented on everybody?

> AFAIK the components that have not yet been ported to cn=config are those of
> marginal interest, and I don't think they should block us from moving to
> only support cn=config in the package; users who prefer to stick with
> slapd.conf will be able to switch back after upgrade, at the expense of not
> getting automatic config upgrades from the package anymore.

So you convert it forth, break it during the step.

> > Is there documentation how to import new schemas in the new config tree?
>
> They need to be provided in LDIF format. All of the schemas included in the
> slapd package now also have .ldif versions that can be used as examples of
> how to do this. I haven't looked for documentation, per se.

Please provide the documentation then. I have several private schemas which
I somehow need to port forward. Does slapd support modifications to
cn=Schema?

> > Also modifications are only supported via the ldap
> > protocol, who says that root may authenticate at all?
>
> We prompt for the password to use as the olcRootPW when setting up
> cn=config, and can prompt for it again when other packages need to make
> schema changes. I don't think this should be any more problematic than
> what's currently done for integration with database packages.

Who says that there exists a password for the root DN? None of my configs
includes one, because I don't need another weak point. Which ACLs apply to
the usage of the root DN for authentication? How do you want to reach the
daemon? ldapi:///? ldap://127.0.0.1? The admin is free to disable whatever
access variant he wants.

Some other questions. The cn=config tree is located in /etc/ldap/config.d.
What happens if I modify that while the daemon is running with an editor?
What happens if I modify it with an editor and per LDAP at the same time?

Bastian

--
Insufficient facts always invite danger.
		-- Spock, "Space Seed", stardate 3141.9
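The schema port discussed in the thread above (schemas for cn=config "need to be provided in LDIF format"), as an added example that is not part of the original message or of the slapd package: a small converter from slapd.conf-style schema text to an entry under cn=schema,cn=config. The schema name, attribute and class names, and the 1.1 OID arc in the sample are constructed placeholders.

```python
# Added example: convert slapd.conf-style schema text to a cn=config LDIF entry.
DIRECTIVES = {  # .schema keyword -> attribute of the olcSchemaConfig entry
    "objectidentifier": "olcObjectIdentifier",
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
}

def fold(line, width=76):
    """Fold a long LDIF line; each continuation line starts with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def schema_to_ldif(name, text):
    """Return one LDIF entry (child of cn=schema,cn=config) for the schema text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # continuation of previous directive
        else:
            logical.append(raw.strip())
    out = [f"dn: cn={name},cn=schema,cn=config",
           "objectClass: olcSchemaConfig",
           f"cn: {name}"]
    for entry in logical:
        fields = entry.split(None, 1)
        attr = DIRECTIVES.get(fields[0].lower())
        if attr is None or len(fields) != 2:
            # e.g. "include": refuse rather than silently drop a directive
            raise ValueError(f"unsupported schema directive: {fields[0]!r}")
        out.append(fold(attr + ": " + " ".join(fields[1].split())))
    return "\n".join(out) + "\n"

# Constructed sample schema; the names and the 1.1 OID arc are placeholders.
SAMPLE = """\
objectidentifier exampleRoot 1.1
# constructed attribute and class
attributetype ( exampleRoot:1.1 NAME 'exampleBadgeId'
    DESC 'Constructed sample attribute'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclass ( exampleRoot:2.1 NAME 'exampleBadgeHolder'
    SUP top AUXILIARY MAY exampleBadgeId )
"""

if __name__ == "__main__":
    print(schema_to_ldif("example", SAMPLE), end="")
```

The output is the entry a client would add below cn=schema,cn=config; how that client reaches and authenticates to the daemon is the open question raised in the message.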