
Re: On removing a duplicated ppolicy overlay



On Tue, Nov 27, 2018 at 3:17 PM Quanah Gibson-Mount <quanah@symas.com> wrote:
--On Tuesday, November 27, 2018 2:22 PM -0800 Daniel Howard
<dannyman@toldme.com> wrote:
 
> I had been yearning for a config file, and it turns out I had them all
> along!

It's a database, not configuration files.  Removing files from underneath a
database is generally not a good idea, although YMMV.

> I am sharing my experience here, for the next person who finds themselves
> googling around, trying to figure out how to remove or tweak a config in
> OpenLDAP. It is nowhere near as complicated as what I had read.

This is the wrong advice.  It is also fairly trivial to do what you avoided.

a) slapcat -n 0 -l /tmp/config.ldif
b) Remove the duplicate entries from /tmp/config.ldif
c) mv /path/to/current/config /path/to/current/config.old; mkdir -p /path/to/current/config
d) slapadd -n 0 -l /tmp/config.ldif

I can see how a naive sysadmin might interpret the various text files in /etc/ldap/slapd.d/cn=config/ as configuration files ... that could be carefully edited by hand ... or managed programmatically through the local configuration management system.

I appreciate your admonition that this interpretation is wrong, and that these would-be "config" files in the system configuration file hierarchy are in fact a software-managed database, so we should not edit what appear to be plain text configuration files, but simply export them to a text file, carefully edit the export of the database, delete the entire config file hierarchy, and then reimport the database.

If I may make a minor feature suggestion: whenever I get a file into /etc that needs a special workflow, I like to put warnings in the comments at the top of such files, advising that the file(s) shouldn't be edited by hand, and explaining the proper workflow. (The visudo command is a golden standard in this regard.)

djh@djh-p5510 ~> sudo head -3 /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#

Perhaps this is a consideration that is already on the roadmap?

Thanks,
-danny
 
--
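
For step b) of the procedure quoted in this message, one way to locate duplicated overlay entries in the `slapcat -n 0` export before editing it. This is an added example, not part of the original thread or of OpenLDAP; it assumes overlay entries use the usual cn=config DN form `olcOverlay={N}name,<parent DN>`, and the sample LDIF is constructed.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of `slapcat -n 0` output; DNs and values are illustrative.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy

dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
olcOverlay: {1}memberof

dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,
 cn=config
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
"""

def entry_dns(ldif_text):
    """Yield each entry's DN, undoing LDIF line folding and base64 DNs."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # continuation = newline + one space
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def duplicate_overlays(ldif_text):
    """Map (parent DN, overlay name) -> DNs when an overlay appears twice."""
    seen = defaultdict(list)
    for dn in entry_dns(ldif_text):
        m = re.match(r"olcOverlay=\{\d+\}([^,]+),(.+)$", dn, re.IGNORECASE)
        if m:
            seen[(m.group(2).lower(), m.group(1).lower())].append(dn)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (parent, name), dns in duplicate_overlays(SAMPLE_LDIF).items():
        print(f"{name} appears {len(dns)} times under {parent}: {dns}")
```

The script only reports; which of the listed entries to delete from the export remains a manual decision.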