Date: Wed, 04 Mar 2009 21:17:02 +1000
From: Da Rock <rock_on_the_web@comcen.com.au>
To: freebsd-questions@freebsd.org
Subject: Re: ldap cn=config/slapd.d querying
Message-ID: <1236165423.6517.21.camel@laptop1.herveybayaustralia.com.au>
In-Reply-To: <1235619755.47624.18.camel@laptop1.herveybayaustralia.com.au>
References: <1235619755.47624.18.camel@laptop1.herveybayaustralia.com.au>
On Thu, 2009-02-26 at 13:42 +1000, Da Rock wrote:
> This may be a stupid question, but I haven't been able to alight on the
> answer to this.
>
> I'm investigating using dynamic configuration (cn=config or slapd.d
> system- whichever term you like) for an ldap service, but as far as I
> could see there is no way to change the setting on the fly through the
> ldap itself: is this correct?
>
> Is it dynamic in that you can adjust the config manually correcting the
> ldif files in the slapd.d directory knowing that the ldap server will
> pick up the changes immediately? Or is there a way that an ldap client
> (ldapmodify, luma, diradm, whatever) can access the config and change it
> that way?
>
> Thanks in advance for humouring my dementia... :)

Ok, so it did turn out to be a stupid question: the config is in a separate
database; what is the real stopper to changing the config through ldap tools
is the suffix. This limits the access to only the database, not the config.
So the answer to this is that the config MUST be changed via the ldif files
in the directory (on the fly, that is).

An interesting observation though: ldap can use SASL (gssapi = kerberos) to
auth user access, and kerberos can use ldap as a backend... chicken and egg-
slapd needs to auth with kerberos on startup as a service and kerberos could
need to access ldap to reach the keys :) (if set up to use the ldap to store
them of course)

So what happens in a case like that? Does ldap startup enough to allow
kerberos to access the backend? Or does slapd keep retrying to auth until it
can? Or do we end up in an endless loop? :)

I could probably keep coming up with more (my research into both these has
turned up some interesting information)...
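An added example (not from this thread or from OpenLDAP itself) showing the distinction the post turns on: the config lives in its own database under cn=config, separate from the data suffix, and is reached by an LDAP client through the local ldapi socket rather than through the data suffix. It assumes slapd listens on ldapi:/// and that the olcAccess rule on the config database grants the SASL EXTERNAL identity running the script (normally root) manage rights; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: build and apply an LDIF that changes
# one attribute under cn=config via ldapmodify over the local ldapi socket.
# Assumption: slapd listens on ldapi:/// and its olcAccess rule for
# olcDatabase={0}config grants "manage" to the SASL EXTERNAL identity of
# the user running this script (typically root, uidNumber=0+gidNumber=0).

# Emit a modify LDIF. $1 = entry DN, $2 = olc attribute, $3 = new value.
# Refuses DNs outside the cn=config tree: olc* attributes live only there,
# and the data suffix (e.g. dc=example,dc=com) is a different database.
cn_config_modify_ldif() {
    dn=$1
    attr=$2
    value=$3
    case "$dn" in
        cn=config|*,cn=config) ;;
        *) echo "refusing: $dn is not under cn=config" >&2; return 1 ;;
    esac
    case "$attr" in
        olc*) ;;
        *) echo "refusing: $attr is not an olc* config attribute" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$dn" "$attr" "$attr" "$value"
}

# Apply an LDIF read from stdin using SASL EXTERNAL over ldapi:///.
# Returns 2 when the OpenLDAP client tools are absent, so a caller can tell
# "no tools here" apart from "slapd rejected the modification".
apply_cn_config_ldif() {
    command -v ldapmodify >/dev/null 2>&1 || return 2
    ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Read one attribute of a config entry back to confirm the change took.
show_cn_config_attr() {
    command -v ldapsearch >/dev/null 2>&1 || return 2
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$1" -s base "$2"
}

# Usage on a live system (guarded, so the script is harmless without slapd):
#   cn_config_modify_ldif cn=config olcLogLevel stats | apply_cn_config_ldif
#   show_cn_config_attr cn=config olcLogLevel
```

The same pattern applies to per-database entries such as olcDatabase={1}mdb,cn=config; the second guard only checks that the attribute is an olc* one, not that slapd's schema accepts the value.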