From owner-freebsd-questions@FreeBSD.ORG Wed Mar 4 11:17:05 2009
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 30154106566C for ; Wed, 4 Mar 2009 11:17:05 +0000 (UTC) (envelope-from rock_on_the_web@comcen.com.au)
Received: from angel.comcen.com.au (angel.comcen.com.au [203.23.236.69]) by mx1.freebsd.org (Postfix) with ESMTP id EBBB58FC12 for ; Wed, 4 Mar 2009 11:17:04 +0000 (UTC) (envelope-from rock_on_the_web@comcen.com.au)
Received: from [192.168.0.192] (unknown [202.172.126.254]) by angel.comcen.com.au (Postfix) with ESMTP id B0A485C2F21C for ; Wed, 4 Mar 2009 22:18:30 +1100 (EST)
From: Da Rock
To: freebsd-questions@freebsd.org
In-Reply-To: <1235619755.47624.18.camel@laptop1.herveybayaustralia.com.au>
References: <1235619755.47624.18.camel@laptop1.herveybayaustralia.com.au>
Content-Type: text/plain
Date: Wed, 04 Mar 2009 21:17:02 +1000
Message-Id: <1236165423.6517.21.camel@laptop1.herveybayaustralia.com.au>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.5 FreeBSD GNOME Team Port
Content-Transfer-Encoding: 7bit
Subject: Re: ldap cn=config/slapd.d querying
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 04 Mar 2009 11:17:05 -0000

On Thu, 2009-02-26 at 13:42 +1000, Da Rock wrote:
> This may be a stupid question, but I haven't been able to alight on the
> answer to this.
>
> I'm investigating using dynamic configuration (cn=config or slapd.d
> system, whichever term you like) for an ldap service, but as far as I
> could see there is no way to change the setting on the fly through the
> ldap itself: is this correct?
>
> Is it dynamic in that you can adjust the config manually, correcting the
> ldif files in the slapd.d directory, knowing that the ldap server will
> pick up the changes immediately? Or is there a way that an ldap client
> (ldapmodify, luma, diradm, whatever) can access the config and change it
> that way?
>
> Thanks in advance for humouring my dementia... :)

Ok, so it did turn out to be a stupid question: the config is in a separate database; what the real stopper to changing the config through ldap tools is, is the suffix. This limits the access to only the database, not the config. So the answer to this is that the config MUST be changed via the ldif files in the directory (on the fly, that is).

An interesting observation though: ldap can use SASL (gssapi = kerberos) to auth user access, and kerberos can use ldap as a backend... chicken and egg: slapd needs to auth with kerberos on startup as a service, and kerberos could need to access ldap to reach the keys :) (if set up to use the ldap to store them, of course)

So what happens in a case like that? Does ldap start up enough to allow kerberos to access the backend? Or does slapd keep retrying to auth until it can? Or do we end up in an endless loop? :)

I could probably keep coming up with more (my research into both these has turned up some interesting information)...
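The thread above turns on the fact that the cn=config data in slapd.d is a separate database from the directory data, with its own suffix (none), its own rootDN and its own access rules. As an added example, not code from this thread or from OpenLDAP, the script below parses LDIF of the kind slapd writes into slapd.d (folded continuation lines, base64 `::` values, comment lines) and summarises, for every `olcDatabase` entry, its suffix, rootDN and ordered `olcAccess` rules, then flags rules that grant write or manage to everyone. The `olc*` attribute names are OpenLDAP's cn=config attributes; the LDIF itself is constructed for the example and is not a dump of any real server.

```python
"""Audit slapd.d (cn=config) LDIF: which DN controls which database, under
which access rules.  Added example; the sample LDIF below is constructed."""
import base64
import re
from typing import Dict, List

# Constructed sample: the config database ({0}config) and one data database.
# olcSuffix is base64-encoded ("::") as slapd does for some values, and one
# olcAccess value is folded over two physical lines (leading single space).
SAMPLE_LDIF = """\
# constructed sample, not a real slapd.d dump
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage by * none

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix:: ZGM9ZXhhbXBsZSxkYz1jb20=
olcRootDN: cn=admin,dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to * by * read
olcAccess: {1}to attrs=mail by * write
"""

Entry = Dict[str, List[str]]


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines and drop comment lines; keep blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines and lines[-1] != "":
            lines[-1] += raw[1:]  # folded line: drop the single leading space
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries; each entry maps attribute -> list of values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if line == "":  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def acl_index(rule: str) -> int:
    """Ordering index from the '{n}' prefix slapd puts on ordered values."""
    m = re.match(r"\{(\d+)\}", rule)
    return int(m.group(1)) if m else -1


def database_summary(entries: List[Entry]) -> Dict[str, dict]:
    """Per olcDatabase entry: suffix, rootDN and olcAccess in evaluation order."""
    summary: Dict[str, dict] = {}
    for e in entries:
        if "olcDatabase" not in e:
            continue
        summary[e["olcDatabase"][0]] = {
            "suffix": e.get("olcSuffix", [None])[0],
            "rootdn": e.get("olcRootDN", [None])[0],
            "access": sorted(e.get("olcAccess", []), key=acl_index),
        }
    return summary


def world_writable_rules(summary: Dict[str, dict]) -> List[tuple]:
    """(database, rule) pairs where 'by *' or 'by anonymous' grants write/manage."""
    pattern = re.compile(r"\bby\s+(\*|anonymous)\s+(write|manage)\b")
    return [(name, rule) for name, info in summary.items()
            for rule in info["access"] if pattern.search(rule)]


if __name__ == "__main__":
    summ = database_summary(parse_ldif(SAMPLE_LDIF))
    for db, info in summ.items():
        print(f"{db}: suffix={info['suffix']} rootdn={info['rootdn']}")
        for rule in info["access"]:
            print(f"    {rule}")
    for db, rule in world_writable_rules(summ):
        print(f"WARNING {db}: {rule}")
```

Run against a real slapd.d tree the same functions would be fed the contents of `cn=config/olcDatabase={N}*.ldif`; the point of the summary is that the `{0}config` entry has no suffix but does have its own rootDN and ACL, separate from those of the data database, which is exactly the split the thread describes.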