From: Lamont Granquist
To: Doug Barton
Cc: freebsd-hackers@FreeBSD.org, Vulpes Velox
Date: Wed, 10 Jan 2007 14:12:54 -0800 (PST)
Subject: Re: LDAP integration

On Wed, 10 Jan 2007, Doug Barton wrote:

> Lamont Granquist wrote:
>
>> Why are you doing this in the FreeBSD rc scripts directly? Why not
>> install cfengine and work on making cfengine play better with
>> database-driven config?
>
> Indeed. For a "many systems" problem, cfengine is a great tool. I
> think the OP is more interested in the "dynamically configured laptop"
> problem, which is also an interesting/difficult one, but I don't think
> it's a good problem for LDAP to solve.
> It still feels like "I have
> LDAP that I want to use as a solution, so what problem can I point it
> at?" to me.

Yeah, I've also found LDAP to be more of a problem than a solution
itself. Once the data starts to be dynamically updated and acquires a
higher rate of change you no longer have a 'directory service' that
you're working with and MySQL becomes a better tool than LDAP. System
config has a way of creeping into becoming more dynamic over time,
particularly when you start logging audit trails in the database,
success codes, error conditions, state machines, etc.

>> And if you're looking specifically at the /etc/rc.conf config file, what
>> would be more useful would be an /etc/rc.conf.d/ directory.
>
> Good news for you, we already support that. :) I agree that it makes a
> great tool for the "many systems" problem, and could reasonably be
> used for part of the "dynamic laptop" problem too.

7-current feature? I'm not seeing it in rc.conf(5) on my RELENG_6-ish
system...

>> That gets
>> away from the need to tweak and edit the /etc/rc.conf config file with
>> multiple inputs tweaking a single file. Instead you can drop whole
>> orthogonal fragments into /etc/rc.conf.d/inetd to manage the inetd
>> config which would make it more friendly to radmind-like approaches. It
>> also makes it easier to use with cfengine since orthogonal cfengine
>> modules aren't doing editfiles touches to the same files.
>
> Yes yes yes all around. At one time I suggested that we add support
> for /usr/local/etc/rc.conf.d and encourage port authors to drop files
> in there, but I didn't get much enthusiasm for it. Perhaps it's time
> to revisit that?

sounds great to me, but i don't have the CFT

>> The
>> /etc/cron.d directory that (most?) linux distros have is similarly very
>> useful to drop in files that contain completely orthogonal config (and
>> may be written by entirely different config management tools -- e.g.
>> system config management vs.
>> application deployment/management), and the
>> /etc/periodic functionality is not flexible enough to cover all cases.
>
> That's not a bad idea, but you'll have to find some other huckleberry
> to address it, I've got my hands full at the moment.

yup, hear ya.