LDAP integration

Vulpes Velox v.velox at vvelox.net
Thu Jan 11 02:10:48 UTC 2007


On Wed, 10 Jan 2007 17:10:36 -0800 (PST)
Lamont Granquist <lamont at scriptkiddie.org> wrote:

> 
> 
> On Wed, 10 Jan 2007, Vulpes Velox wrote:
> > On Wed, 10 Jan 2007 13:56:23 -0800
> > Doug Barton <dougb at FreeBSD.org> wrote:
> >> Lamont Granquist wrote:
> >>> Why are you doing this in the FreeBSD rc scripts directly?  Why
> >>> not install cfengine and work on making cfengine play better
> >>> with database-driven config?
> >>
> >> Indeed. For a "many systems" problem, cfengine is a great tool. I
> >> think the OP is more interested in the "dynamically configured
> >> laptop" problem, which is also an interesting/difficult one, but
> >> I don't think it's a good problem for LDAP to solve. It still
> >> feels like "I have LDAP that I want to use as a solution, so
> >> what problem can I point it at?" to me.
> >
> > Stuff like this is what LDAP truly shines for. It keeps
> > everything in a nicely organized manner that is easily accessible
> > and searchable.
> 
> I agree that database-driven config management is good.  I do not
> agree that LDAP is the best way to go about doing it since LDAP
> works best as a read-mostly directory service and not as a
> mixed-read/write database which is what I've seen these kinds of
> configuration management databases scale and turn into.  LDAP is
> great for stuff that barely ever changes. When you add SOX audit
> trails and error reporting and other junk into the database LDAP
> stops being appropriate.

Right. LDAP should not be used for logging at all. That is what SQL
is awesome for. :)

> I also don't understand the focus on dynamically
> generating /etc/rc.conf since that is actually not what I want in
> my database.  Inside my database I want to configure a machine as
> an ftp server or a web server and deal with the high-level roles
> that the machine plays.  In order to generate an rc.conf file I
> want to take the roles as inputs and construct the rc.conf file
> specific to the machine.

I am starting with rc.conf because it is a logical place to start for
what I want. I am not interested in the autoconfiguration stuff in
this project. Just reeling in the configuration. I am largely
focusing on LDAP because it is what would be most handy in my situation,
but I am aiming at the idea of making that part interchangeable. I
plan to start work on the actual parts once I am happy with the schema.
That is going to take a bit of time to get worked out because there
are a few things to iron out. There are also a lot of attributes that
need to be defined.

