ldap cn=config/slapd.d querying

Da Rock rock_on_the_web at comcen.com.au
Wed Mar 4 03:17:05 PST 2009

On Thu, 2009-02-26 at 13:42 +1000, Da Rock wrote:
> This may be a stupid question, but I haven't been able to alight on the
> answer to this.
> I'm investigating using dynamic configuration (cn=config or slapd.d
> system, whichever term you like) for an ldap service, but as far as I
> could see there is no way to change the setting on the fly through the
> ldap itself: is this correct?
> Is it dynamic in that you can adjust the config manually correcting the
> ldif files in the slapd.d directory knowing that the ldap server will
> pick up the changes immediately? Or is there a way that an ldap client
> (ldapmodify, luma, diradm, whatever) can access the config and change it
> that way?
> Thanks in advance for humouring my dementia... :)

OK, so it did turn out to be a stupid question: the config is in a
separate database; what is the real stopper to changing the config
through ldap tools is the suffix. This limits the access to only the
database, not the config. So the answer to this is that the config MUST
be changed via the ldif files in the directory (on the fly, that is).

An interesting observation though: ldap can use SASL (gssapi = kerberos)
to auth user access, and kerberos can use ldap as a backend... chicken
and egg: slapd needs to auth with kerberos on startup as a service and
kerberos could need to access ldap to reach the keys :) (if set up to use
the ldap to store them, of course)

So what happens in a case like that? Does ldap start up enough to allow
kerberos to access the backend? Or does slapd keep retrying to auth
until it can? Or do we end up in an endless loop? :)

I could probably keep coming up with more (my research into both these
has turned up some interesting information)...

More information about the freebsd-questions mailing list