5:41 a.m.
In working to have the Samba4 test environment configure fedora-ds. I'm
using ds_newinst.pl, but it starts the DS once it is created.
According to that script, I could modify it, but:
# if for some reason you do not want the server started after instance
creation
# the following line can be commented out - NOTE that if you are
creating the
# Configuration DS, it will be started anyway
$cgiargs{start_server} = 1;
As I understand it, a new standalone install will create the
configuration DS.
Aside from wanting a separate configure/start sequence, I would like to
be able to modify the dse.ldif to fix up some parameters, and redo the
schema, before the slapd process starts.
For the parameter modification, another option might be to have a
'modify ldif' in addition to the 'initial ldif', but I still need a way
to clean out the schema.
Thoughts?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
9:49 a.m.
Andrew Bartlett wrote:
In working to have the Samba4 test environment configure fedora-ds.
I'm
using ds_newinst.pl, but it starts the DS once it is created.
According to that script, I could modify it, but:
# if for some reason you do not want the server started after instance
creation
# the following line can be commented out - NOTE that if you are
creating the
# Configuration DS, it will be started anyway
$cgiargs{start_server} = 1;
As I understand it, a new standalone install will create the
configuration DS.
No, it won't.
I'm going to add a start_server option to the .inf file so you won't
have to hack ds_newinst.pl anymore.
Is it a problem that the server is started as a consequence of creating
the instance?
Aside from wanting a separate configure/start sequence, I would like
to
be able to modify the dse.ldif to fix up some parameters, and redo the
schema, before the slapd process starts.
You could do all of this with ldapmodify after the server starts, but . . .
For the parameter modification, another option might be to have a
'modify ldif' in addition to the 'initial ldif', but I still need a way
to clean out the schema.
. . . this would be quite hard to do with the existing .inf file +
ds_newinst.pl + ds_newinst (binary). The intention of ds_newinst.pl was
to just convert the .inf file format into the format used by the
ds_newinst binary (C code) which has a lot of code shared with ds_create
which is used to do a lot of admin server/console related stuff, in
addition to configuring the instance.
Thoughts?
I understand where you are coming from. With openldap, you just have to
provide your own hand tuned slapd.conf file - nothing else really is
required. That also controls what schema is loaded.
It's not so easy to do the same thing with fedora ds. For starters, the
dse.ldif file is much more complex (but in your case, there are only a
few options required to be tweaked). And the schema handling (i.e.
include /path/to/core.schema ; include /path/to/posix.schema) is
completely out of band with this process (well, not quite - you can
override the nsslapd-schemadir in cn=config).
So how would you like for this to work? What would be easiest for you?
Andrew Bartlett
------------------------------------------------------------------------
--
Fedora-directory-devel mailing list
Fedora-directory-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
4:02 p.m.
On Fri, 2007-02-23 at 08:49 -0700, Richard Megginson wrote:
Andrew Bartlett wrote:
> In working to have the Samba4 test environment configure fedora-ds. I'm
> using ds_newinst.pl, but it starts the DS once it is created.
>
> According to that script, I could modify it, but:
>
> # if for some reason you do not want the server started after instance
> creation
> # the following line can be commented out - NOTE that if you are
> creating the
> # Configuration DS, it will be started anyway
> $cgiargs{start_server} = 1;
>
> As I understand it, a new standalone install will create the
> configuration DS.
>
No, it won't.
I'm going to add a start_server option to the .inf file so you won't
have to hack ds_newinst.pl anymore.
Thanks
Is it a problem that the server is started as a consequence of
creating
the instance?
> Aside from wanting a separate configure/start sequence, I would like to
> be able to modify the dse.ldif to fix up some parameters, and redo the
> schema, before the slapd process starts.
>
You could do all of this with ldapmodify after the server starts, but . . .
> For the parameter modification, another option might be to have a
> 'modify ldif' in addition to the 'initial ldif', but I still need a
way
> to clean out the schema.
>
. . . this would be quite hard to do with the existing .inf file +
ds_newinst.pl + ds_newinst (binary). The intention of ds_newinst.pl was
to just convert the .inf file format into the format used by the
ds_newinst binary (C code) which has a lot of code shared with ds_create
which is used to do a lot of admin server/console related stuff, in
addition to configuring the instance.
> Thoughts?
>
I understand where you are coming from. With openldap, you just have to
provide your own hand tuned slapd.conf file - nothing else really is
required. That also controls what schema is loaded.
Yeah. It really does show that I did this on OpenLDAP first...
It's not so easy to do the same thing with fedora ds. For
starters, the
dse.ldif file is much more complex (but in your case, there are only a
few options required to be tweaked). And the schema handling (i.e.
include /path/to/core.schema ; include /path/to/posix.schema) is
completely out of band with this process (well, not quite - you can
override the nsslapd-schemadir in cn=config).
So, yes, I suppose I'm just trying to turn Fedora DS into OpenLDAP, one
step at a time :-)
So how would you like for this to work? What would be easiest for
you?
A few things would be useful:
Firstly, for the path to the ldapi socket to be part of the inf file, so
I can make it identical between the two supported servers (just makes my
life easier).
If I can't get that, then I need to be able to modify the dse.inf before
it starts.
Slightly adjunct to this, i need a way to prevent the DS from binding to
anything except the unix domain socket (for security). ie, no IPv4
ports.
For the ds to be configured, but not started, so I can can copy out the
default schema, and replace it with just the core schema, and samba4's
schema.
Once I do all that, I would like to start the server for the first time,
knowing I've got full control over it's parameters.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
4:28 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
Andrew Bartlett wrote:
Slightly adjunct to this, i need a way to prevent the DS from binding
to
anything except the unix domain socket (for security). ie, no IPv4
ports.
You _should_ be able to do this by specifying port 0
--
Pete
9:42 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
On Fri, 2007-02-23 at 14:28 -0800, Pete Rowley wrote:
Andrew Bartlett wrote:
> Slightly adjunct to this, i need a way to prevent the DS from binding to
> anything except the unix domain socket (for security). ie, no IPv4
> ports.
>
You _should_ be able to do this by specifying port 0
Nope, doesn't work (at least for ds_newisnt.pl).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
1:10 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
Andrew Bartlett wrote:
On Fri, 2007-02-23 at 14:28 -0800, Pete Rowley wrote:
> Andrew Bartlett wrote:
>
>> Slightly adjunct to this, i need a way to prevent the DS from binding to
>> anything except the unix domain socket (for security). ie, no IPv4
>> ports.
>>
>>
> You _should_ be able to do this by specifying port 0
>
Nope, doesn't work (at least for ds_newisnt.pl).
How does it fail? Logs?
Note you'll need at least one transport.
--
Pete
2:42 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
On Mon, 2007-02-26 at 11:10 -0800, Pete Rowley wrote:
Andrew Bartlett wrote:
> On Fri, 2007-02-23 at 14:28 -0800, Pete Rowley wrote:
>
>> Andrew Bartlett wrote:
>>
>>> Slightly adjunct to this, i need a way to prevent the DS from binding to
>>> anything except the unix domain socket (for security). ie, no IPv4
>>> ports.
>>>
>>>
>> You _should_ be able to do this by specifying port 0
>>
>
> Nope, doesn't work (at least for ds_newisnt.pl).
>
>
How does it fail? Logs?
Sorry, I know better than to be like that. ds_newinst.pl thinks that
the required parameter (ServerPort) isn't specified when it is set to 0.
Note you'll need at least one transport.
That I hoped would be ldapi://
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
4:50 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
Andrew Bartlett wrote:
On Mon, 2007-02-26 at 11:10 -0800, Pete Rowley wrote:
> Andrew Bartlett wrote:
>
>> On Fri, 2007-02-23 at 14:28 -0800, Pete Rowley wrote:
>>
>>
>>> Andrew Bartlett wrote:
>>>
>>>
>>>> Slightly adjunct to this, i need a way to prevent the DS from binding to
>>>> anything except the unix domain socket (for security). ie, no IPv4
>>>> ports.
>>>>
>>>>
>>>>
>>> You _should_ be able to do this by specifying port 0
>>>
>>>
>> Nope, doesn't work (at least for ds_newisnt.pl).
>>
>>
>>
> How does it fail? Logs?
>
Sorry, I know better than to be like that. ds_newinst.pl thinks that
the required parameter (ServerPort) isn't specified when it is set to 0.
Ah ok, try setting it to 0 via ldap then do a server restart - lets see
if at least the server is behaving.
> Note you'll need at least one transport.
>
That I hoped would be ldapi://
me too
Andrew Bartlett
------------------------------------------------------------------------
--
Fedora-directory-devel mailing list
Fedora-directory-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
--
Pete
7:10 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
On Mon, 2007-02-26 at 14:50 -0800, Pete Rowley wrote:
Andrew Bartlett wrote:
> On Mon, 2007-02-26 at 11:10 -0800, Pete Rowley wrote:
>
>> Andrew Bartlett wrote:
>>
>>> On Fri, 2007-02-23 at 14:28 -0800, Pete Rowley wrote:
>>>
>>>
>>>> Andrew Bartlett wrote:
>>>>
>>>>
>>>>> Slightly adjunct to this, i need a way to prevent the DS from
binding to
>>>>> anything except the unix domain socket (for security). ie, no IPv4
>>>>> ports.
>>>>>
>>>>>
>>>>>
>>>> You _should_ be able to do this by specifying port 0
>>>>
>>>>
>>> Nope, doesn't work (at least for ds_newisnt.pl).
>>>
>>>
>>>
>> How does it fail? Logs?
>>
>
> Sorry, I know better than to be like that. ds_newinst.pl thinks that
> the required parameter (ServerPort) isn't specified when it is set to 0.
>
>
Ah ok, try setting it to 0 via ldap then do a server restart - lets see
if at least the server is behaving.
It doesn't seem to work:
Editing dse.ldif manually to set a 0 port, I now get:
(console)
[27/Feb/2007:12:08:19 +1100] - Information: Non-Secure Port Disabled,
server only contactable via secure port
Server failed to start !!! Please check errors log for problems
(logs)
[27/Feb/2007:12:08:19 +1100] - Information: Non-Secure Port Disabled,
server only contactable via secure port
[27/Feb/2007:12:08:20 +1100] - Fedora-Directory/1.1.0a2 B2007.055.926
starting up
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
3:11 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
Andrew Bartlett wrote:
<snip>
A few things would be useful:
Firstly, for the path to the ldapi socket to be part of the inf file, so
I can make it identical between the two supported servers (just makes my
life easier).
If I can't get that, then I need to be able to modify the dse.inf before
it starts.
Slightly adjunct to this, i need a way to prevent the DS from binding to
anything except the unix domain socket (for security). ie, no IPv4
ports.
For the ds to be configured, but not started, so I can can copy out the
default schema, and replace it with just the core schema, and samba4's
schema.
ds_newinst requires the server to be started to add the default acis in
cn=config, cn=schema, cn=monitor and elsewhere. So if the server is not
started by ds_newinst, these acis will not be present, and the server
will have no access except for read only access to the root DSE. Is
this ok?
Once I do all that, I would like to start the server for the first
time,
knowing I've got full control over it's parameters.
Andrew Bartlett
------------------------------------------------------------------------
--
Fedora-directory-devel mailing list
Fedora-directory-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
3:40 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
On Tue, 2007-02-27 at 14:11 -0700, Richard Megginson wrote:
Andrew Bartlett wrote:
> <snip>
> A few things would be useful:
>
> Firstly, for the path to the ldapi socket to be part of the inf file, so
> I can make it identical between the two supported servers (just makes my
> life easier).
>
> If I can't get that, then I need to be able to modify the dse.inf before
> it starts.
>
> Slightly adjunct to this, i need a way to prevent the DS from binding to
> anything except the unix domain socket (for security). ie, no IPv4
> ports.
>
> For the ds to be configured, but not started, so I can can copy out the
> default schema, and replace it with just the core schema, and samba4's
> schema.
>
ds_newinst requires the server to be started to add the default acis in
cn=config, cn=schema, cn=monitor and elsewhere. So if the server is not
started by ds_newinst, these acis will not be present, and the server
will have no access except for read only access to the root DSE. Is
this ok?
I'll live. Any progress on the other parts of this (ServerPort 0, ldapi
path specification)?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
3:49 p.m.
New subject: [Fedora-directory-devel] Need to configure, but not start fedora-ds
Andrew Bartlett wrote:
On Tue, 2007-02-27 at 14:11 -0700, Richard Megginson wrote:
> Andrew Bartlett wrote:
>
>> <snip>
>> A few things would be useful:
>>
>> Firstly, for the path to the ldapi socket to be part of the inf file, so
>> I can make it identical between the two supported servers (just makes my
>> life easier).
>>
>> If I can't get that, then I need to be able to modify the dse.inf before
>> it starts.
>>
>> Slightly adjunct to this, i need a way to prevent the DS from binding to
>> anything except the unix domain socket (for security). ie, no IPv4
>> ports.
>>
>> For the ds to be configured, but not started, so I can can copy out the
>> default schema, and replace it with just the core schema, and samba4's
>> schema.
>>
>>
> ds_newinst requires the server to be started to add the default acis in
> cn=config, cn=schema, cn=monitor and elsewhere. So if the server is not
> started by ds_newinst, these acis will not be present, and the server
> will have no access except for read only access to the root DSE. Is
> this ok?
>
I'll live. Any progress on the other parts of this (ServerPort 0, ldapi
path specification)?
Yes. Testing now.
Andrew Bartlett
------------------------------------------------------------------------
--
Fedora-directory-devel mailing list
Fedora-directory-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
6264
days inactive
6269
days old
389-devel@lists.fedoraproject.org
11 comments
3 participants
participants (3)
-
Andrew Bartlett -
Pete Rowley -
Rich Megginson