Russell Miller wrote:

OK, I run a moderate sized LDAP system that I inherited. It's been
broken to one degree or another for literally years and it's my task
to fix it. I've already upgraded every single server to redhat-ds 8,
and am in the process of nailing down a few bugs that we have never
been able to address. Not being able to change expired passwords, etc.

I would like to integrate setup with, say, puppet. I would like to be
able to say "OK, here's a host, let's build a working LDAP setup,
*without human intervention*." It seems to be impossible. Many
steps I can't do except for through the GUI, the SSL key setup (which
I can do via command line using certutil though it doesn't seem to be
documented and I don't know yet how to do a request) is very awkward,
and basically setting up a new server is currently an intensely manual
I don't like this.

I would like a command line utility of some kind where I can do
everything the admin gui can do - turning options on and off, etc.
And I would like just one tool, not having to go around to all sorts
of different places and change entries here and there. I know it can
be done because the gui does it. How about making it admin friendly?
Or am I missing something and it's already there?

You can do everything from the command line, including everything the
GUI does. The documentation describes how to do a task with the GUI and
how to do that same task with the command line in most cases [1]. If
you need more information about the configuration entries and
attributes, we have a reference manual [2]. The crypto/SSL commands are
not well documented, but you can use the -H argument to get some help
with certutil, pk12util, and modutil, as well as the examples on the

If you decide to go this route, I strongly encourage you to use a
scripting language. I prefer python and python-ldap - you can do a
great deal of work quickly with these. I've also used perl in the
past. If you're interested, I have a collection of scripts I use to
perform various tasks.

Unfortunately, there is not one single command you can use to do
everything (e.g. dsadmin setupreplication host1 host2 or something like
that). The freeipa.org project has been established to make LDAP, NIS,
Kerberos, and eventually SSL easy to set up and deploy. While they may
not have all of the pieces, they have come a long way, and depending on
what your deployment looks like, you might be able to use freeipa.org
to easily and quickly set up your environment. http://www.freeipa.org/

1 - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html
2 - http://www.redhat.com/docs/manuals/dir-server/cli/8.0/index.html
3 - http://directory.fedoraproject.org/wiki/Howto:SSL
Fedora-directory-users mailing list
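
An added example, not part of the original thread and not one of the scripts mentioned in the reply: a minimal sketch of driving the SSL configuration without the GUI by generating the LDIF a provisioning tool such as puppet could feed to ldapmodify. It uses only the Python standard library instead of python-ldap so it runs offline. The entry and attribute names (nsslapd-security, nsslapd-secureport, cn=RSA,cn=encryption,cn=config and its nsSSL* attributes) are the directory server's configuration schema as assumed here for a fresh instance; the nickname "Server-Cert" and the function names are illustrative.

```python
import base64


def ldif_line(attr, value):
    """Render one attribute line. Values that are not an RFC 2849
    SAFE-STRING are base64-encoded, so an embedded newline in a
    templated value cannot inject extra LDIF lines."""
    raw = value.encode("utf-8")
    unsafe = (
        raw[:1] in (b" ", b":", b"<")
        or raw.endswith(b" ")
        or any(b in (0, 10, 13) or b > 127 for b in raw)
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {value}"


def tls_enable_ldif(cert_nickname, secure_port=636):
    """Return LDIF that turns on TLS for a fresh instance.
    Assumption: the RSA encryption-module entry does not exist yet."""
    if not cert_nickname.strip():
        raise ValueError("certificate nickname must not be empty")
    if not 1 <= secure_port <= 65535:
        raise ValueError("secure port out of range")
    out = ["dn: cn=config", "changetype: modify"]
    for attr, value in (("nsslapd-security", "on"),
                        ("nsslapd-secureport", str(secure_port))):
        out += [f"replace: {attr}", ldif_line(attr, value), "-"]
    out += ["",
            "dn: cn=RSA,cn=encryption,cn=config",
            "changetype: add",
            "objectClass: top",
            "objectClass: nsEncryptionModule",
            "cn: RSA",
            ldif_line("nsSSLPersonalitySSL", cert_nickname),
            "nsSSLToken: internal (software)",
            "nsSSLActivation: on",
            ""]
    return "\n".join(out)


if __name__ == "__main__":
    # "Server-Cert" is a sample nickname for a certificate already
    # imported into the instance's NSS database with certutil.
    print(tls_enable_ldif("Server-Cert"), end="")
```

The server has to be restarted after the change is applied before it listens on the secure port.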