I have a straight up bash script at
https://github.com/dafydd2277/systemAdmin/blob/master/ldap/99_389dsCleanInstall.sh
that does exactly this. You're welcome to use it as a starting point.

David


> On Jan 10, 2016, at 08:43, Charlie Mordant <[email protected]> wrote:
> 
> Hi census experts!
> 
> At first, I wanted to thank you for that wonderful technology, providing a
> secure (TLS-ready, ACL-ready, clusterable) product: you're the only one
> driving an annuary (directory) as mature as this.
> 
> I'm encountering an untraditional issue: I'm trying to make a kind of cloud
> service that is all LDAP-centric: all my services consume LDAP for user
> credentials (Jenkins, webmail, Nexus, etc.).
> 
> I'm able to make a first-time LDAP installation that fits all my needs, but
> I'm not able to make it repeatable.
> 
> The issues are that:
> * Docker images are really difficult to tackle: the main parts are in the
>   same DB (the NetscapeRoot things, SSL configuration, maxbersize, as well
>   as the users DB (dc=mydn, dc=people)), so splitting concerns is difficult.
> * remove-ds.pl then setup-ds.pl does not make admin-ds recognizable within
>   the new LDAP.
> * remove-ds-admin.pl removes some RPM-mandatory files, so yum erase
>   (389-ds-base, 389-admin, 389-adminutil) then yum install is mandatory
>   (but it looks like it's not sufficient, and can cause some side effects:
>   removing other deps).
> 
> So how can I make a repeatable 389 install?
> What I want to achieve:
> * Install a 389 server importing a personal CA and certs
> * Securing access (my cloud has prices depending on the number of users), so
>   my cloud adds users to 'dc=mycompany,ou=people, ou=company' but the company
>   can add users to 'dc=mycompany,ou=people, ou=webmail,ou=contacts'
> * Making it repeatable (exporting contacts data, yum erase 389-ds, yum
>   install 389-ds, then configuring stuff and importing contacts data should
>   lead to the same result as before), and I'm not able to do that after 3
>   months of work.
> 
> I have a sample Opscode Chef recipe mounting all this stuff, but
> re-provisioning the machine leads to errors; I can give access to one of
> your devs if wanted.
> 
> Can 389 be improved to uninstall ds, then reinstall an installation
> (without the admin things) that is as complete as before?
> 
> 
> Best regards
> 
> --
> Charlie Mordant
> 
> Full OSGI/EE stack made with Karaf:
> https://github.com/OsgiliathEnterprise/net.osgiliath.parent
> --
> 389 users mailing list
> 389-users@%(host_name)s
> http://lists.fedoraproject.org/admin/lists/[email protected]

--

David - Offbeat
dafydd - Online         http://pgp.mit.edu/

The most dangerous phrase is, 'We've always done it this way.' –RADM Grace 
Hopper
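An added example of the export / remove / silent reinstall / import cycle Charlie describes; it is not David's linked script and not 389-ds project code. It assumes the EL7-style instance layout under /usr/lib64/dirsrv and the dirsrv@<instance> systemd unit, and the hostname, instance name, suffix, backup paths and password are placeholders.

```shell
#!/bin/bash
# Added example (not David's linked script, not 389-ds project code): one
# repeatable 389-ds reinstall cycle driven by a silent setup-ds.pl answer file.
set -euo pipefail

# Render the setup-ds.pl answer file. Keeping this text under version control
# (password injected from a secret store) is what makes the install repeatable:
# the same file always yields the same instance. Values below are placeholders.
render_setup_inf() {
  local fqdn="$1" inst="$2" suffix="$3" dm_pw="$4"
  cat <<EOF
[General]
FullMachineName= ${fqdn}
SuiteSpotUserID= dirsrv
SuiteSpotGroup= dirsrv
[slapd]
ServerPort= 389
ServerIdentifier= ${inst}
Suffix= ${suffix}
RootDN= cn=Directory Manager
RootDNPwd= ${dm_pw}
AddSampleEntries= No
EOF
}
# Export userRoot, remove the instance, recreate it from the answer file and
# re-import. Only setup-ds.pl is used (no admin server), which sidesteps the
# remove-ds-admin.pl / RPM file problem described in the thread.
reinstall_389ds() {
  local fqdn="$1" inst="$2" suffix="$3" dm_pw="$4"
  local inst_dir="/usr/lib64/dirsrv/slapd-${inst}"
  local backup="/var/tmp/${inst}-userRoot.ldif"
  local inf="/var/tmp/${inst}-setup.inf"
  if [ -x "${inst_dir}/db2ldif" ]; then             # existing instance: export it
    "${inst_dir}/db2ldif" -n userRoot -a "$backup"
    remove-ds.pl -f -i "slapd-${inst}"
  fi
  (umask 077; render_setup_inf "$fqdn" "$inst" "$suffix" "$dm_pw" > "$inf")
  setup-ds.pl --silent --file="$inf"
  rm -f "$inf"                                       # answer file holds the password
  if [ -s "$backup" ]; then                          # ldif2db needs a stopped server
    systemctl stop "dirsrv@${inst}"
    "${inst_dir}/ldif2db" -n userRoot -i "$backup"
    systemctl start "dirsrv@${inst}"
  fi
}
# Run the cycle only when asked explicitly: ./reinstall-389ds.sh --run
if [ "${1:-}" = "--run" ]; then
  reinstall_389ds ldap.example.test example "dc=example,dc=test" "CHANGE-ME"
fi
```

The CA and server certs, and the ACIs for the two ou=people subtrees, would be applied after setup-ds.pl as further idempotent steps in the same script.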
