Quanah, all of this is with due respect - I really appreciate how much time
you've put into this project.

> They were never a multi-line string in slapd.conf, either. You could just
> format things to pretend they were multi-line strings.

But this is irrelevant within the scope of usability. As far as the sysadmin is
concerned, slapd.conf allowed multi-line strings for ACLs and schemas. This
yielded great readability as shown in the screenshots in the original message.

> I use Net::LDAP perl module to handle ACL updates. It's quite simple. The
> same thing could likely be done in python. Plus replacing an entire ACL in
> cn=config is trivial, since you can delete the existing ACL using the {#}
> value, and you can insert new ACLs trivially but using a weight of where you
> want to insert it.

I don't think writing a custom LDAP client is "simple". Or, as David
Blank-Edelman requests, perhaps you have some example code showing how simple
it is? I have written LDAP scripts in Perl, Python, and PHP - so I'm not asking
as a newbie. I'm having trouble imagining this being any more user-friendly
than a decent LDAP client like Apache Directory Studio - which still isn't as
readable as ACL .conf files. One could always pay special attention to the
script's output/UI to make it more readable, but that's not trivial; I think
something good would require ACL and schema parsing.

> You can optionally enable this at build time in OpenLDAP 2.4.30 for testing.
> As it is an experimental feature, YMMV.

I have seen that in various threads. I'm happy to test it, but primarily I'm
interested in cn=config entry deletion being a stable feature eventually. Just
my $0.02.
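
The delete-by-`{#}` and insert-by-weight update described in the quoted reply, as an added example that is not part of this e-mail or of either poster's code: a Python script that turns a readable multi-line ACL into the LDIF that `ldapmodify` would apply. The database DN, the index and the sample ACL are constructed assumptions.

```python
# Assumed database entry; substitute the DN of the database being edited.
DB_DN = "olcDatabase={1}hdb,cn=config"

# Constructed sample: an ACL laid out slapd.conf-style across several lines.
READABLE_ACL = """
to attrs=userPassword
    by self write
    by anonymous auth
    by * none
"""


def collapse_acl(text):
    """Join a multi-line ACL into the single-line value cn=config stores.

    Assumes no quoted value in the ACL relies on runs of whitespace,
    because every whitespace run is collapsed to one space.
    """
    value = " ".join(text.split())
    if not value.startswith("to "):
        raise ValueError("an ACL must start with 'to '")
    return value


def fold(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def replace_acl_ldif(dn, index, readable_acl):
    """Build LDIF that deletes olcAccess {index} and inserts a new ACL there."""
    if index < 0:
        raise ValueError("index must be non-negative")
    value = collapse_acl(readable_acl)
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "delete: olcAccess",
        f"olcAccess: {{{index}}}",        # delete by position only
        "-",
        "add: olcAccess",
        f"olcAccess: {{{index}}}{value}",  # weight places it at that position
    ]
    return "\n".join(fold(line) for line in lines) + "\n"


if __name__ == "__main__":
    print(replace_acl_ldif(DB_DN, 2, READABLE_ACL), end="")
```

Both changes travel in one modify operation, so the ACL at that position is swapped rather than left missing if the add is rejected.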