On Thu, 30 Nov 2023 at 16:06, Bastian Tweddell
<b.twedd...@fz-juelich.de> wrote:
> Please also note [1]:
> ```
> The older style slapd.conf(5) file is still supported, but its use is
> deprecated and support for it will be withdrawn in a future OpenLDAP
> release.
> ```
> Is there already a roadmap for when this will happen?
I really hope this never happens.
The one and only advantage I see to OLC is that you can make some
changes on the fly, without restarting the server. But is this ever
necessary, or even advisable in a production environment?
In production, people want LDAP servers to be perfectly stable and
reliable software-as-an-appliance. They will run 10 (even 20) years
this way.
Production configuration should be immutable. The configuration should
not need to change from day to day within production. And even when it
does, if clients are configured correctly, there is the ability to
restart individual servers without impacting the entire service.
As for sync'ing cn=config, I've tried it. I don't see the advantage of
it over having one configuration file (or maybe one each for providers
and another for consumers) and then deploying each from source control,
and controlled with file signature monitoring, for extra security.
You can have the best of both worlds by enabling the config database,
but not converting to it. This "converts" your slapd.conf into the
memory-based OLC which can be updated on the fly, but not persisted. To
me this is the ideal, but then even still, within many of these setups,
I have never needed to use the OLC for on-the-fly changes, so in
retrospect, I do not see the necessity of this.
In summary, I see great value to continuing to support the slapd.conf
file-based config, especially for production, and I see a lot of risk
induced by deprecating it and forcing people to use OLC. OpenLDAP
project, would you please consider not deprecating slapd.conf?
Chris Paul | Rex Consulting | https://www.rexconsulting.net
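As an added illustration of the "enable the config database but do not convert to it" layout described in the message above (this is an example written for this page, not configuration from the thread or from the OpenLDAP project), here is a slapd.conf that keeps the static file as the source of truth while still exposing the running configuration under cn=config. The schema paths, pidfile locations, suffix, data directory and rootpw hashes are placeholder assumptions to be replaced for a real deployment.

```conf
# slapd.conf (added example; paths, suffix and the rootpw hashes are placeholders)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Enable the config backend so the running configuration is visible (and
# editable) under cn=config over LDAP.  Because slapd is started with
# "-f slapd.conf" and not "-F slapd.d", edits made through cn=config live
# only in memory: the file on disk stays the authoritative copy and the
# next restart re-reads it.  The rootdn of the config backend is cn=config.
database        config
rootdn          "cn=config"
rootpw          {SSHA}placeholder-generate-with-slappasswd
# Let the local root user manage cn=config over ldapi:// via SASL EXTERNAL
# (peer-credential mapping), and nobody else.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

# Ordinary data database, unchanged from a plain slapd.conf deployment.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}placeholder-generate-with-slappasswd
directory       /var/lib/openldap-data
maxsize         1073741824
index           objectClass eq
```

Before a file deployed from source control is put into service, it can be syntax-checked without touching any database with `slaptest -u -f /etc/openldap/slapd.conf`; once slapd is running (with an ldapi:// listener), `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` shows the in-memory view that the config backend exposes, which is what the message means by changes that can be applied on the fly but are not persisted.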