Hi David, hi Alan,
I have nearly the same approach, well done on these scripts ;) (I did about
the same).
But don't you think it would be far easier to do this kind of thing:
* remove-ds-admin.pl -y -f -y
* yum remove -y 389-ds-base-base-libs
* yum install 389-ds 389-admin 389-adminutil
* setup-ds-admin.pl -s -f /tmp/ldap.inf
* stuff...
But that would be a 389-ds task
Regards,
2016-01-10 18:54 GMT+01:00 David Barr <dafydd(a)dafydd.com>:
I have a straight-up bash script at
https://github.com/dafydd2277/systemAdmin/blob/master/ldap/99_389dsCleanI... that
does exactly this. You're welcome to use it as a starting point.
David
On Jan 10, 2016, at 08:43, Charlie Mordant <cmordant1(a)gmail.com> wrote:
Hi census experts!
First, I wanted to thank you for that wonderful technology, providing
a secure (tls ready, acl ready, clusterable) product: you're the only one
driving annuary (directory) as mature as this.
I'm encountering an untraditional issue: I'm trying to make a kind of
cloud service all ldap centric: all my services are consuming ldap to give
user credentials (jenkins, webmail, nexus, etc...).
I'm able to make a first-time ldap installation that fits all my needs but
not able to make it repeatable.
The issues are that:
* docker images are really difficult to tackle:
the main parts are on the same db: netscaperoot things, ssl
configuration, maxbersize, as well as the users db (dc=mydn, dc=people), so
splitting concerns is difficult.
* remove-ds.pl then setup-ds.pl does not make admin-ds recognizable
within the new ldap.
* remove-ds-admin.pl removes some rpm mandatory files, so yum erase
(389-ds-base, 389-admin, 389-adminutil), yum install is mandatory (but it
looks like it's not sufficient, and can cause some side effects: removing
other deps).
So how can I make a repeatable 389 install?
What I want to achieve:
* Install a 389 server importing a personal CA and certs
* Securing access (my cloud has prices depending on the number of users)
so my cloud adds users to 'dc=mycompany,ou=people, ou=company' but company
can add users to 'dc=mycompany,ou=people, ou=webmail,ou=contacts'
* Making it repeatable (exporting contacts data, yum erase 389-ds, yum
install 389-ds then configure stuff and importing contacts data should
lead to the same result as before), and I'm not able to do that after 3
months of work.
I have a sample Opscode Chef recipe mounting all this stuff, but
re-provisioning the machine leads to errors. I can give access to one of your
devs if wanted.
Can 389 be improved to uninstall ds then reinstall an installation
(without the admin things) and be as complete as before?
Best regards
--
Charlie Mordant
Full OSGI/EE stack made with Karaf:
https://github.com/OsgiliathEnterprise/net.osgiliath.parent
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
--
David - Offbeat
dafydd - Online
http://pgp.mit.edu/
----5----1----5----2----5----3----5----4----5----5----5----6----5----7--
The most dangerous phrase is, 'We've always done it this way.' –RADM Grace
Hopper