[Fedora-directory-users] can I ditch the gui?

Rich Megginson rmeggins at redhat.com
Tue Aug 12 15:50:24 UTC 2008


Russell Miller wrote:
>
> Hi all,
>
> OK, I run a moderate sized LDAP system that I inherited.  It's been 
> broken to one degree or another for literally years and it's my task 
> to fix it.  I've already upgraded every single server to redhat-ds 8, 
> and am in the process of nailing down a few bugs that we have never 
> been able to address.  Not being able to change expired passwords, etc.
>
> I would like to integrate setup with, say puppet.  I would like to be 
> able to say "OK, here's a host, let's build a working LDAP setup, 
> *without human intervention*.".  It seems to be impossible.  Many 
> steps I can't do except for through the GUI, the SSL key setup (which 
> I can do via command line using certutil though it doesn't seem to be 
> documented and I don't know yet how to do a request) is very awkward, 
> and basically setting up a new server is currently an intensely manual 
> process.
>
> I don't like this.
>
> I would like a command line utility of some kind where I can do 
> everything the admin gui can do - turning options on and off, etc.  
> And I would like just one tool, not having to go around to all sorts 
> of different places and change entries here and there.  I know it can 
> be done because the gui does it.  How about making it admin friendly?
>
> Or am I missing something and it's already there?
You can do everything from the command line, including everything the 
GUI does.  The documentation describes how to do a task with the GUI and 
how to do that same task with the command line in most cases [1].  If 
you need more information about the configuration entries and 
attributes, we have a reference manual [2].  The crypto/SSL commands are 
not well documented, but you can use the -H argument to get some help 
with certutil, pk12util, and modutil, as well as the examples on the 
wiki [3].

If you decide to go this route, I strongly encourage you to use a 
scripting language.  I prefer python and python-ldap - you can do a 
great deal of work quickly with these.  I've also used perl in the 
past.  If you're interested, I have a collection of scripts I use to 
perform various tasks.

Unfortunately, there is not one single command you can use to do 
everything (e.g. dsadmin setupreplication host1 host2 or something like 
that).  The freeipa.org project has been established to make LDAP, NIS, 
Kerberos, and eventually SSL easy to set up and deploy.  While they may 
not have all of the pieces, they have come a long way, and depending on 
what your deployment looks like, you might be able to use freeipa.org to 
easily and quickly set up your environment.  http://www.freeipa.org/

1 - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html
2 - http://www.redhat.com/docs/manuals/dir-server/cli/8.0/index.html
3 - http://directory.fedoraproject.org/wiki/Howto:SSL
>
> Thanks,
>
> --Russell