eBox configuration management
Martin Pitt
martin.pitt at ubuntu.com
Thu Jul 26 10:41:41 BST 2007
Hi Soren,

Soren Hansen [2007-07-26 10:14 +0200]:
> > > * We don't have to have intimate knowledge of each config file (which
> > > we'd need to be able to make sure that any changes we make to
> > > existing config files will result in e.g. a slapd instance that
> > > behaves the way eBox expects it to).
> >
> > Indeed this is a tricky problem to overcome, but the problems that
> > we'll get when not doing it are far worse IMHO.
> >
> > I think there are some ways to mitigate this problem, though. After
> > all, debconf-based configuration has the very same problem, and the
> > common practice is to have the package ship static conffiles with
> > defaults which work everywhere, and factor out the variable bits into
> > a default file which is managed by the maintainer scripts and trivial
> > to parse/write. This approach should work equally well for ebox, I
> > think.
>
> Well.. Yes. The problem just doesn't lie within eBox's configuration, but
> rather (e.g.) slapd.conf. The default slapd config does not (AFAICS)
> provide any simple means for adding new schemas and/or ACLs. I'm
> thinking of adding an "include /etc/ldap/schemas/extras.conf" line to the
> default slapd and provide an update-slapd-schemas script that
> adds/removes include lines to that file. That would make it trivially
> easy for eBox to add/remove new schemas. Something similar would be done
> for ACLs.

Ah, it seems that slapd is particularly nasty to configure then :-/ .
Your solution sounds good to me indeed, and would not only make it
easier/possible to configure it with ebox, but probably also easier to
configure it by hand or with debconf.

This might be more work initially, but I still believe it will pay off
in the long term, especially if we can convince Debian to adopt the
configuration scheme changes.

> > Given our use case for ebox, I think it is absolutely adequate if ebox
> > checks for modified conffiles [1] and refuses to change it if it was
> > modified by the admin (either 'at all', or where possible, 'in a way
> > that ebox cannot handle').
>
> Yes, I was working on a patch that could determine if the
> /etc/ldap/slapd.conf on the system was the one the slapd postinst script
> had put there (removing the base dn and comparing md5sums), and if not,
> refuse to install the base ebox ldap module. That combined with the
> above changes to the slapd package would make me sleep well at night, I
> think.

... and me too. :-)

Thanks a lot for your work on this!

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
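
Added example, not part of the original message and not Soren's patch: a sketch of the check discussed in the thread, which factors the base DN out of an installed slapd.conf and compares its md5sum with the packaged template before letting a tool manage the file. The `@SUFFIX@` token, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumptions: the template marks the base DN with the token @SUFFIX@, and the
# installed file declares its base DN in a `suffix "<dn>"` directive.

# Print the base DN declared by the first `suffix` directive of file $1.
base_dn() {
    sed -n 's/^suffix[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print file $1 with every occurrence of its own base DN replaced by @SUFFIX@.
normalize_conf() {
    dn=$(base_dn "$1")
    [ -n "$dn" ] || { cat "$1"; return; }
    # Escape characters that are special in a sed pattern.
    esc=$(printf '%s' "$dn" | sed 's/[][\\/.*^$]/\\&/g')
    sed "s/$esc/@SUFFIX@/g" "$1"
}

# Return 0 if installed file $1 equals template $2 apart from the base DN.
conf_is_pristine() {
    got=$(normalize_conf "$1" | md5sum | cut -d' ' -f1)
    want=$(md5sum < "$2" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# Write constructed sample files into directory $1 (not the real slapd template).
make_samples() {
    printf '%s\n' 'include /etc/ldap/schema/core.schema' 'suffix "@SUFFIX@"' \
        'access to * by dn="cn=admin,@SUFFIX@" write by * read' > "$1/template"
    sed 's/@SUFFIX@/dc=example,dc=com/g' "$1/template" > "$1/untouched"
    { cat "$1/untouched"; echo 'include /etc/ldap/schema/local.schema'; } > "$1/edited"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in untouched edited; do
    if conf_is_pristine "$tmp/$f" "$tmp/template"; then
        echo "$f: matches template, safe to manage"
    else
        echo "$f: locally modified, refusing to touch it"
    fi
done
rm -rf "$tmp"
```

The md5sum here only detects local edits by the admin, as in the thread; it is an equality check, not an integrity guarantee against a deliberate attacker.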