slapd with cn=config - some suggestions
Mathias Gug
mathiaz at ubuntu.com
Tue Aug 26 02:31:07 UTC 2008
Hi,
On Tue, Aug 26, 2008 at 02:51:25AM +0200, P. Kaluza wrote:
> On the Debian side of things, this migration is still being prepared.
> One thing I am working currently on is a package shipping additional
> common LDAP schemas, as well as a script to load these into slapd on
> admin request.
>
> In the interest of brevity I'll just refer you to
> http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/2008-August/002980.html
> and
> http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/2008-August/003015.html
> for a design rationale.
>
> The script currently loads schemas into cn=config setups via slapadd,
> doing this via an LDAP connection is planned for the future if I can
> come up with a good infrastructure to authenticate this kind of connection.
Using slapadd is only safe when the slapd daemon is not running. This
use case is only found when the slapd package is being upgraded. So
supporting schema addition while slapd is running (via ldapadd) is
important. As for authentication, prompting for the administrator
credentials (dn & password) is the best option IMO.
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
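
The choice discussed in this thread (slapadd only while slapd is stopped, ldapadd with a prompted administrator bind otherwise), as an added example that is not part of the original message or of the Debian/Ubuntu packaging scripts. The function names, the `/etc/ldap/slapd.d` directory, the `ldapi:///` URI, the `pgrep` check and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example: load a schema LDIF into cn=config, choosing the tool by
# whether slapd is running. Paths and URI below are assumed defaults.
SLAPD_CONF_DIR="${SLAPD_CONF_DIR:-/etc/ldap/slapd.d}"   # assumed config dir
LDAP_URI="${LDAP_URI:-ldapi:///}"                       # assumed local socket

# Assumed liveness check; a pidfile test would serve equally well.
slapd_running() {
    pgrep -x slapd >/dev/null 2>&1
}

# load_schema LDIF [BINDDN]
# With DRY_RUN set, prints the command instead of executing it.
load_schema() {
    ldif=$1
    binddn=${2:-}
    [ -r "$ldif" ] || { echo "cannot read $ldif" >&2; return 2; }

    if slapd_running; then
        # Online: go through the LDAP protocol so slapd applies the change.
        # -W prompts for the password, keeping it out of argv, the process
        # list and shell history.
        [ -n "$binddn" ] || {
            echo "bind DN required while slapd is running" >&2
            return 2
        }
        set -- ldapadd -x -H "$LDAP_URI" -D "$binddn" -W -f "$ldif"
    else
        # Offline: slapadd writes database 0 (cn=config) directly.
        set -- slapadd -n 0 -F "$SLAPD_CONF_DIR" -l "$ldif"
    fi

    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage (placeholder arguments):
#   load_schema /path/to/schema.ldif "cn=admin,cn=config"
```

The liveness check and the slapadd call are not atomic, so a packaging script would still need to keep slapd from starting in between.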