slapd with cn=config - some suggestions

P. Kaluza pk+debs at
Tue Aug 26 10:14:14 UTC 2008

[CCing pkg-openldap-devel to keep all discussion in one place - sorry 
should have done this sooner.]

Hi Mathias,

Mathias Gug wrote:
>> The script currently loads schemas into cn=config setups via slapadd, 
>> doing this via an LDAP connection is planned for the future if I can 
>> come up with a good infrastructure to authenticate this kind of connection.
> Using slapadd is only safe when the slapd daemon is not running.
That's why I stop slapd before the installation and restart it directly 

> So
> supporting schema addition while slapd is running (via ldapadd) is
> important. As for authentication, prompting for the administrator
> credentials (dn & password) is the best option IMO.
The question would be if it's OK to cache these somewhere - I would hate 
to ask that question repeatedly during one apt run.
Though this would only be a problem if other packages rely on the 
update-ldap-schema script to install their schemas.
So I guess I shouldn't worry about it ATM.
(Maybe at a later point in time, the admin will have Kerberos 
credentials anyhow.)

Doing this online would have another advantage: it becomes easier to do 
schema updates (adding attributes, changing objectclasses) while keeping 
the cn=config tree consistent. But, on the other hand, it becomes 
completely impossible to remove schemas, even at explicit administrator 

Then again, the current implementation of offline removal is pretty 
flaky anyhow.

So I guess I need to collect some more opinions on "best practices". I 
would be fine with disallowing the removal of an already-installed 
schema completely, if nobody else misses it. (This would ensure 
consistency with ACLs etc.) But I'm not sure what Debian policy has to 
say about that.

