slapd with cn=config - some suggestions
pk+debs at yomu.de
Tue Aug 26 11:14:14 BST 2008
[CCing pkg-openldap-devel to keep all discussion in one place - sorry
should have done this sooner.]
Mathias Gug wrote:
>> The script currently loads schemas into cn=config setups via slapadd,
>> doing this via an LDAP connection is planned for the future if I can
>> come up with a good infrastructure to authenticate this kind of connection.
> Using slapadd is only safe when the slapd daemon is not running.
thats why I stop slapd before the installation and restart it directly
> supporting schema addition while slapd is running (via ldapadd) is
> important. As for authentication, prompting for the administrator
> credentials (dn & password) is the best option IMO.
The question would be if it's OK to cache these somewhere - I would hate
to ask that question repeatedly during one apt run.
Though this would only be a problem if other packages rely on the
update-ldap-schema script to install their schemas.
So i guess I shouldn't worry about it ATM.
(Maybe at a later point in time, the admin will have kerberos
Doing this online would have another advantage: it becomes easier to do
schema updates (adding attributes, changing objectclasses) while keeping
the cn=config tree consistent. But, on the other hand, it becomes
completely impossible to remove schemas, even at explicit administrator
Then again, the current implementation of offline removal is pretty
So I guess I need to collect some more opinions on "best practices". I
would be fine with disallowing the removal of an already-installed
schema completely, if nobody else misses it. (This would ensure
consistency with ACLs etc.) But I'm not sure what Debian policy has to
say about that.
More information about the ubuntu-server