Adding schemas and acls to LDAP in a non-intrusive way
isaac at warp.es
Fri Feb 1 14:21:01 UTC 2008
I am working on the integration of eBox into Ubuntu and we are having a problem
adding schemas and acls to LDAP in a policy conformant way.
The first obvious option to do it is directly editing
/etc/ldap/slapd.conf; we would obviously ask for permission from the user
before doing so.
The second option would be having a mechanism such as the one that
in the Pkg OpenLDAP mailing list.
I guess this mechanism wasn't included in the Ubuntu packages because now slapd
supports a much nicer way to do such a thing using a configuration directory, as
described in the OpenLDAP documentation.
Our problem with using this approach is that by default Ubuntu won't read
from a directory, but from the old style /etc/ldap/slapd.conf file,
unless we edit /etc/default/slapd to set the SLAPD_CONF variable.
Right now we don't have any option to add schemas or acls to LDAP
a configuration file. We wonder if it would be possible to change the
default LDAP behaviour to use the new configuration style (after all that's
what upstream seems to want) or at least provide a way to enable it without
having to modify any configuration file (i.e., it checks for a
/etc/ldap/slapd.d/ directory and if it exists it uses it).
So the options we have are:
1) Just overwrite /etc/ldap/slapd.conf asking for permission
2) Add a mechanism to add schemas and acls like the one proposed by Soren
3) Modify /etc/default/slapd asking for permission so slapd uses the
directory configuration style
4) Modify the package so it uses the directory configuration style by
default or provides a way to enable it without messing with configuration
files.
So ... is 4) or 2) possible? Otherwise ... which of the other options
looks more reasonable?
Isaac Clerencia at Warp Networks, http://www.warp.es
Work: <isaac at warp.es> | Debian: <isaac at debian.org>
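
Option 4's check (use /etc/ldap/slapd.d/ when it exists, otherwise fall back to slapd.conf), written out as an added example that is not part of the original post or of the Ubuntu slapd package. The function name, the root-prefix argument and the cn=config.ldif presence test are assumptions; -f and -F are slapd's options for a configuration file and a configuration directory.

```shell
#!/bin/sh
# Added example: pick slapd's configuration source as option 4 describes.
# The root prefix is hypothetical; it lets the logic run against a scratch tree.

# Print the slapd option selecting the configuration, or return 1 if none is usable.
#   $1 = filesystem root prefix (empty for the real system)
#   $2 = value of SLAPD_CONF from /etc/default/slapd (may be empty)
slapd_conf_args() {
    root=$1
    conf=$2

    # An explicit administrator setting always wins.
    if [ -n "$conf" ]; then
        if [ -d "$root$conf" ]; then
            printf '%s\n' "-F $conf"
        elif [ -f "$root$conf" ]; then
            printf '%s\n' "-f $conf"
        else
            echo "SLAPD_CONF=$conf does not exist" >&2
            return 1
        fi
        return 0
    fi

    # No setting: prefer the directory, but only when it holds a cn=config
    # entry, so an empty or half-created slapd.d cannot shadow a working
    # slapd.conf and the ACLs defined there.
    if [ -f "$root/etc/ldap/slapd.d/cn=config.ldif" ]; then
        printf '%s\n' "-F /etc/ldap/slapd.d"
    elif [ -f "$root/etc/ldap/slapd.conf" ]; then
        printf '%s\n' "-f /etc/ldap/slapd.conf"
    else
        echo "no slapd configuration found" >&2
        return 1
    fi
}
```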