Adding schemas and acls to LDAP in a non-intrusive way

Isaac Clerencia isaac at
Fri Feb 1 14:21:01 UTC 2008

Hi there!

I am working on the integration of eBox into Ubuntu and we are having a problem adding schemas and ACLs to LDAP in a policy-conformant way.

The first obvious option is to directly edit /etc/ldap/slapd.conf; we would obviously ask the user for permission before doing so.

The second option would be a mechanism such as the one Soren proposed on the Pkg OpenLDAP mailing list[0].

I guess this mechanism wasn't included in the Ubuntu packages because now slapd
supports a much nicer way to do such a thing using a configuration directory, as
described in the OpenLDAP documentation[1].

Our problem with using this approach is that by default Ubuntu won't read the configuration from a directory, but from the old-style /etc/ldap/slapd.conf file, unless we edit /etc/default/slapd to set the SLAPD_CONF variable.

Right now we don't have any option to add schemas or ACLs to LDAP without touching a configuration file. We wonder if it would be possible to change the default LDAP behaviour to use the new configuration style (after all, that's what upstream seems to want), or at least to provide a way to enable it without having to modify any configuration file (i.e., slapd checks for a /etc/ldap/slapd.d/ directory and uses it if it exists).

So the options we have are:
1) Just overwrite /etc/ldap/slapd.conf, asking for permission
2) Add a mechanism to add schemas and ACLs like the one proposed by Soren
3) Modify /etc/default/slapd, asking for permission, so slapd uses the directory configuration style
4) Modify the package so it uses the directory configuration style by default, or provides a way to enable it without messing with configuration files

So... is 4) or 2) possible? Otherwise, which of the other options looks more reasonable?

Best regards

Isaac Clerencia at Warp Networks,
Work: <isaac at>   | Debian: <isaac at>
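As an added illustration (not part of Isaac's mail, nor eBox or Ubuntu package code), the script below does two things the mail talks around: it works out which configuration source slapd would use, following the /etc/default/slapd SLAPD_CONF variable and, when that is unset, the "use slapd.d if it exists" fallback proposed as option 4 (an assumption of this example, not current package behaviour), and it builds the LDIF that would add an ACL through the cn=config directory style instead of editing slapd.conf. The defaults file and LDAP directory are passed as arguments so it can be exercised against a constructed test tree; the database DN `olcDatabase={1}hdb,cn=config` and the sample ACL are constructed values for the example.

```shell
#!/bin/sh
# Added example: locate slapd's configuration source and generate a cn=config
# ACL change, without touching any real file under /etc.

# slapd_config_source DEFAULTS_FILE LDAP_DIR
#   Prints "dir:<path>" when the directory (slapd.d) style is in effect and
#   "file:<path>" when the old slapd.conf style is. DEFAULTS_FILE stands in for
#   /etc/default/slapd and LDAP_DIR for /etc/ldap.
slapd_config_source() {
    defaults="$1"
    ldapdir="$2"
    conf=""
    # /etc/default/slapd is a shell fragment; pick SLAPD_CONF out of it with
    # grep rather than sourcing it, so nothing in the file gets executed.
    if [ -r "$defaults" ]; then
        conf=$(grep '^[[:space:]]*SLAPD_CONF=' "$defaults" | tail -n 1 \
               | cut -d= -f2- | tr -d "\"'")
    fi
    if [ -z "$conf" ]; then
        # Assumed fallback (option 4 in the mail): prefer slapd.d when it
        # exists, otherwise the old-style slapd.conf.
        if [ -d "$ldapdir/slapd.d" ]; then
            conf="$ldapdir/slapd.d"
        else
            conf="$ldapdir/slapd.conf"
        fi
    fi
    if [ -d "$conf" ]; then
        echo "dir:$conf"
    else
        echo "file:$conf"
    fi
}

# acl_ldif DATABASE_DN ACL [INDEX]
#   Prints the LDIF that adds one olcAccess value to a cn=config database
#   entry. olcAccess values are ordered by their {n} prefix and evaluated
#   first-match, so INDEX (default 0, i.e. first) decides where the rule lands.
acl_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: olcAccess\nolcAccess: {%s}%s\n' \
        "$1" "${3:-0}" "$2"
}

# Stand-alone usage: ./slapd-config.sh /etc/default/slapd /etc/ldap
if [ "$#" -eq 2 ]; then
    slapd_config_source "$1" "$2"
    # Constructed ACL: only the entry itself may change its password, and it
    # is never readable, so a misplaced rule cannot expose password hashes.
    acl_ldif 'olcDatabase={1}hdb,cn=config' \
        'to attrs=userPassword by self write by anonymous auth by * none' 0
fi
```

The point of checking the source first is that an ACL written to the wrong place silently never takes effect: with SLAPD_CONF pointing at slapd.d, edits to slapd.conf are ignored, and with slapd.conf in use a cn=config LDIF has no database to apply to. Once the directory style is confirmed, the generated LDIF is applied on Debian and Ubuntu systems as root with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, and the change is live without a restart.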
