UDS Maverick: Call for Blueprints for Ubuntu Server

Andreas Hasenack andreas at canonical.com
Wed Apr 28 17:32:27 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/28/2010 02:16 PM, Mark Foster wrote:
> On 04/28/2010 09:45 AM, Andreas Hasenack wrote:
>> with reasonable default ACLs, on which new LDAP
>> administrators could build on and have a starting place for whatever
>> setup they wanted
> Do you or will you consider having phpldapadmin as part of this 
> "starting place"

I don't know, I kind of think that phpldapadmin could have its own
bootstrapping/dit if it were pointed to a clean directory. I would like
to stay as frontend-agnostic as possible.

> Because administering LDAP from the command line can have a quite steep 
> learning curve vs. using the (web) GUI once the dir server is ready for 
> that.

Having said that, I would certainly be interested in problems with my
DIT and phpldapadmin or any other tool out there. I can think of one
already which might break stuff out there, and that is the choice of
groups I made, which follows RFC2307bis and not RFC2307. Not all tools
can cope with that (like smbldaptools, although it's trivial to fix it).

> Also, if LDAP is to be integrated for the DNS, powerdns 
> (pdns-backend-ldap) does pretty well.

Could be. I guess I could have a different ldif for each dns
implementation, with its own schema.

In fact, one of the things we talked about in the past UDSs, and which
was done on the slapd package, is to make it so that other packages
could hook into slapd and fill it with their schema and trees. This is
possible because of the LDAPI authentication we have in place, which
maps root (unix id 0) to the ldap admin, so any client that runs as root
and connects to the LDAPI socket will be the ldap admin. Thus a package
would be able to, say, inspect the existing schema, upload its own, etc.
Think about that pdns-backend-ldap package asking in its postinst for
permission to configure the locally running ldap server for its needs,
for example (with the default answer being "no, don't do that").

While some (most?) seasoned ldap admins would run away crying just by
the thought of that, surely LDAP newbies would appreciate it.

- -- 
Andreas Hasenack
andreas at canonical.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvYcSkACgkQeEJZs/PdwpBroACfbQbqBPtax4HhAyuZJ5wM2dAI
6jUAnRpmlB+C3d22VMOjFuSwzWKrQQrm
=McG6
-----END PGP SIGNATURE-----
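The mechanism described above (a root client on the LDAPI socket being treated as the directory admin, and a package postinst using that to load its own schema only after asking permission, default "no") as an added example. This is not code from the slapd package or from the message's author. It assumes slapd grants the root peercred identity "manage" rights through an olcAccess rule on cn=config (the Debian/Ubuntu slapd default), and the debconf answer, the schema file /etc/ldap/schema/pdns.ldif and its schema cn "pdns" are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the slapd package: how a package postinst could hook
# into the local slapd over LDAPI, where a uid 0 client is the directory admin.
# Hypothetical placeholders: the debconf answer passed in, SCHEMA_LDIF, SCHEMA_CN.
set -e

LDAPI='ldapi:///'
# SASL identity slapd derives from the Unix peer credentials of a uid 0 client.
ROOT_PEERCRED_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
# The same DN as an extended regex ('+' escaped).
ROOT_PEERCRED_RE='gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth'
# An olcAccess clause that gives that identity manage (or write) rights.
ROOT_MANAGE_RE="by dn\\.exact=\"?${ROOT_PEERCRED_RE}\"? +(manage|write)( |\$)"

SCHEMA_LDIF='/etc/ldap/schema/pdns.ldif'   # hypothetical schema to load
SCHEMA_CN='pdns'                           # hypothetical cn of that schema

# LDIF folds values longer than 76 columns onto continuation lines that start
# with one space; join them so every attribute value is on a single line.
unwrap_ldif() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" } { printf "%s", $0 }
         END { if (NR) printf "\n" }'
}

# Reads unwrapped LDIF (or bare olcAccess values) on stdin; succeeds if any
# line grants the root peercred identity manage/write. Pure text check, so it
# works on constructed input as well as on live ldapsearch output.
acl_grants_root_manage() {
    grep -Eq "$ROOT_MANAGE_RE"
}

# Only an explicit "true" (what debconf returns for a boolean) proceeds;
# an unset or any other answer means "no, don't touch the directory".
may_configure() {
    [ "${1:-false}" = "true" ]
}

# Ask the running slapd who it thinks we are over the socket. Needs live slapd.
we_are_root_over_ldapi() {
    [ "$(ldapwhoami -Q -Y EXTERNAL -H "$LDAPI" 2>/dev/null)" = "dn:$ROOT_PEERCRED_DN" ]
}

# Dump the config database's ACLs and verify root really gets manage there,
# instead of assuming the packaging default is still in place. Needs live slapd.
config_grants_root_manage() {
    ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI" \
        -b 'olcDatabase={0}config,cn=config' -s base olcAccess 2>/dev/null \
      | unwrap_ldif | acl_grants_root_manage
}

# Loaded schemas live under cn=schema,cn=config with an ordering prefix, e.g.
# cn={4}pdns; the substring filter tolerates that prefix. Needs live slapd.
schema_loaded() {
    ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI" -b 'cn=schema,cn=config' \
        -s one "(cn={*}$SCHEMA_CN)" dn 2>/dev/null | grep -q '^dn: '
}

load_schema() {
    ldapadd -Q -Y EXTERNAL -H "$LDAPI" -f "$SCHEMA_LDIF"
}

# Postinst-style flow: $1 is the debconf answer ("true"/"false").
configure_local_slapd() {
    may_configure "$1" || { echo 'not touching slapd (default)'; return 0; }
    we_are_root_over_ldapi || { echo 'not root over LDAPI, skipping' >&2; return 1; }
    config_grants_root_manage || { echo 'slapd does not grant root manage, skipping' >&2; return 1; }
    if schema_loaded; then
        echo "schema $SCHEMA_CN already present"
    else
        load_schema
    fi
}

# Only act when explicitly invoked, e.g.:  sh hook.sh --run true
case "${1:-}" in
    --run) configure_local_slapd "${2:-false}" ;;
esac
```

The two checks that talk to slapd are deliberately separate: `ldapwhoami` confirms the identity slapd derived from the socket peer credentials, and the ACL dump confirms that identity is actually granted manage rights, so a locally hardened cn=config makes the postinst back off instead of failing half-way through a schema load.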