slapd with cn=config - some suggestions
[CCing pkg-openldap-devel to keep all discussion in one place - sorry
should have done this sooner.]
Mathias Gug wrote:
>> The script currently loads schemas into cn=config setups via slapadd,
>> doing this via an LDAP connection is planned for the future if I can
>> come up with a good infrastructure to authenticate this kind of connection.
> Using slapadd is only safe when the slapd daemon is not running.
That's why I stop slapd before the installation and restart it directly
> supporting schema addition while slapd is running (via ldapadd) is
> important. As for authentication, prompting for the administrator
> credentials (dn & password) is the best option IMO.
The question would be if it's OK to cache these somewhere - I would hate
to ask that question repeatedly during one apt run.
Though this would only be a problem if other packages rely on the
update-ldap-schema script to install their schemas.
So I guess I shouldn't worry about it ATM.
(Maybe at a later point in time, the admin will have kerberos
Doing this online would have another advantage: it becomes easier to do
schema updates (adding attributes, changing objectclasses) while keeping
the cn=config tree consistent. But, on the other hand, it becomes
completely impossible to remove schemas, even at explicit administrator
Then again, the current implementation of offline removal is pretty
So I guess I need to collect some more opinions on "best practices". I
would be fine with disallowing the removal of an already-installed
schema completely, if nobody else misses it. (This would ensure
consistency with ACLs etc.) But I'm not sure what Debian policy has to
say about that.
ubuntu-server mailing list
More info: https://wiki.ubuntu.com/ServerTeam
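The two loading paths discussed in the message above (slapadd into the config database while slapd is stopped, versus ldapadd over a running server) can be put side by side in a small script. The following is an added example and not the update-ldap-schema script or any Debian packaging code: it converts a classic slapd.conf-style .schema file into the LDIF form that cn=config expects, then picks the load command based on whether slapd is running. The sample schema text and its OIDs are constructed for the example; the pidfile path, the config directory and the use of SASL EXTERNAL over ldapi:/// (which answers the authentication question in the thread without caching any credentials, provided the cn=config ACL grants the root user manage access, as the Debian packaging does) are assumptions stated in the comments.

```python
#!/usr/bin/env python3
"""Convert a slapd.conf(5)-style .schema file into a cn=config LDIF entry
and choose between an online (ldapadd) and an offline (slapadd) load.

Added example; not the update-ldap-schema script from the mailing-list
thread. Sample schema, OIDs and paths are constructed/assumed."""
import os
import shlex

# Constructed sample schema in the traditional slapd.conf(5) format.
# The OID arc 1.3.6.1.4.1.99999 is a placeholder, not a registered one.
SAMPLE_SCHEMA = """\
# example.schema (constructed for this example)
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleTag'
    DESC 'free-form tag'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleObject'
    SUP top AUXILIARY
    MAY ( exampleTag ) )
"""

# slapd.conf keyword -> attribute name in an olcSchemaConfig entry.
KEYWORDS = {
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
    "objectidentifier": "olcObjectIdentifier",
    "ditcontentrule": "olcDitContentRules",
}


def parse_schema(text):
    """Return a list of (olc attribute, definition) pairs.

    Definitions may span several lines; a continuation line starts with
    whitespace, exactly as slapd.conf(5) specifies. Comments and blank
    lines are ignored."""
    items = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line without a definition: %r" % line)
            current[1].append(line.strip())
            continue
        parts = line.split(None, 1)
        attr = KEYWORDS.get(parts[0].lower())
        if attr is None:
            raise ValueError("unsupported schema keyword: %r" % parts[0])
        current = (attr, [parts[1].strip() if len(parts) > 1 else ""])
        items.append(current)
    return [(attr, " ".join(defn)) for attr, defn in items]


def schema_to_ldif(name, text):
    """Build the LDIF for a cn=<name>,cn=schema,cn=config entry.

    The {N} ordering prefix is left out: slapd assigns it when the entry
    is added, so the same LDIF can be fed to ldapadd."""
    lines = [
        "dn: cn=%s,cn=schema,cn=config" % name,
        "objectClass: olcSchemaConfig",
        "cn: %s" % name,
    ]
    lines += ["%s: %s" % (attr, defn) for attr, defn in parse_schema(text)]
    return "\n".join(lines) + "\n"


def slapd_is_running(pidfile="/run/slapd/slapd.pid"):
    """True if the pid recorded in slapd's pidfile is alive.

    The pidfile path is an assumption about the Debian layout. Signal 0
    only tests for existence; EPERM still means the process exists."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
        os.kill(pid, 0)
    except PermissionError:
        return True
    except (OSError, ValueError):
        return False
    return True


def load_command(ldif_path, slapd_running, config_dir="/etc/ldap/slapd.d"):
    """Pick the load command as an argv list.

    Online: ldapadd over the ldapi socket with SASL EXTERNAL, so root is
    authorised by the peer credentials and no password has to be asked
    for or cached. Offline: slapadd straight into the config database
    (-n 0). slapadd must only be used while slapd is stopped; the caller
    is responsible for getting that right. config_dir is an assumption."""
    if slapd_running:
        return ["ldapadd", "-Q", "-Y", "EXTERNAL", "-H", "ldapi:///", "-f", ldif_path]
    return ["slapadd", "-F", config_dir, "-n", "0", "-l", ldif_path]


if __name__ == "__main__":
    ldif = schema_to_ldif("example", SAMPLE_SCHEMA)
    path = "/tmp/example.ldif"  # assumption: scratch location for the LDIF
    with open(path, "w") as fh:
        fh.write(ldif)
    print(ldif)
    print(shlex.join(load_command(path, slapd_is_running())))
```

Note that this only covers adding a schema; as the message points out, cn=config offers no online way to delete an olcSchemaConfig entry, so a removal path would still have to be an offline edit of the config database.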