Old 08-26-2008, 02:31 AM
Mathias Gug
 
slapd with cn=config - some suggestions

Hi,

On Tue, Aug 26, 2008 at 02:51:25AM +0200, P. Kaluza wrote:
> On the Debian side of things, this migration is still being prepared.
> One thing I am working currently on is a package shipping additional
> common LDAP schemas, as well as a script to load these into slapd on
> admin request.
>
> In the interest of brevity I'll just refer you to
> http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/2008-August/002980.html
> and
> http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/2008-August/003015.html
> for a design rationale.
>
> The script currently loads schemas into cn=config setups via slapadd,
> doing this via an LDAP connection is planned for the future if I can
> come up with a good infrastructure to authenticate this kind of connection.


Using slapadd is only safe when the slapd daemon is not running. This
use case is only found when the slapd package is being upgraded. So
supporting schema addition while slapd is running (via ldapadd) is
important. As for authentication, prompting for the administrator
credentials (dn & password) is the best option IMO.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 08-26-2008, 10:14 AM
"P. Kaluza"
 
slapd with cn=config - some suggestions

[CCing pkg-openldap-devel to keep all discussion in one place - sorry
should have done this sooner.]

Hi Mathias,

Mathias Gug wrote:
>> The script currently loads schemas into cn=config setups via slapadd,
>> doing this via an LDAP connection is planned for the future if I can
>> come up with a good infrastructure to authenticate this kind of connection.
>>
> Using slapadd is only safe when the slapd daemon is not running.
that's why I stop slapd before the installation and restart it directly
after.

> So
> supporting schema addition while slapd is running (via ldapadd) is
> important. As for authentication, prompting for the administrator
> credentials (dn & password) is the best option IMO.
>
The question would be if it's OK to cache these somewhere - I would hate
to ask that question repeatedly during one apt run.
Though this would only be a problem if other packages rely on the
update-ldap-schema script to install their schemas.
So I guess I shouldn't worry about it ATM.
(Maybe at a later point in time, the admin will have kerberos
credentials anyhow.)

Doing this online would have another advantage: it becomes easier to do
schema updates (adding attributes, changing objectclasses) while keeping
the cn=config tree consistent. But, on the other hand, it becomes
completely impossible to remove schemas, even at explicit administrator
request.

Then again, the current implementation of offline removal is pretty
flaky anyhow.

So I guess I need to collect some more opinions on "best practices". I
would be fine with disallowing the removal of an already-installed
schema completely, if nobody else misses it. (This would ensure
consistency with ACLs etc.) But I'm not sure what Debian policy has to
say about that.

Ciao,
Philipp


 
Old 08-26-2008, 12:51 PM
Andreas Hasenack
 
slapd with cn=config - some suggestions


Mathias Gug wrote:
> Using slapadd is only safe when the slapd daemon is not running. This
> use case is only found when the slapd package is being upgraded. So
> supporting schema addition while slapd is running (via ldapadd) is
> important. As for authentication, prompting for the administrator
> credentials (dn & password) is the best option IMO.

What about using ldapi:// + sasl external and mapping that to the root or admin dn?

Something like:

authz-regexp "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    "uid=Account Admin,ou=System Accounts,@SUFFIX@"


Just a thought.


--
Andreas Hasenack
andreas@canonical.com


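Andreas's ldapi:// + SASL EXTERNAL idea and Mathias's point about loading schemas while slapd is running, worked through as an added example that is not code from either poster or from the Debian/Ubuntu packages. It assumes dc=example,dc=com as a placeholder suffix, the admin DN from Andreas's snippet, and a slapd listening on ldapi:///; the '+' in the peercred identity is escaped because the match side of olcAuthzRegexp is a POSIX extended regex.

```shell
#!/bin/sh
# Added example, not code from the thread: map root's local ldapi:/// SASL
# EXTERNAL identity to an admin DN via olcAuthzRegexp, then load a schema
# over LDAP while slapd keeps running (no slapadd, no stop/start).
set -eu

# Assumptions: SUFFIX is a placeholder base DN; ADMIN_DN mirrors Andreas's snippet.
SUFFIX="${SUFFIX:-dc=example,dc=com}"
ADMIN_DN="uid=Account Admin,ou=System Accounts,${SUFFIX}"

# Identity slapd derives from the peer credentials of a root-owned ldapi:///
# connection. The match side of olcAuthzRegexp is a POSIX extended regex, so
# the literal '+' must be escaped or '0+' reads as "one or more zeros".
ROOT_PEERCRED='gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth'

# LDIF that adds the mapping to the global cn=config entry.
authz_regexp_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "${ROOT_PEERCRED}" "${ADMIN_DN}"
EOF
}

# Apply it over the local socket with SASL EXTERNAL: no password is typed or
# cached, which sidesteps the "prompt on every apt run" concern. Local root
# can already read slapd's database files, so this widens nothing on the host.
apply_authz_regexp() {
  authz_regexp_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Confirm the mapping: slapd should now report ADMIN_DN for this connection.
whoami_ldapi() {
  ldapwhoami -Q -Y EXTERNAL -H ldapi:///
}

# Load a schema LDIF (a cn=foo,cn=schema,cn=config entry) with slapd running.
load_schema() {
  ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Usage: sh this.sh apply [schema.ldif]; with no arguments nothing is changed.
if [ "${1:-}" = "apply" ]; then
  apply_authz_regexp
  whoami_ldapi
  if [ $# -ge 2 ]; then load_schema "$2"; fi
fi
```

Once the mapping is in place the connection is ADMIN_DN rather than the peercred DN, so the olcAccess rules on the config database must grant ADMIN_DN write access to cn=schema,cn=config or the schema load is refused.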
 