[Pkg-openldap-devel] Adding schemas and ACL's to slapd.conf

Russ Allbery rra at debian.org
Sun Jul 29 16:57:31 UTC 2007


Soren Hansen <soren at ubuntu.com> writes:

> I'm in a situation where I need to add ACL's and schemas to slapd.conf,
> and I can imagine others must have faced similar needs. Debian Policy
> tells me not to touch the config file directly, so I propose the
> attached patch. Summary:

Yeah, we talked about this a bit at Debconf as well.  I think the general
consensus at the time was to include a directory of schema files and use
an -available / -enabled structure similar to the Apache 2.x packages.

>  * It adds two new directories to /etc/ldap
>    - /etc/ldap/acl.d
>      This will contain the "access" snippets from slapd.conf. The
>      default ones are added as 110restrict_password.acl,
>      120base_read.acl, and 900default.acl.
>    - /etc/ldap/schemas-enabled
>      This will contain symlinks to the schemas that need to be included.
>  * It adds update-slapd-acl and update-slapd-schemas.
>    - update-slapd-acl generates /etc/ldap/acl.conf containing a header
>      and a list of "include" statements corresponding to the files in
>      /etc/ldap/acl.d.
>    - update-slapd-schemas generates /etc/ldap/schemas.conf containing a
>      header and a list of "include" statements corresponding to the
>      symlinks in /etc/ldap/schemas-enabled.

Doesn't slapd.conf support including directories, thereby including all
files in the directory?  Although I suppose that would require making the
same modifications that the Apache folks did to ignore files ending in
.dpkg-* so that the configuration file backups and new copies created by
dpkg aren't included.

If we can include directories, though, I think that would be cleaner than
requiring people to run a command to regenerate their slapd.conf.

back-config will obviously make this much better, but I don't think it's
fully ready until 2.4 (although Quanah can correct me certainly if I'm
wrong).

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
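
The generated-include approach proposed in this thread, combined with the .dpkg-* filter raised in the reply, as an added sketch. It is not the script from the attached patch; the function name gen_acl_includes and the header text are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical generator, not the update-slapd-acl
# script from the patch discussed in this thread.
# Usage: gen_acl_includes ACL_DIR OUTPUT_FILE
gen_acl_includes() (
    acl_dir=$1
    out=$2
    tmp="$out.tmp.$$"
    # Sort in the C locale so the numeric prefixes (110, 120, 900) fix
    # the order: slapd evaluates "access" directives in order and the
    # first match wins, so ordering is part of the access policy.
    LC_ALL=C
    export LC_ALL
    {
        echo "# Generated file, do not edit. Source: $acl_dir"
        for f in "$acl_dir"/*; do
            [ -f "$f" ] || continue      # skip directories, empty glob
            case "${f##*/}" in
                *.dpkg-*) continue ;;    # dpkg backups and new copies
            esac
            echo "include $f"
        done
    } > "$tmp"
    # Rename into place so slapd never reads a half-written file.
    mv "$tmp" "$out"
)

# Constructed demo input: two of the default snippets named in the
# proposal plus stale copies of the kind dpkg leaves behind.
work=$(mktemp -d)
mkdir "$work/acl.d"
: > "$work/acl.d/110restrict_password.acl"
: > "$work/acl.d/900default.acl"
: > "$work/acl.d/110restrict_password.acl.dpkg-old"
: > "$work/acl.d/900default.acl.dpkg-dist"
gen_acl_includes "$work/acl.d" "$work/acl.conf"
cat "$work/acl.conf"
rm -rf "$work"
```

Without the filter, a superseded 110restrict_password.acl.dpkg-old would be included next to its replacement, and slapd would evaluate both sets of access rules.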


