[Pkg-openldap-devel] Adding schemas and ACL's to slapd.conf

Russ Allbery rra at debian.org
Sun Jul 29 17:34:36 UTC 2007


Soren Hansen <soren at ubuntu.com> writes:
> On Sun, Jul 29, 2007 at 09:57:31AM -0700, Russ Allbery wrote:

>> If we can include directories, though, I think that would be cleaner than
>> requiring people to run a command to regenerate their slapd.conf.

> Well, "people" are limited to package maintainers, so I don't think it's
> that bad. They will have to make changes to support this anyway, so
> requiring it won't force any extra work on anyone who's not changing
> something anyway.

Well, it's not quite that simple, since ideally people would be able to
manage their slapd.conf the same way that they manage their Apache 2.x
configuration.  For example, if there was a schema-available setup, I'd
want to use that to manage our local schema at Stanford as well as ones
provided by other Debian packages (and we change them semi-regularly and
manage them through Puppet rather than a Debian package).

I'm also a little nervous about having packages run scripts that modify
the slapd.conf.  It's entirely possible that people will want packages
installed that provide schemas, but won't want to enable those schemas on
the LDAP server on the same box, for example.  Plus, we have to be very
careful to ensure that the script doesn't fiddle with local changes.  Of
course, that's mostly resolved by having the sysadmin run the scripts
themselves rather than having packages run them, but it's minorly awkward.

My personal take on this is that I'm happy to ship the scripts (that seems
harmless), but I'm nervous about running them by default as opposed to
explaining in README.Debian or the like how the schema system works, how
to enable additional schemas, and how other packages should provide
additional schemas and leaving it to the sysadmin to take the final step.
I know from Debconf discussions that that doesn't really fit the goals of
(for example) Debian Edu, though.

I have a very limited amount of time to spend on the OpenLDAP packages,
though, and I'm happy to defer to someone else who has more time and wants
to work through the issues and develop a good scheme.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
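The schema-available / schema-enabled layout that the message compares to Apache 2.x, as an added example. This is not Debian's or the OpenLDAP project's code; the directory names, the fragment file and the single static "include" line in slapd.conf are assumptions. Packages only drop files into schema-available, so installing a schema package does not enable it on the local server, and the sysadmin takes the final enabling step. The generator never rewrites slapd.conf itself and rewrites the fragment only when its content changes, so local edits are left alone and re-runs are idempotent.

```sh
#!/bin/sh
# Hypothetical drop-in schema layout for slapd.conf (added example; names
# are assumptions, not Debian's packaging):
#
#   $CONFDIR/schema-available/*.schema   shipped by packages or local admin
#   $CONFDIR/schema-enabled/*.schema     symlinks created by the sysadmin
#   $CONFDIR/schema-enabled.conf         generated: one "include" per link
#
# slapd.conf carries one static line, added once by hand and never touched
# by these functions:
#   include /etc/ldap/schema-enabled.conf

# Enable a schema by symlinking it from schema-available into
# schema-enabled.  Returns 1 if the schema is not available; enabling an
# already-enabled schema is not an error.
enable_schema() {
    confdir=$1; name=$2
    src="$confdir/schema-available/$name.schema"
    dst="$confdir/schema-enabled/$name.schema"
    [ -f "$src" ] || { echo "schema $name not available" >&2; return 1; }
    mkdir -p "$confdir/schema-enabled"
    [ -e "$dst" ] || ln -s "$src" "$dst"
    return 0
}

# Disable a schema by removing its symlink (the file in schema-available
# is left in place).
disable_schema() {
    rm -f "$1/schema-enabled/$2.schema"
}

# Render the include fragment to stdout.  The glob expands in sorted order,
# so the result is deterministic; since schema order matters when one
# schema depends on another, the sysadmin controls it through link names
# such as 10-core.schema, 20-local.schema.
render_includes() {
    confdir=$1
    echo "# Generated from $confdir/schema-enabled; do not edit."
    for link in "$confdir"/schema-enabled/*.schema; do
        [ -e "$link" ] || continue        # glob matched nothing
        echo "include $link"
    done
}

# Write the fragment only when its content differs from the current file,
# so a re-run is a no-op and does not trigger a needless slapd restart.
# Prints "changed" or "unchanged" for the caller.
update_fragment() {
    confdir=$1
    out="$confdir/schema-enabled.conf"
    tmp=$(mktemp "$confdir/.schema-enabled.XXXXXX")
    render_includes "$confdir" > "$tmp"
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        echo unchanged
    else
        mv "$tmp" "$out"
        echo changed
    fi
}

# Typical use by the sysadmin (not run here):
#   enable_schema /etc/ldap misc && update_fragment /etc/ldap
#   slaptest -f /etc/ldap/slapd.conf -u && invoke-rc.d slapd restart
```

Before restarting slapd, check the assembled configuration with `slaptest -f /etc/ldap/slapd.conf -u`; a schema that fails to parse, or one whose dependency is ordered after it, shows up there rather than as a server that will not start.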
