[Pkg-openldap-devel] Adding schemas and ACL's to slapd.conf

Soren Hansen soren at ubuntu.com
Sun Jul 29 17:53:13 UTC 2007


On Sun, Jul 29, 2007 at 10:34:36AM -0700, Russ Allbery wrote:
> >> If we can include directories, though, I think that would be
> >> cleaner than requiring people to run a command to regenerate their
> >> slapd.conf.
> > Well, "people" are limited to package maintainers, so I don't think
> > it's that bad. They will have to make changes to support this
> > anyway, so requiring it won't force any extra work on anyone who's
> > not changing something anyway.
> Well, it's not quite that simple, since ideally people would be able
> to manage their slapd.conf the same way that they manage their Apache
> 2.x configuration.

Ah, yes, I'm not quite used to people making their own schemas, but
rather just using the ones from various packages.

> For example, if there was a schema-available setup, I'd want to use
> that to manage our local schema at Stanford as well as ones provided
> by other Debian packages (and we change them semi-regularly and manage
> them through Puppet rather than a Debian package).

What if you could just put your local schemas under /usr/local somewhere
(or in /etc/ if you prefer) and symlink to them from
/etc/schemas-enabled. What I'm proposing is precisely like Apache's
sites-{enabled,available}, only the -available directory is just called
/etc/ldap/schema.

> I'm also a little nervous about having packages run scripts that
> modify the slapd.conf.  It's entirely possible that people will want
> packages installed that provide schemas, but won't want to enable
> those schemas on the LDAP server on the same box, for example.

a) As far as I know, there's currently no other mechanism for a package
to add a schema to slapd, and this is something I think is really
missing.

b) I really think the most common case is that if you're installing
something that has its own schemas (samba, for instance), you want your
LDAP server to know about them. This corresponds completely to web
applications automatically adding stuff to /etc/apache2/conf.d. If you
don't want a particular schema installed, you remove the symlink and
dpkg will make sure it's not installed again.

What is the canonical example of a package that provides a schema that
you'd not want to have installed?

> Plus, we have to be very careful to ensure that the script doesn't
> fiddle with local changes.

This is precisely the reason I don't implement it during upgrades, but
just refer to README.Debian.  On new installations (or installations
converted to use "my" acl.conf and schemas.conf), a package maintainer
would have to go out of their way to *not* respect local changes, since
debhelper and dpkg should make sure that removed symlinks in
/etc/ldap/schemas-enabled and files in /etc/ldap/acl.d are *not*
installed on upgrades.

> Of course, that's mostly resolved by having the sysadmin run the
> scripts themselves rather than having packages run them, but it's
> minorly awkward.

I still think the idea of running the script from the init scripts is
the optimal solution. All it ever touches are the new acl.conf and
schemas.conf which clearly say "THIS IS AUTOGENERATED" or something to
that effect, so no local changes should be overwritten by surprise.

> My personal take on this is that I'm happy to ship the scripts (that
> seems harmless), but I'm nervous about running them by default as
> opposed to explaining in README.Debian or the like how the schema
> system works, how to enable additional schemas, and how other packages
> should provide additional schemas and leaving it to the sysadmin to
> take the final step.

What I set out to do was to provide a way for packages to add schemas to
the ldap server in a safe way, and I believe the result is just what
section 10.7.4 of Debian Policy suggests. I think it's completely
reasonable for a package to want to add a schema to the ldap server, and
I also find it completely reasonable to allow it to do so without forcing
the admin to fiddle with slapd.conf and manually run a script from time
to time. If an admin really doesn't want this functionality, it's really
easy to stop using it (just remove the "include /etc/ldap/schemas.conf"
and insert only the includes he really wants).

What is the canonical way to add schemas to the ldap server now?

-- 
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/
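As an added illustration of the generator the message sketches (this is example code, not a script from this thread or from the Debian/Ubuntu slapd packages): it rebuilds the two autogenerated include files, schemas.conf from the symlinks in schemas-enabled and acl.conf from the fragments in acl.d, and writes nothing else, which is the property the discussion turns on. The directory and file names come from the message; the LDAP_ETC override, the "--run" switch and the numeric-prefix ordering convention are assumptions made here so the script can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the pkg-openldap-devel thread or the slapd package.
# Regenerates the two autogenerated include files the proposal describes:
#   $LDAP_ETC/schemas.conf  <- one "include" per symlink in $LDAP_ETC/schemas-enabled
#   $LDAP_ETC/acl.conf      <- concatenation of the fragments in $LDAP_ETC/acl.d
# Only those two files are written; slapd.conf and the admin's own files are
# never touched. LDAP_ETC (an assumption of this example) defaults to /etc/ldap
# and can be pointed at a scratch directory for testing.
set -eu

: "${LDAP_ETC:=/etc/ldap}"

# Header marking a generated file so nobody edits it by hand.
gen_header() {
    printf '# THIS FILE IS AUTOGENERATED from %s - DO NOT EDIT.\n' "$1"
    printf '# Change the contents of that directory and re-run the generator.\n'
}

# One "include <path>" per enabled schema, in sorted glob order, so the admin
# controls load order with numeric prefixes (00-core.schema, 10-cosine.schema, ...).
# Dangling symlinks (schema package purged, link left behind) are reported and
# skipped instead of producing an include that would stop slapd from starting.
gen_schemas_conf() {
    schema_dir="$LDAP_ETC/schemas-enabled"
    gen_header "$schema_dir"
    [ -d "$schema_dir" ] || return 0
    for link in "$schema_dir"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf 'warning: skipping dangling symlink %s\n' "$link" >&2
            continue
        fi
        [ -f "$link" ] || continue   # an empty directory leaves the literal pattern
        printf 'include %s\n' "$link"
    done
}

# Concatenate ACL fragments from acl.d. Order matters for slapd access rules
# (first matching rule wins), so the sorted glob order is again the contract.
gen_acl_conf() {
    acl_dir="$LDAP_ETC/acl.d"
    gen_header "$acl_dir"
    [ -d "$acl_dir" ] || return 0
    for frag in "$acl_dir"/*; do
        [ -f "$frag" ] || continue
        printf '\n# --- %s ---\n' "$frag"
        cat "$frag"
    done
}

# Build the file next to its target, then rename, so a slapd restart in the
# middle of regeneration never reads a half-written include.
write_atomic() {
    target="$1"; generator="$2"
    staging="$target.tmp.$$"
    "$generator" > "$staging"
    mv -f "$staging" "$target"
}

regenerate() {
    write_atomic "$LDAP_ETC/schemas.conf" gen_schemas_conf
    write_atomic "$LDAP_ETC/acl.conf" gen_acl_conf
}

# Number of schemas the generated schemas.conf includes; a cheap sanity check
# an init script can run before starting slapd.
count_includes() {
    grep -c '^include ' "$LDAP_ETC/schemas.conf" || true
}

# Touch the real /etc/ldap only when invoked explicitly.
if [ "${1:-}" = "--run" ]; then
    regenerate
fi
```

Run as `LDAP_ETC=/tmp/scratch sh regen.sh --run` to see the output files without touching the real directory; the init-script hook the message proposes would be the same call without the override.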