[Pkg-openldap-devel] Hacking slapd conffiles to fix an RC bug in kolabd (Was: Bug#596280: unblock: kolabd/2.2.4-20100624-2)
Quanah Gibson-Mount
quanah at zimbra.com
Mon Sep 13 17:57:44 UTC 2010
--On Monday, September 13, 2010 9:25 AM +0200 "Mathieu Parent (Debian)"
<sathieu at debian.org> wrote:
> Hi,
>
> On Mon, Sep 13, 2010 at 4:24 AM, Steve Langasek <vorlon at debian.org> wrote:
> ...
>>> Note that kolabd for Wheezy will manage cn=config natively (most
>>> probably by creating slapd.conf and using slaptest; but perhaps by
>>> directly issuing ldap commands).
>>
>> Is there any reason this (slapd.conf + slaptest) couldn't be used as the
>> workaround in squeeze? That still doesn't sound great to me given that
>> it would overwrite any previously present cn=config settings, but it
>> seems to be the existing practice that kolabd will overwrite slapd
>> configs, so it should at least do so in the preferred location; and
>> getting this right shouldn't be any harder than the policy-violating
>> conffile overwrite.
>
> OK. Let's go for this path. I will upload a new kolabd that reverts the
> hack and upload a new libkolab-perl package which runs slaptest after
> changing any openldap config (this is where this fix belongs).
>
> For the long term, how can we be sure to have write access to
> cn=config? Couldn't slapd package provide a tool to query cn=config
> (like ldapconfigsearch) which uses ldapsearch with proper credentials
> if slapd is running and uses something else when slapd is stopped?
> Similarly, provide an ldapconfigmodify. Also providing ldapschemaadd,
> ldapschemaremove, ... can ease the integration from other packages.

I think you're looking for slapmodify, a tool I specifically requested be
written a while back. It exists currently in OpenLDAP HEAD. It allows the
offline modification of cn=config.

See ITS#6165.

--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration