Hi Sam,

On Mon, Jul 16, 2018 at 05:02:34PM -0400, Sam Hartman wrote:
> Mostly for the slapd maintainer.
> Currently krb5-kdc-ldap ships an OpenLDAP schema file for the Kerberos
> schema.
> I just noticed that we don't ship the ldif file for the newer format
> slapd config and will be fixing that in my next upload.

Great, thanks!

> Currently in order to take advantage of either, the administrator needs
> to grab the schema or ldif out of /usr/share/doc/krb5-kdc-ldap and
> manually process it.

Yes.

> Is there some way we could do better than this?  How do we handle
> optional schemas in Debian?  If we don't have a better way, would you
> consider a patch to support the Kerberos schema in the Debian slapd
> package?

What do you mean by "support"? I would be reluctant to add new schemas in an automated way - this should be an explicit action by the administrator. Our default configuration just includes the few most widely used schemas.

A couple of thoughts on the rest of the bug:

Schemas are best considered as static data, rather than user-editable configuration. From this perspective, /usr is the right place for them. (In fact, we have a long-term wishlist item of moving the default schemas away from /etc, too.)

Shipping your schema uncompressed would be one way to reduce friction for slapd administrators but of course has a cost in disk space. I do think shipping the .ldif in addition to the .schema will already be a major usability improvement, so thanks for doing that!

Ryan
