>>>>> "Ryan" == Ryan Tandy <r...@nardis.ca> writes:

Ryan> Hi Sam,

Ryan> On Mon, Jul 16, 2018 at 05:02:34PM -0400, Sam Hartman wrote:
>> Mostly for the slapd maintainer. Currently krb5-kdc-ldap ships
>> an OpenLDAP schema file for the Kerberos schema. I just noticed
>> that we don't ship the ldif file for the newer format slapd
>> config and will be fixing that in my next upload.

Ryan> Great, thanks!

>> Currently in order to take advantage of either, the administrator
>> needs to grab the schema or ldif out of
>> /usr/share/doc/krb5-kdc-ldap and manually process it.

Ryan> Yes.

>> Is there some way we could do better than this? How do we handle
>> optional schemas in Debian? If we don't have a better way, would
>> you consider a patch to support the Kerberos schema in the Debian
>> slapd package?

Ryan> What do you mean by "support"? I would be reluctant to add new
Ryan> schemas in an automated way - this should be an explicit
Ryan> action by the administrator. Our default configuration just
Ryan> includes the few most widely used schemas.

So, I agree administrator action should be required.
However, especially with the schema managed over the ldap protocol, I find
the process of updating a schema moderately tedious.
Mostly I'm wondering if you have considered helping the administrator out by
having a simple command they can run to enable a schema once they have
decided to do so.

Ryan> A couple of thoughts on the rest of the bug:

Ryan> Schemas are best considered as static data, rather than
Ryan> user-editable configuration. From this perspective, /usr is
Ryan> the right place for them. (In fact, we have a long-term
Ryan> wishlist item of moving the default schemas away from /etc,
Ryan> too.)

Agreed.

Ryan> Shipping your schema uncompressed would be one way to reduce
Ryan> friction for slapd administrators but of course has a cost in
Ryan> disk space. I do think shipping the .ldif in addition to the
Ryan> .schema will already be a major usability improvement, so
Ryan> thanks for doing that!

Oh definitely; it was a bug we weren't doing so. I noticed we were shipping
an ldif, but forgot it was the Novell eDirectory format not the OpenLDAP
format.
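The "manual processing" discussed above, as an added example that is not part of this thread, of the krb5 package or of the slapd package: a small converter that turns a slapd.conf-style .schema file into the LDIF entry that cn=config expects, with long lines folded per RFC 2849. It assumes the input uses only attributetype/objectclass directives, and the sample schema and its OIDs are constructed placeholders, not the real Kerberos schema.

```python
"""Turn an OpenLDAP .schema file into a cn=config LDIF entry (added example, not
from the thread or the krb5 package; assumes slapd.conf directive syntax)."""

# slapd.conf schema directive -> attribute of the olcSchemaConfig entry
DIRECTIVES = {"attributetype": "olcAttributeTypes",
              "objectclass": "olcObjectClasses"}

def parse_schema(text):
    """Return [(olc attribute, definition)], each definition joined onto one line."""
    items, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank or comment line
        if raw[0].isspace():                  # indented: continues the directive
            if current is None: raise ValueError("continuation before any directive")
            current[1].append(raw.strip())
            continue
        if current:
            items.append((current[0], " ".join(current[1])))
        parts = raw.split(None, 1)            # directive word, rest of line
        if parts[0].lower() not in DIRECTIVES:
            raise ValueError(f"unsupported directive: {parts[0]}")
        current = (DIRECTIVES[parts[0].lower()], [p.strip() for p in parts[1:]])
    if current:
        items.append((current[0], " ".join(current[1])))
    return items

def fold(line, width=76):
    """Fold one LDIF line (RFC 2849): continuation lines begin with a space."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)

def schema_to_ldif(name, text):
    """Build the entry for 'cn=<name>,cn=schema,cn=config', ready for ldapadd."""
    out = [f"dn: cn={name},cn=schema,cn=config", "objectClass: olcSchemaConfig",
           f"cn: {name}"]
    out += [fold(f"{attr}: {definition}") for attr, definition in parse_schema(text)]
    return "\n".join(out) + "\n"

# Constructed sample with placeholder OIDs; not the real Kerberos schema.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'krbExampleRealmName'
    DESC 'placeholder: realm name'
    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'krbExampleRealm' SUP top STRUCTURAL
    MUST krbExampleRealmName )
"""
```

The output of schema_to_ldif is what an administrator would feed to ldapadd -Y EXTERNAL -H ldapi:/// on the slapd host, the usual root identity for cn=config.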