[CCing pkg-openldap-devel to keep all discussion in one place - sorry should have done this sooner.]
Hi Mathias,

Mathias Gug wrote:
>> The script currently loads schemas into cn=config setups via slapadd,
>> doing this via an LDAP connection is planned for the future if I can
>> come up with a good infrastructure to authenticate this kind of connection.
>>
> Using slapadd is only safe when the slapd daemon is not running.

That's why I stop slapd before the installation and restart it directly after.

> So supporting schema addition while slapd is running (via ldapadd) is
> important. As for authentication, prompting for the administrator
> credentials (dn & password) is the best option IMO.
>

The question would be if it's OK to cache these somewhere - I would hate to ask that question repeatedly during one apt run. Though this would only be a problem if other packages rely on the update-ldap-schema script to install their schemas. So I guess I shouldn't worry about it ATM. (Maybe at a later point in time, the admin will have Kerberos credentials anyhow.)

Doing this online would have another advantage: it becomes easier to do schema updates (adding attributes, changing objectclasses) while keeping the cn=config tree consistent.

But, on the other hand, it becomes completely impossible to remove schemas, even at explicit administrator request. Then again, the current implementation of offline removal is pretty flaky anyhow. So I guess I need to collect some more opinions on "best practices". I would be fine with disallowing the removal of an already-installed schema completely, if nobody else misses it. (This would ensure consistency with ACLs etc.) But I'm not sure what Debian policy has to say about that.

Ciao,
Philipp

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
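As an added example (not code from the update-ldap-schema script, nor from the Debian or Ubuntu OpenLDAP packages), here is the conversion the thread is about: a legacy slapd.conf-style .schema file turned into the cn=config LDIF entry that either slapadd (with slapd stopped) or ldapadd (with slapd running) would load. The sample schema, its OIDs and the schema name "example" are constructed for this example; the cn=config layout it targets (entries of objectClass olcSchemaConfig under cn=schema,cn=config) is the standard one.

```python
"""Convert a legacy slapd.conf-style .schema file into a cn=config LDIF entry.

Added example, not the update-ldap-schema script discussed in the thread.
Assumes the standard cn=config layout; the sample schema below is constructed
for this example and is not a real package's schema.
"""
import re

# Constructed sample input: a tiny legacy-format schema under a made-up OID arc.
SAMPLE_SCHEMA = """\
# example.schema (constructed for this example)
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr'
    DESC 'An example attribute'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleObject'
    DESC 'An example auxiliary class'
    SUP top AUXILIARY
    MAY exampleAttr )
"""

# slapd.conf keyword -> cn=config attribute that carries the same definition
KINDS = {"attributetype": "olcAttributeTypes", "objectclass": "olcObjectClasses"}

_HEAD = re.compile(r"^[ \t]*(attributetype|objectclass)[ \t]*\(",
                   re.IGNORECASE | re.MULTILINE)


def parse_schema(text):
    """Return [(config_attr, definition)] in file order.

    File order matters: slapd rejects an object class that references an
    attribute type it has not seen yet, so the order is preserved as-is.
    """
    src = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    entries = []
    for m in _HEAD.finditer(src):
        kind = KINDS[m.group(1).lower()]
        start = m.end() - 1          # index of the opening '('
        depth, i = 0, start
        while i < len(src):          # find the matching ')' (MAY/MUST lists nest parens)
            if src[i] == "(":
                depth += 1
            elif src[i] == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        if depth != 0:
            raise ValueError("unbalanced parentheses in %s definition" % kind)
        # collapse the multi-line definition to one line, as cn=config stores it
        entries.append((kind, " ".join(src[start:i + 1].split())))
    return entries


def fold(line, width=76):
    """Fold one LDIF logical line per RFC 2849: continuation lines start with a space."""
    if len(line) <= width:
        return [line]
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold(ldif):
    """Inverse of fold(): join continuation lines back into logical lines."""
    logical = []
    for line in ldif.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def to_config_ldif(name, entries):
    """Build the LDIF for cn=<name>,cn=schema,cn=config (slapd adds its {n} index on load)."""
    logical = ["dn: cn=%s,cn=schema,cn=config" % name,
               "objectClass: olcSchemaConfig",
               "cn: %s" % name]
    logical += ["%s: %s" % (kind, definition) for kind, definition in entries]
    physical = []
    for line in logical:
        physical.extend(fold(line))
    return "\n".join(physical) + "\n"


if __name__ == "__main__":
    print(to_config_ldif("example", parse_schema(SAMPLE_SCHEMA)), end="")
```

The resulting file can be loaded either way the thread discusses: offline, with slapd stopped, via `slapadd -F /etc/ldap/slapd.d -n 0 -l example.ldif` (database 0 is cn=config), or online via `ldapadd -Y EXTERNAL -H ldapi:/// -f example.ldif`, which authenticates root through its Unix uid over the local socket instead of a cached dn/password, provided cn=config grants that ldapi identity access (as the Debian default configuration does). On load slapd renames the entry to cn={N}example, with N its position after the schemas already present.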
