[Pkg-openldap-devel] Adding schemas and ACL's to slapd.conf
Russ Allbery
rra at debian.org
Sun Jul 29 18:03:41 UTC 2007
Soren Hansen <soren at ubuntu.com> writes:
> b) I really think the most common case is that if you're installing
> something that has its own schemas (samba, for instance), you want your
> LDAP server to know about them.
This may very well be the case, but I think there are major examples where
it isn't. It's certainly the wrong behavior for all of my directory
servers, for instance. On the other hand, I suppose that I can just not
include schemas.conf, when schemas.conf is defined to include all the
current schemas that are installed. So I think I'm becoming convinced.
> This corresponds completely to web applications automatically adding
> stuff to /etc/apache2/conf.d.
I hate this behavior, and I've not been so unfortunate as to run into a
web application package that does this. It's almost always completely
broken in the presence of virtual hosts. All the web applications I use
document the necessary configuration in README.Debian.
However, your approach is nicer than this, since you're using a separate
config file rather than something that's always read by Apache unless you
take over the root config file (which for Apache isn't a good option).
> What is the canonical example of a package that provides a schema that
> you'd not want to have installed?
Samba comes to mind, although in that case maybe it would work to break
the schema out into a separate package (there was some discussion of this
at Debconf as well, but I don't remember it as completely). Also, there
has been a lot of discussion of a separate openldap-schemas package that
provides a variety of common schemas, and obviously not all of those
should be enabled.
> This is precisely the reason I don't implement it during upgrades, but
> just refer to README.Debian. On new installations (or installation
> converted to use "my" acl.conf and schemas.conf), package maintainers
> would have to go out of their way to *not* respect local changes, since
> debhelper and dpkg should make sure that removed symlinks in
> /etc/ldap/schemas-enabled and files in /etc/ldap/acl.d are *not*
> installed on upgrades.
I thought that didn't always work in edge cases with symlinks. There was
a bunch of discussion about that a while back.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421344
I'm not sure if symlinks in /etc get marked as conffiles; I'd have to do
some experimentation.
> I still think the idea of running the script from the init scripts is
> the optimal solution. All it ever touches are the new acl.conf and
> schemas.conf which clearly say "THIS IS AUTOGENERATED" or something to
> that effect, so no local changes should be overwritten by surprise.
Ah, yes, okay. I think I'm starting to get it now. And people who don't
want that behavior can just not include those files.
> What I set out to do was to provide a way for packages to add schemas to the
> ldap server in a safe way, and I believe the result is just what section
> 10.7.4 of Debian Policy suggests. I think it's completely reasonable for
> a package to want to add a schema to the ldap server, and I also find
> it completely reasonable to allow it to do so without forcing the admin
> to fiddle with slapd.conf and manually run a script from time to time.
> If an admin really doesn't want this functionality, it's really easy to
> stop using it (just remove the "include /etc/ldap/schemas.conf" and
> insert only the includes he really wants).
> What is the canonical way to add schemas to the ldap server now?
There isn't one. It's certainly a problem that needs to be fixed; no
question on that.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
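As an added example (not code from this thread or from the Debian openldap packaging), the script below shows how a generator of the kind Soren describes could assemble schemas.conf from symlinks in a schemas-enabled directory and acl.conf from fragments in an acl.d directory, each file carrying the "THIS IS AUTOGENERATED" header so nobody edits it by hand. The directory layout, header wording and function names are assumptions; paths are passed as arguments so it can be exercised against a scratch directory rather than /etc/ldap.

```shell
#!/bin/sh
# Added example: regenerate the two autogenerated slapd include files from
# directories the admin controls. Not the Debian packages' own code.
set -eu

HEADER='# THIS IS AUTOGENERATED: change the enabled-dir entries, not this file.'

# gen_schemas ENABLED_DIR OUT
#   ENABLED_DIR holds one symlink per enabled schema, pointing at a
#   *.schema file.  Dangling symlinks (schema package removed, link left
#   behind) are skipped so a stale link cannot keep slapd from starting.
gen_schemas() {
    dir=$1; out=$2
    tmp=$(mktemp "$out.XXXXXX")
    {
        echo "$HEADER"
        for link in "$dir"/*.schema; do
            [ -e "$link" ] || continue           # glob miss or dangling link
            echo "include $(readlink -f "$link")"
        done
    } > "$tmp"
    mv "$tmp" "$out"   # atomic replace: slapd never reads a half-written file
}

# gen_acls ACL_DIR OUT
#   Concatenates every *.conf fragment in ACL_DIR in sorted order, so the
#   admin controls precedence of access rules with numeric prefixes.
gen_acls() {
    dir=$1; out=$2
    tmp=$(mktemp "$out.XXXXXX")
    {
        echo "$HEADER"
        for frag in "$dir"/*.conf; do
            [ -f "$frag" ] || continue
            echo "# from $frag"
            cat "$frag"
        done
    } > "$tmp"
    mv "$tmp" "$out"
}

# count_includes FILE: number of live "include" lines, for checking results.
count_includes() { grep -c '^include ' "$1" || true; }
```

Wired into the init script or a maintainer-script hook, the two functions run before slapd starts; an admin who does not want the behaviour simply stops including the generated files from slapd.conf.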