[Pkg-openldap-devel] RFC: separate schema package
Philipp
pixelpapst at users.sourceforge.net
Thu Aug 7 01:49:50 UTC 2008
Hello openldap packaging heroes!
Russ' recent quest for openldap help on -release reminded me of an
action item we came up with on the LDAP packaging BoF on last year's
DebConf. We left this in a kinda-assigned-to-me state, but it slipped
from my radar nonetheless, for which I apologize.
The idea was to create an additional source package that would ship a
number of additional LDAP schemata and could be installed on the
slapd-running host (as opposed to the current situation where client
packages usually install them on the wrong box).
This package, named ldap-schema-common, is still a work in progress, but
since another DebConf is approaching fast (which I'm unfortunately
unable to attend this year), I wanted to post an update before.
The current state can be found at
http://playground.yomu.de/debian/pool/main/l/ldap-schema-common/ .
The package is structured as follows:
a) The package ships with a number of common schemata (currently only
three, but more to be added as I review more copyrights). They are
treated as immutable, so consequently are not conffiles. Other packages
could also dump even more schemata into a /usr/share directory and let
ldap-schema-common worry about the management.
b) The admin has to explicitly enable a schema after installing it.
(This is because once a schema is actually in use, the process of
removing it is complicated.) To activate the schema, the admin calls e.g.
update-ldap-schema --enable samba
The script tracks which schemata are enabled on a system.¹
c) The script calls a backend to install the schema into the LDAP server:
c1) a backend for slapd.conf style setups, which generates an includable
"slapd-schema.conf" file²,³ or
c2) a backend for slapd.d / cn=config style setups, which converts the
schema to LDIF and does a slapadd
These backends are part of the update-ldap-schema script. I envision
more backends for samba's ldb and possibly FDS, should that ever get
packaged. If the number of packaged LDAP servers ever reaches 5, we
could factor out the backends into proper hook scripts.
I hope this is not over-engineered, but I wanted to future-proof our
fragile schema handling somewhat.
¹ This should maybe get a nice debconf interface.
² This overlaps somewhat with what Soren Hansen proposed last summer,
but which I only found out about recently since it never got shipped.
³ The script could also update parts of slapd.conf, update-grub style. I
was reluctant to do this however as it's the slapd package's conffile.
What works
----------
- enabling schema for slapd.conf
- enabling schema for cn=config
- disabling schema for slapd.conf
What breaks horribly
--------------------
- disabling schema if a dependent schema or ACL still references it
(obviously)
-> should maybe add dependency handling
- disabling schema for cn=config if it's not the last one
- slapd segfaults if the cn={#}abc ordering skips a number
The update-ldap-schema script as it stands and my TODO list are attached
for your convenience. The schemata currently shipped are samba.schema
and evolutionperson.schema.
I am now looking for feedback on:
- other schemata to ship, preferably with pointers to license information
- the overall design of update-ldap-schema
- specific hints how to interact better with slapd etc.
- ideas on schema removal
- musings on the feasibility of automatic schema upgrades
Thank you guys in advance.
To those going to DebConf, I wish you a great conference and hope to
meet you again next year.
Bye,
Philipp
PS: I'm glad to see you're working to make cn=config the default - this
has made my life quite a bit easier since its introduction.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: update-ldap-schema
Url: http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20080807/1c775126/attachment.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: TODO
Url: http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/attachments/20080807/1c775126/attachment-0001.txt
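The two backends sketched in the post, as an added example written for this page (it is not the attached update-ldap-schema script): backend c1 renders the includable slapd-schema.conf from the enabled list, and backend c2 builds the cn={N} LDIF for slapadd only after checking that the existing cn=schema entries have no index gap, the condition the "What breaks horribly" section reports as a slapd crash. The install path /usr/share/ldap-schema-common and the sample entries are assumptions.

```python
import re

# Constructed sample data, not from the original post.
SCHEMA_DIR = "/usr/share/ldap-schema-common"   # assumed install path
ENABLED = ["samba", "evolutionperson"]          # what --enable recorded, in order

def render_slapd_schema_conf(enabled, schema_dir=SCHEMA_DIR):
    """Backend c1: contents of the includable slapd-schema.conf."""
    out = ["# generated by update-ldap-schema, do not edit by hand"]
    for name in enabled:
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):  # no path tricks in names
            raise ValueError(f"refusing unsafe schema name {name!r}")
        out.append(f"include {schema_dir}/{name}.schema")
    return "\n".join(out) + "\n"

_ENTRY = re.compile(r"^cn=\{(\d+)\}([^,]+),cn=schema,cn=config$")

def schema_index(dns):
    """Map cn={N} index -> schema name for the entries under cn=schema."""
    idx = {}
    for dn in dns:
        m = _ENTRY.match(dn)
        if m is None:
            raise ValueError(f"not a schema entry: {dn}")
        n = int(m.group(1))
        if n in idx:
            raise ValueError(f"duplicate index {n}: {dn}")
        idx[n] = m.group(2)
    return idx

def ordering_gaps(dns):
    """Indices missing from 0..max; slapd must never be started over a gap."""
    idx = schema_index(dns)
    return [i for i in range(max(idx) + 1) if i not in idx] if idx else []

def next_schema_ldif(dns, name):
    """Backend c2: LDIF skeleton for slapadd; refuses to add on top of a gap."""
    gaps = ordering_gaps(dns)
    if gaps:
        raise RuntimeError(f"cn=schema ordering has gaps {gaps}; repair before slapadd")
    n = len(dns)  # contiguous from 0, so the next free index is the count
    return (f"dn: cn={{{n}}}{name},cn=schema,cn=config\n"
            "objectClass: olcSchemaConfig\n"
            f"cn: {{{n}}}{name}\n")

def can_disable(dns, name):
    """Only the last cn={#} entry can be removed without leaving a gap."""
    idx = schema_index(dns)
    return bool(idx) and idx[max(idx)] == name
```

The real script would append the olcAttributeTypes/olcObjectClasses lines converted from the .schema file after the cn line; the skeleton above stops at the entry header.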