[Pkg-openldap-devel] Can a package modify slapd.conf in its maintainer script?

P. Kaluza pk+debs at yomu.de
Tue Aug 26 00:17:04 UTC 2008

Hi Alessandro, hi everybody,

Alessandro De Zorzi wrote:
> Hello there,
> I am new to this list. I would like to know more about:
> "Can a package modify slapd.conf in its maintainer script?".
> [...]
> Is this solution possible in this scenario or not?
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494155
> Could slapd package provide a tool to edit slapd.conf?
You have already stumbled upon the ldap-schema-common package I'm 
building currently.
This was born out of a discussion at last year's DebConf, that shipping 
schema files within the daemon packages is not all that practical (as 
they often end up on different servers or vservers), and that we should 
ship more "commonly wanted" schemas¹ in an extra package.

The second task, that followed from this, is to register only the 
_wanted_ schemas with the LDAP daemon.
I agree with Russ that we should only install schemas the admin 
explicitly asked for.

In your bugreport you propose a "schema drop" directory in two variants. 
(simple drop directory and schema-{available,enabled} symlink farm.)
While theoretically slapd could even be patched to automatically pick up 
all schemas in a certain dir, the obvious and sometimes rather subtle 
interactions between schema files and existing databases require IMHO a 
more sophisticated approach. (E.g. you cannot slapadd database dumps 
referencing unknown schemas.)

Think a2enmod / a2dismod.
The script update-ldap-schema I propose would track which schemas the 
administrator explicitly requested, keep them around even if the package 
holding them gets deinstalled, and maybe even do something smart when 
new versions of a known schema come along. (Which they unfortunately do, 

The script can also migrate the information "which schemas are we using" 
over to a back-config setup, but I guess this is handled by the 
migration logic anyhow.

> I know back-config could be a good solution that does not
> require slapd.conf and schema files... but if in this time Lenny
> default installation provides a legacy configuration with slapd.conf
> packages that provide their own schema need to enable them automatically ?
I also think that back-config won't land in time for lenny, although I 
would have liked to see it.

The other point you implicitly raised is also an important one: what 
changes in general can other packages make to slapd's configuration ? 
add ACLs ? add their own databases ?
However, this is a very broad discussion, so I think it makes sense to 
delay it until after back-config has been rolled out.

So, on to something concrete:
Thank you for your offer for testing the ldap-schema-common package. 
Could you check it out with your use cases in mind and tell me if the 
update-ldap-schema tool fits them, what else it should do, etc.
What other schemas should it include ?
Basically I'm looking for any kind of feedback.

And to the slapd maintainers:
has anybody had time to give the package a quick look-over ?
Also, was there an LDAP meeting on DebConf again ?
If so, with what results ?

Thanks all, keep up the good work !
  Philipp Kaluza

¹ I skipped over this topic in my last mail, but... is there any 
preference on the correct plural for "schema" in the context of LDAP ? 
Google fight ? :)
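
Added example, not part of the original message and not the update-ldap-schema script itself: a minimal a2enmod-style registry showing the behaviour described above (only explicitly requested schemas are registered, and they survive removal of the shipping package). The state directory, file names and function names are assumptions, as is the setup in which slapd.conf carries a single `include` line pointing at the generated schemas.conf.

```shell
#!/bin/sh
# Added sketch: a2enmod-style schema registry. Not the real update-ldap-schema;
# the state directory, file names and function names are assumptions.
SCHEMA_STATE="${SCHEMA_STATE:-/var/lib/ldap-schema-demo}"

# Accept only plain names, so a caller cannot smuggle a path or an extra
# directive into the root-owned include file.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) echo "bad schema name: $1" >&2; return 1 ;;
    esac
}

# Rebuild schemas.conf from enabled.list and swap it in with a rename, so
# slapd never reads a half-written file. List order is kept because a
# schema must come after the schemas it depends on.
regen_includes() {
    tmp="$SCHEMA_STATE/schemas.conf.new"
    : > "$tmp"
    while IFS= read -r n; do
        printf 'include %s/enabled/%s.schema\n' "$SCHEMA_STATE" "$n" >> "$tmp"
    done < "$SCHEMA_STATE/enabled.list"
    mv -- "$tmp" "$SCHEMA_STATE/schemas.conf"
}

# enable_schema NAME FILE: record an explicit admin request.
enable_schema() {
    valid_name "$1" || return 2
    [ -f "$2" ] || { echo "no such schema file: $2" >&2; return 1; }
    mkdir -p "$SCHEMA_STATE/enabled"
    # Copy rather than symlink: the schema has to survive removal of the
    # package that shipped it, because existing databases still reference it.
    cp -- "$2" "$SCHEMA_STATE/enabled/$1.schema"
    grep -qx -- "$1" "$SCHEMA_STATE/enabled.list" 2>/dev/null ||
        printf '%s\n' "$1" >> "$SCHEMA_STATE/enabled.list"
    regen_includes
}

# disable_schema NAME: forget the request and drop the private copy.
disable_schema() {
    valid_name "$1" || return 2
    [ -f "$SCHEMA_STATE/enabled.list" ] || return 0
    grep -vx -- "$1" "$SCHEMA_STATE/enabled.list" > "$SCHEMA_STATE/enabled.list.new" || true
    mv -- "$SCHEMA_STATE/enabled.list.new" "$SCHEMA_STATE/enabled.list"
    rm -f -- "$SCHEMA_STATE/enabled/$1.schema"
    regen_includes
}
```

A package's maintainer script would only drop its schema file in place; nothing reaches slapd until the administrator calls `enable_schema`.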
