[Pkg-openldap-devel] Automate access to cn=config from package maintainer scripts

Mathias Gug mathiaz at ubuntu.com
Thu Jul 30 23:33:59 UTC 2009


Hi,

Building on the work done to migrate to cn=config, I've started to
extract some common functionalities from slapd.scripts-common into a
separate script (slapd-cfg). I'd like to get your input on the proposal.

Here are two use cases:

* Provide a package that creates a new slapd database using
  back_ldap+pcache+nss_overlay.

* Create a package that creates a new slapd database using back_hdb and
  loads a set of modules, schemas and DIT.

All of that without prompting for a password to access the local slapd
daemon at installation time.

Design Overview:

* use Authz module to map the local root user (authenticated via
  SLAPI+peercred SASL) to a defined user (cn=localroot,cn=config) and
  grant complete access to this user to the cn=config tree.

* extract common functionalities from slapd.scripts-common into a
  separate script that can be called by any maintainer scripts.
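As an added illustration of the first design point (not taken from the proof-of-concept branch), the following LDIF shows what the cn=config change could look like. It assumes slapd listens on ldapi:///, that the maintainer script binds as root with SASL EXTERNAL over that socket (the peercred identity slapd derives for uid 0 / gid 0 is gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth), and that the mapped identity is the cn=localroot,cn=config name proposed above; the ACL line then grants that mapped DN manage rights on the config database. The name cn=localroot,cn=config does not need to exist as an entry, since an authz-regexp replacement that is a plain DN is used without a lookup.

```ldif
# Added example (assumed values, not from the slapd-scripts branch).
# Step 1: map the local root peercred identity to cn=localroot,cn=config.
# The "+" is a regex metacharacter, so it is escaped in the pattern;
# the value is "<regexp> <replacement>" separated by a space.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localroot,cn=config

# Step 2: grant the mapped identity full access to the cn=config database.
# Inserted at position {0} so it is evaluated before any existing rules;
# "by * break" lets the remaining rules still apply to everyone else.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=localroot,cn=config" manage by * break
```

Once the regexp is in place, root's peercred DN is rewritten before ACL evaluation, so a rule that matched the raw gidNumber=0+uidNumber=0,... DN (as the stock Debian configuration does) no longer sees it; the second change is what keeps root's access working. A maintainer script can then apply further changes with `ldapmodify -Q -Y EXTERNAL -H ldapi:///` without any password prompt.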

Implementation:

I've written a proof of concept available on launchpad [1]. As mentioned
in the README file:

[1]: https://code.launchpad.net/~mathiaz/+junk/slapd-scripts-upstream

slapd-scripts is a python module and a CLI to perform standard
operations on slapd using cn=config:

 * initialize a slapd configuration
 * load a schema
 * load a module
 * load an ldif file

It uses either the slap* command (offline mode - when slapd is not
running) or python-ldap (online mode - when slapd is running) to modify
the configuration of slapd.

Implementations of both use cases mentioned above are located in the
examples/ directory of the branch above. Let me know what you think
about it.

Thank you,

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com