[Pkg-openldap-devel] Is there a better way to handle Kerberos ldap configuration

Ryan Tandy ryan at nardis.ca
Mon Jul 16 22:23:14 BST 2018


Hi Sam,

On Mon, Jul 16, 2018 at 05:02:34PM -0400, Sam Hartman wrote:
>Mostly for the slapd maintainer.
>Currently krb5-kdc-ldap ships an OpenLDAP schema file for the Kerberos
>schema.
>I just noticed that we don't ship the ldif file for the newer format
>slapd config and will be fixing that in my next upload.

Great, thanks!

>Currently in order to take advantage of either, the administrator needs
>to grab the schema or ldif out of /usr/share/doc/krb5-kdc-ldap and
>manually process it.

Yes.

>Is there some way we could do better than this?  How do we handle
>optional schemas in Debian?  If we don't have a better way, would you
>consider a patch to support the Kerberos schema in the Debian slapd
>package?

What do you mean by "support"? I would be reluctant to add new schemas 
in an automated way - this should be an explicit action by the 
administrator. Our default configuration just includes the few most 
widely used schemas.

A couple of thoughts on the rest of the bug:

Schemas are best considered as static data, rather than user-editable 
configuration. From this perspective, /usr is the right place for them.  
(In fact, we have a long-term wishlist item of moving the default 
schemas away from /etc, too.)

Shipping your schema uncompressed would be one way to reduce friction 
for slapd administrators but of course has a cost in disk space. I do 
think shipping the .ldif in addition to the .schema will already be a 
major usability improvement, so thanks for doing that!

Ryan
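The "manually process it" step Sam describes, written out as an added example (not code from the thread or from either package): convert the legacy .schema file shipped under /usr/share/doc into a cn=config LDIF with slaptest, then strip the instance-specific operational attributes slaptest writes so the result can be loaded with ldapadd. The file names /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz and /etc/ldap/schema/core.schema and the function names are assumptions.

```shell
#!/bin/sh
# Added example; paths below are assumptions, not taken from the thread.

# clean_schema_ldif: read the cn={N}name.ldif that slaptest generates on
# stdin and write an LDIF suitable for "ldapadd" under cn=schema,cn=config.
# slaptest stores the entry as an RDN with an ordering prefix plus the
# operational attributes of its own temporary database; both must go.
clean_schema_ldif() {
    sed -e 's/^dn: cn=[{][0-9]*[}]\([^,]*\)$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: [{][0-9]*[}]/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# convert_schema: $1 = path to a .schema or .schema.gz file, $2 = the schema
# name to use in cn=config. Writes $2.ldif in the current directory.
# Requires slaptest (slapd package); the schema must only reference
# syntaxes and matching rules that core.schema provides.
convert_schema() {
    src=$1; name=$2
    tmp=$(mktemp -d) || return 1
    case "$src" in
        *.gz) zcat "$src" > "$tmp/$name.schema" || return 1 ;;
        *)    cp "$src" "$tmp/$name.schema" || return 1 ;;
    esac
    # Minimal slapd.conf: core schema first, then the one being converted.
    printf 'include /etc/ldap/schema/core.schema\ninclude %s\n' \
        "$tmp/$name.schema" > "$tmp/slapd.conf"
    mkdir "$tmp/slapd.d"
    slaptest -f "$tmp/slapd.conf" -F "$tmp/slapd.d" >/dev/null || return 1
    clean_schema_ldif < "$tmp/slapd.d/cn=config/cn=schema/"cn=*"$name.ldif" \
        > "$name.ldif"
    rm -rf "$tmp"
}

# Usage, as root on the host running slapd (assumed file name):
#   convert_schema /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz kerberos
#   ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif
```

Loading a schema this way is a one-off administrative action; re-running ldapadd for a schema that is already present fails with "Already exists" rather than updating it.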
