[Pkg-openldap-devel] Bug#829749: Is there a better way to handle Kerberos ldap configuration
Ryan Tandy
ryan at nardis.ca
Tue Jul 17 02:47:27 BST 2018
On Mon, Jul 16, 2018 at 08:08:41PM -0400, Sam Hartman wrote:
> Ryan> What do you mean by "support"? I would be reluctant to add new
> Ryan> schemas in an automated way - this should be an explicit
> Ryan> action by the administrator. Our default configuration just
> Ryan> includes the few most widely used schemas.
>
>So, I agree administrator action should be required.
>However, especially with the schema managed over the ldap protocol, I
>find the process of updating a schema moderately tedious.
>Mostly I'm wondering if you have considered helping the administrator
>out by having a simple command they can run to enable a schema once they
>have decided to do so.

I had not, actually. Assuming our default slapd configuration, adding a
schema is just:

ldapadd -H ldapi:// -Y EXTERNAL -f /path/to/schema.ldif

Is that the command you suggest could be automated, or is there more to
your process than that? I appreciate your feedback and will definitely
consider it - just want to make sure I've understood you correctly.

My only issue with a wrapper script (or such) is that authenticating to
the config DB with SASL EXTERNAL is merely a default, not something we
can assume in general... I don't know how commonly users change that
default, but I know it does happen.

Ryan