[Pkg-openldap-devel] Is there a better way to handle Kerberos ldap configuration

Sam Hartman hartmans at debian.org
Tue Jul 17 01:08:41 BST 2018


>>>>> "Ryan" == Ryan Tandy <ryan at nardis.ca> writes:

    Ryan> Hi Sam,
    Ryan> On Mon, Jul 16, 2018 at 05:02:34PM -0400, Sam Hartman wrote:
    >> Mostly for the slapd maintainer.  Currently krb5-kdc-ldap ships
    >> an OpenLDAP schema file for the Kerberos schema.  I just noticed
    >> that we don't ship the ldif file for the newer format slapd
    >> config and will be fixing that in my next upload.

    Ryan> Great, thanks!

    >> Currently in order to take advantage of either, the administrator
    >> needs to grab the schema or ldif out of
    >> /usr/share/doc/krb5-kdc-ldap and manually process it.

    Ryan> Yes.

    >> Is there some way we could do better than this?  How do we handle
    >> optional schemas in Debian?  If we don't have a better way, would
    >> you consider a patch to support the Kerberos schema in the Debian
    >> slapd package?

    Ryan> What do you mean by "support"? I would be reluctant to add new
    Ryan> schemas in an automated way - this should be an explicit
    Ryan> action by the administrator. Our default configuration just
    Ryan> includes the few most widely used schemas.

So, I agree administrator action should be required.
However, especially with the schema managed over the ldap protocol, I
find the process of updating a schema moderately tedious.
Mostly I'm wondering if you have considered helping the administrator
out by having a simple command they can run to enable a schema once they
have decided to do so.

    Ryan> A couple of thoughts on the rest of the bug:

    Ryan> Schemas are best considered as static data, rather than
    Ryan> user-editable configuration. From this perspective, /usr is
    Ryan> the right place for them.  (In fact, we have a long-term
    Ryan> wishlist item of moving the default schemas away from /etc,
    Ryan> too.)

Agreed.

    Ryan> Shipping your schema uncompressed would be one way to reduce
    Ryan> friction for slapd administrators but of course has a cost in
    Ryan> disk space. I do think shipping the .ldif in addition to the
    Ryan> .schema will already be a major usability improvement, so
    Ryan> thanks for doing that!

Oh definitely; it was a bug we weren't doing so.  I noticed we were
shipping an ldif, but forgot it was the Novell eDirectory format not the
OpenLDAP format.
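As an illustration of the "simple command to enable a schema" idea discussed above, here is an added shell script (not code from the thread, krb5-kdc-ldap or the slapd package) that checks whether a schema is already present in cn=schema,cn=config and loads the shipped LDIF only if it is not. The file path and the schema name are assumptions; the {N} prefix on schema entries is what makes a naive string match unreliable.

```shell
#!/bin/sh
# Assumed location of the gzipped OpenLDAP LDIF shipped by krb5-kdc-ldap
# (hypothetical path; adjust to whatever the package actually installs).
SCHEMA_LDIF_GZ="${SCHEMA_LDIF_GZ:-/usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz}"
SCHEMA_NAME="${SCHEMA_NAME:-kerberos}"

# List the cn of every schema loaded into cn=config, authenticating as the
# local root identity over ldapi:// (the usual way on Debian, no password).
list_loaded_schemas() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config \
        '(objectClass=olcSchemaConfig)' cn
}

# Read ldapsearch output on stdin; succeed if a schema named $1 is present.
# Loaded schemas appear as "cn: {4}kerberos", where {N} is slapd's ordering
# index, so the match must allow any index and anchor on the bare name.
schema_in_output() {
    grep -Eq "^cn: \{[0-9]+\}$1\$"
}

# Idempotent enable: re-running this is safe, it adds the schema only once.
enable_schema() {
    if list_loaded_schemas | schema_in_output "$SCHEMA_NAME"; then
        echo "schema '$SCHEMA_NAME' already loaded; nothing to do"
        return 0
    fi
    if [ ! -r "$SCHEMA_LDIF_GZ" ]; then
        echo "cannot read $SCHEMA_LDIF_GZ" >&2
        return 1
    fi
    # Decompress and feed the LDIF straight to ldapadd; ldapadd exits
    # non-zero on any error, so a failed load is reported, not hidden.
    zcat "$SCHEMA_LDIF_GZ" | ldapadd -Q -Y EXTERNAL -H ldapi:///
}
```

Run `enable_schema` as root on the slapd host after deciding the schema should be enabled; the check step lets the same script be re-run from a maintainer script or configuration management without creating duplicate entries.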
