Re: Advice for distributing schemas for OpenLDAP

[Howard Chu <hyc@symas.com>]

ghudson@mit.edu wrote:
> MIT krb5 has an LDAP back end for its KDC, which uses its own schema.
> Currently, we distribute just a .schema file for OpenLDAP, which isn't
> very friendly to a DS using back-config and slapd.d.  I have some
> questions about how we might do better.
> 
> 1. For initial installs, I take it we should distribute a .ldif file
> which can be loaded with ldapadd.  If we continue to use our .schema
> file as the master source file for the time being, then I assume we'll
> want to convert that to the .ldif file using slaptest.

You could just convert them manually, as documented in the openldap.ldif file.

> If we do that,
> should we remove the {n} prefix from the cn of the converted output,
> along with the metadata entries at the end, to match the style of the
> .ldif files in servers/slapd/schema?

Yes. As the Admin Guide and slapd-config(5) manpage already state, prefixes
are generated automatically. You should not set them yourself on newly added data.

> 2. If someone is upgrading to a version of krb5 which has new stuff
> added to the schema, how should we facilitate that upgrade?  I don't
> think the .ldif file mentioned above would be of much use, since
> ldapadd will refuse to change an existing entry and ldapmodify wants
> to see change records.

Put the additions into a new schema file/object. It's against standard
practices to modify published schema.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/