Re: Advice for distributing schemas for OpenLDAP
ghudson@mit.edu wrote:
> MIT krb5 has an LDAP back end for its KDC, which uses its own schema.
> Currently, we distribute just a .schema file for OpenLDAP, which isn't
> very friendly to a DS using back-config and slapd.d. I have some
> questions about how we might do better.
>
> 1. For initial installs, I take it we should distribute a .ldif file
> which can be loaded with ldapadd. If we continue to use our .schema
> file as the master source file for the time being, then I assume we'll
> want to convert that to the .ldif file using slaptest.
You could just convert them manually, as documented in the openldap.ldif file.
> If we do that,
> should we remove the {n} prefix from the cn of the converted output,
> along with the metadata entries at the end, to match the style of the
> .ldif files in servers/slapd/schema?
Yes. As the Admin Guide and slapd-config(5) manpage already state, prefixes
are generated automatically. You should not set them yourself on newly added data.
> 2. If someone is upgrading to a version of krb5 which has new stuff
> added to the schema, how should we facilitate that upgrade? I don't
> think the .ldif file mentioned above would be of much use, since
> ldapadd will refuse to change an existing entry and ldapmodify wants
> to see change records.
Put the additions into a new schema file/object. It's against standard
practices to modify published schema.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
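
The cleanup discussed in point 1, as an added example that is not part of the original thread or of the krb5 or OpenLDAP sources: it takes the text of the single `cn={n}name.ldif` file that a slaptest conversion leaves in the output directory, drops the operational (metadata) attributes, and removes the `{n}` ordering prefixes. The function names, the schema name `example` and the OID are hypothetical; stripping `{n}` from the `olcAttributeTypes`/`olcObjectClasses` values goes one step beyond the question and follows the reply's point that prefixes are generated automatically.

```python
import re

# Operational ("metadata") attributes slapd adds to entries under slapd.d.
OPERATIONAL = {"structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
               "entrycsn", "modifiersname", "modifytimestamp"}
ORDERED = {"cn", "olcattributetypes", "olcobjectclasses"}
ORDER_PREFIX = re.compile(r"^\{\d+\}")

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def clean_schema_ldif(text):
    """Turn one converted entry into a distributable LDIF with a full, prefix-free DN."""
    out = []
    for line in unfold(text):
        if not line or line.startswith("#"):
            continue  # blank lines and slapd's generated comments
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError("needs manual review: %r" % line)  # malformed or base64
        key, value = attr.lower(), value.strip()
        if key in OPERATIONAL:
            continue
        if key == "dn":
            name = ORDER_PREFIX.sub("", value.split(",")[0].split("=", 1)[1])
            value = "cn=%s,cn=schema,cn=config" % name
        elif key in ORDERED:
            value = ORDER_PREFIX.sub("", value)
        out.append("%s: %s" % (attr, value))
    return "\n".join(out) + "\n"

# Constructed sample (hypothetical schema name and OID), shaped like slaptest output
SAMPLE = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: cn={4}example
objectClass: olcSchemaConfig
cn: {4}example
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1 NAME 'exampleAttr' EQUALITY case
 ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
entryUUID: 00000000-0000-0000-0000-000000000000
entryCSN: 20000101000000.000000Z#000000#000#000000
"""
```

Base64-encoded values (`attr::`) are rejected rather than rewritten, so anything unusual in the converted file is looked at by hand before the LDIF is shipped.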