Re: knowing which schema(s) to use
- To: Turbo Fredriksson <turbo@bayour.com>
- Subject: Re: knowing which schema(s) to use
- From: Prentice Bisbal <pbisbal@pppl.gov>
- Date: Wed, 17 May 2017 15:51:23 -0400
- Cc: openldap-technical@openldap.org
- Content-language: en-US
- In-reply-to: <A256BA6F-6E97-468D-8478-DE206875E7D4@bayour.com>
- References: <2c2e846e-086d-d8a2-a110-18d9e92c5c9c@pppl.gov> <A256BA6F-6E97-468D-8478-DE206875E7D4@bayour.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0
On 05/17/2017 05:03 AM, Turbo Fredriksson wrote:
> On 16 May 2017, at 20:23, Prentice Bisbal <pbisbal@pppl.gov> wrote:
>> I think many system admins would say just copy the schemas from the old server to the new server and forget about it, but I don't think this is a good approach.
>
> That’s what I do. I agree, on a theoretical level, that that might not be the best
> way to do it, but it sure is the simplest :). I have way too much to do anyway, so
> if I can take the easy way for once, I’ll take it.

The way I look at it, it's better to address this problem head-on and
fix it now (if it in fact needs fixing), than wait until my schemas are
so old that when I upgrade my directory clients something breaks
because my schemas are so old and obsolete that they're no longer
compatible with the client applications like SSSD, etc. In that
scenario, I see bosses and users screaming at me, asking why the upgrade
led to problems...

Although to be honest, I don't think schemas really change very often.

> As far as other applications using LDAP and any attribute in there, they are (should
> be!) configurable. For example, LibNSS-LDAP and LibPAM-LDAP all let you configure
> what attributes to use for what.

Very true, but I'd rather fix the schema in one place, rather than fix
all my applications, which could have config files with various syntaxes
all over /etc.

> I’m sure there’s a reason for changing 'krbPrincipal' to ‘krbPrincipalAux’,
> but personally I don’t care. The former works for me.

I think Ryan Tandy nailed it - one's for Heimdal Kerberos, the other is
for MIT Kerberos. I need to dig into this further to confirm for myself,
though.

>> 2. Who/what is the authoritative source for current schema definitions? Are they all defined in RFCs?
>
> Probably not all. MINE isn’t. But I do have a registered IANA, so from the schema's
> attribute or objectclass OID, it should be “reasonably” easy to match the two and find
> out who wrote it and from there you might be able to get a later version.
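The tracing step described at the end of the thread (read the OID of each attribute or objectclass, see which IANA enterprise number it sits under, and from that work out who owns the schema) can be automated. The script below is an added example written for this page, not code from the thread or from OpenLDAP. It parses slapd.conf-style `attributetype`/`objectclass` definitions, joins continuation lines, and groups every declared OID by the Private Enterprise Number under the IANA arc 1.3.6.1.4.1. The sample schema text, the enterprise number 99999 and the OIDs beneath it are constructed placeholders; the one real OID used (2.5.6.7, organizationalPerson) is there only to show a definition outside the private-enterprise arc. Mapping a number to its registrant is left to the reader, against the IANA enterprise-numbers registry.

```python
"""Inventory the OIDs declared in an OpenLDAP schema file and report which
IANA Private Enterprise Number (the 1.3.6.1.4.1.<PEN> arc) each one sits
under, so a locally written schema can be traced back to its owner.
Added example; the schema text below is constructed, not a real schema."""
import re
from collections import defaultdict

# Root of the IANA private-enterprise arc. A definition beneath it can be
# attributed to whoever registered that enterprise number with IANA.
IANA_PEN_ARC = "1.3.6.1.4.1"

# Constructed sample in slapd.conf schema syntax. Enterprise number 99999
# and everything under it are placeholders, not a real registration.
SAMPLE_SCHEMA = """\
# local schema (constructed for this example)
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleRole'
        DESC 'Role name used by local applications'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME ( 'exampleSite' 'exampleLocation' )
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleAccount'
        SUP top AUXILIARY
        MAY ( exampleRole $ exampleSite ) )

objectclass ( 2.5.6.7 NAME 'organizationalPerson'
        SUP person STRUCTURAL )
"""

_DEF_RE = re.compile(r"^(attributetype|objectclass)\s*\((.*)\)\s*$", re.I | re.S)
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def _logical_lines(text):
    """Drop comment and blank lines and join slapd.conf continuation lines
    (lines that start with whitespace) so each definition is one string."""
    current = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0].isspace() and current:
            current.append(raw.strip())
        else:
            if current:
                yield " ".join(current)
            current = [raw.strip()]
    if current:
        yield " ".join(current)


def parse_schema(text):
    """Return (kind, oid, names) for every attributetype/objectclass found.
    The OID is always the first token inside the parentheses; NAME may be a
    single quoted name or a parenthesised list of quoted names."""
    entries = []
    for line in _logical_lines(text):
        m = _DEF_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1).lower(), m.group(2).strip()
        oid = body.split()[0]
        nm = _NAME_RE.search(body)
        if nm is None:
            names = []
        elif nm.group(1) is not None:
            names = [nm.group(1)]
        else:
            names = re.findall(r"'([^']*)'", nm.group(2))
        entries.append((kind, oid, names))
    return entries


def enterprise_number(oid):
    """Return the PEN an OID is registered under, or None when the OID is
    not in the private-enterprise arc (X.500, RFC-assigned arcs, ...)."""
    prefix = IANA_PEN_ARC + "."
    if not oid.startswith(prefix):
        return None
    first = oid[len(prefix):].split(".")[0]
    return int(first) if first.isdigit() else None


def owners_by_pen(text):
    """Group parsed definitions by enterprise number; the None key collects
    definitions that cannot be attributed through the IANA registry."""
    groups = defaultdict(list)
    for entry in parse_schema(text):
        groups[enterprise_number(entry[1])].append(entry)
    return dict(groups)


if __name__ == "__main__":
    for pen, defs in sorted(owners_by_pen(SAMPLE_SCHEMA).items(), key=str):
        # Look the number up in the IANA enterprise-numbers registry to
        # find the registrant; None means the OID is outside that arc.
        print(f"PEN {pen}:")
        for kind, oid, names in defs:
            print(f"  {kind:<14}{oid:<28}{', '.join(names)}")
```

Run it against a real schema directory by reading each file into `parse_schema` in place of `SAMPLE_SCHEMA`; the output groups the definitions by enterprise number, which is the value to look up in the IANA registry to find out who published the schema and whether a newer revision exists. The parser deliberately takes only the first token as the declared OID, so SYNTAX and other OID references inside a definition are not mistaken for declarations.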