OpenLDAP-DIT
Launchpad Entry: server-maverick-openldap-dit
Created: Adam Sommer
Contributors:
Packages affected: slapd, openldap-dit
Summary
Provide a method to create a basic level DIT for OpenLDAP. The openldap-dit project currently has a script that provides a very extensive DIT. This spec will cover using either the openldap-dit package or a version of it to provide a basic DIT for OpenLDAP.
Release Note
TBD
Rationale
The slapd package no longer has the ability to create a basic level Directory Information Tree, which is a burden for users not very familiar with OpenLDAP. This can also be seen as a regression from previous versions of the package.
The current slapd package is not very useful for a substantial amount of users because it does not provide a basic level DIT.
User stories
From bug 442498:
The lack of a simple way of setting up a working basic ldap-service is a serious problem. I've basically resigned to either using a really old package that's not broken in this way or just forgetting about ldap in ubuntu. What's the reasoning behind upgrading a package from "too old" to "unusable"?
Also from Derek Simkowiak:
In my opinion, the new (useless) slapd package should not have shipped until the accompanying slapd-dit was ready. It basically broke LDAP for everyone but experts, and now Mathias doesn't have time to fix it. Mathias, can you make slapd-dit a priority? It's been several months since a usable slapd has been available for Ubuntu.
Assumptions
The openldap-dit-setup.sh can be modified to provide only a base level DIT.
Design
- Create an openldap-dit-core package that will create a very basic DIT.
- Create openldap-dit-$service packages for adding modules, schemas, ACLs, etc. for additional services:
  - openldap-dit-userandgroups
  - openldap-dit-replication
  - openldap-dit-samba
  - openldap-dit-mit-kerberos
  - openldap-dit-sudo
  - openldap-dit-postfix
  - openldap-dit-dns
  - openldap-dit-dhcp
  - openldap-dit-autofs
- Use a standard directory structure and file names for the needed LDIF files to allow easy addition of new services.
Implementation
- Get the openldap-dit-split branch, or a version of it, merged into the openldap-dit trunk branch.
- Create a directory for each service containing $service-dit.ldif, $service-modules.ldif, $service-acls.ldif, etc.
- Migrate the openldap-dit.sh script to a postinst script.
- Use debconf to prompt the user for the domain and admin password in the openldap-dit-core package.
- The postinst should check the current DIT before adding additional modules, ACLs, etc.
UI Changes
- openldap-dit-setup.sh will be integrated into the postinst scripts of the various openldap-dit-$service packages.
- Maybe a new script will be able to set up syncing in a few quick commands.
Code Changes
- Migrate openldap-dit-setup.sh to package postinst.
Migration
Test/Demo Plan
- Install slapd and ldap-utils packages.
- Install the openldap-dit package.
- Execute the /usr/share/slapd/openldap-dit/openldap-dit-setup.sh script.
- Upon successful completion of the script a basic DIT should be created.
- View the Directory with: ldapsearch -xLLL -b $suffix
  - $suffix will be determined by the host's domain name, or manually entered by the user.
Unresolved issues
BoF agenda and discussion
- Discuss direction of openldap-dit project.
- Propose to modularize openldap-dit-setup.sh. - Approved.
- Determine what objects are needed for a base level DIT. - Did some, but may need more discussion or clarification.
- Are there ways to integrate DIT creation/management with puppet? - Probably not needed, since it will be done in postinst.
- Design the tool like quickly, rails, etc. to have short command line options to build the DIT. - Design is to use package postinst scripts to add the DITs.
- Recommend the base DIT follow rfc2307bis.
- Where did the rfc2307bis.ldif file come from? Was it part of another package?
- The current Server Guide uses nis.ldif, but rfc2307bis.ldif is a better way to go.
- Create the base DIT during openldap-dit package installation.
- IDMap is Samba specific and can be moved into the Samba service.
- Hosts is for Samba.
- Check for System Accounts and System Groups before adding more service DITs.
- Another script to create the replicator DIT.
- openldap-dit-core (depends on slapd) - creates the suffix during package install
  - user-group
  - kerberos
  - dhcp
  - dns
- Move database LDIFs to the acls directory. Done in revision 68.
- Provide best practices for developing DIT modules.
- Standard way to provide schemas, modules, overlays, ACLs, and base DIT structures.
- Divide the openldap-dit package into openldap-$service packages.
- Add the local sudo auth string to the first ACL of the frontend DIT.
- To modify the ACL for a new service:
  - LDAP search for the ACL to find the last index number using grep -c.
  - Do ldapmodify to replace the last number with the new ACL.
- Actions
  - Create openldap-dit-core package.
  - Create openldap-dit-usergroup package.
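The two-step ACL update for a new service (count the current olcAccess values with grep -c, then ldapmodify), written out as an added example that is not part of this spec or of the openldap-dit project. The ldapsearch output is constructed, and the database DN olcDatabase={1}hdb,cn=config and the sudo attribute rule are assumptions; the script only generates the LDIF and refuses when the last rule is not the catch-all "to *" rule.

```shell
#!/bin/sh
# Added example (not from the spec or the openldap-dit project).
# Constructed sample of what an ldapsearch against cn=config for the
# olcAccess attribute might return; the database DN (assumed to be the
# Ubuntu default olcDatabase={1}hdb,cn=config) and the rules are made up.
SAMPLE_ACLS='dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read'

# Step 1 of the spec: count the existing olcAccess values with grep -c.
# Argument: the LDIF text returned by ldapsearch.
acl_count() {
  printf '%s\n' "$1" | grep -c '^olcAccess:'
}

# Index of the last rule; olcAccess values are numbered {0}..{N-1}.
last_acl_index() {
  echo $(( $(acl_count "$1") - 1 ))
}

# Guard: only proceed if the last rule really is the catch-all "to *";
# otherwise the service rule would land behind a more specific one.
last_rule_is_catchall() {
  idx=$(last_acl_index "$1")
  printf '%s\n' "$1" | grep -q "^olcAccess: {$idx}to \* "
}

# Step 2 of the spec: emit the LDIF for ldapmodify.  Adding an olcAccess
# value with an explicit {N} index makes slapd insert it at position N
# and renumber the following values, so the old catch-all stays last.
# Usage: service_acl_ldif DB_DN "$ldapsearch_output" "to attrs=... by ..."
service_acl_ldif() {
  db_dn=$1
  acls=$2
  rule=$3
  if ! last_rule_is_catchall "$acls"; then
    echo "refusing: last olcAccess of $db_dn is not a catch-all rule" >&2
    return 1
  fi
  idx=$(last_acl_index "$acls")
  printf 'dn: %s\nchangetype: modify\nadd: olcAccess\nolcAccess: {%s}%s\n' \
    "$db_dn" "$idx" "$rule"
}

# Feed the result to: ldapmodify -Y EXTERNAL -H ldapi:/// -f service-acl.ldif
service_acl_ldif 'olcDatabase={1}hdb,cn=config' "$SAMPLE_ACLS" \
  'to attrs=sudoOption,sudoCommand by * read'
```

Before applying the generated LDIF on a real server, run the same ldapsearch again right before ldapmodify, since the index is only valid for the ACL set it was counted from.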
OpenLDAP-DIT (last edited 2010-06-08 13:29:31 by cOn244)