ghudson@mit.edu wrote:
> MIT krb5 has an LDAP back end for its KDC, which uses its own schema. Currently, we distribute just a .schema file for OpenLDAP, which isn't very friendly to a DS using back-config and slapd.d. I have some questions about how we might do better.
>
> - For initial installs, I take it we should distribute a .ldif file which can be loaded with ldapadd. If we continue to use our .schema file as the master source file for the time being, then I assume we'll want to convert that to the .ldif file using slaptest.
You could just convert them manually, as documented in the openldap.ldif file.
> If we do that, should we remove the {n} prefix from the cn of the converted output, along with the metadata entries at the end, to match the style of the .ldif files in servers/slapd/schema?
Yes. As the Admin Guide and slapd-config(5) manpage already state, prefixes are generated automatically. You should not set them yourself on newly added data.
> - If someone is upgrading to a version of krb5 which has new stuff added to the schema, how should we facilitate that upgrade? I don't think the .ldif file mentioned above would be of much use, since ldapadd will refuse to change an existing entry and ldapmodify wants to see change records.
Put the additions into a new schema file/object. It's against standard practices to modify published schema.
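The post-processing step discussed above (take the cn={n}name.ldif that slaptest writes into slapd.d, remove the {n} ordering prefixes and the operational attributes at the end, and give the dn the cn=schema,cn=config suffix used by the files in servers/slapd/schema) is mechanical enough to script. The following Python is an added example for this thread, not code from MIT krb5 or OpenLDAP. The input is a constructed slaptest-style entry with an invented attribute and object class under a placeholder OID arc (1.3.6.1.4.1.99999); the real krb5 schema is not reproduced here.

```python
import re

# Server-generated operational attributes that slaptest/slapcat append to every
# cn=config entry.  They are NO-USER-MODIFICATION, so ldapadd rejects an entry
# that carries them; a distributable schema LDIF must leave them out.
OPERATIONAL_ATTRS = frozenset({
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "entrycsn", "modifiersname", "modifytimestamp",
})

# slapd's ordering prefix: "{4}" in "cn={4}kerberos", or "{0}" in front of an
# olcAttributeTypes value.  Both patterns are anchored at the start so that a
# SYNTAX length qualifier such as "...1.15{256}" inside a definition is untouched.
RDN_PREFIX = re.compile(r"^cn=\{\d+\}", re.IGNORECASE)
VALUE_PREFIX = re.compile(r"^\{\d+\}")

SCHEMA_SUFFIX = "cn=schema,cn=config"

# Constructed sample of what slaptest writes to slapd.d/cn=config/cn=schema/.
# Placeholder OID arc and invented names; not the MIT krb5 schema.
SAMPLE_SLAPTEST_OUTPUT = """\
dn: cn={4}kerberos
objectClass: olcSchemaConfig
cn: {4}kerberos
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'exampleKrbAttr' DESC 'const
 ructed sample attribute' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.15{256} SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.1.2 NAME 'exampleKrbClass' SUP top AUX
 ILIARY MAY exampleKrbAttr )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20240101000000Z
entryCSN: 20240101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20240101000000Z
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def clean_schema_entry(slaptest_ldif):
    """Convert one slaptest-written cn={n}<name>.ldif entry into the style of the
    schema LDIF files shipped with OpenLDAP: no {n} ordering prefixes, no
    operational attributes, dn placed under cn=schema,cn=config.
    Returns the cleaned entry as a list of unfolded LDIF lines."""
    cleaned = []
    for line in unfold_ldif(slaptest_ldif):
        if not line.strip() or line.startswith("#"):
            cleaned.append(line)
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attr = attr.strip()
        attr_l = attr.lower()
        if attr_l in OPERATIONAL_ATTRS:
            continue                      # drop server-generated metadata
        if value.startswith(":") or value.startswith("<"):
            cleaned.append(line)          # base64 / URL forms carry no prefix
            continue
        value = value.strip()
        if attr_l == "dn":
            value = RDN_PREFIX.sub("cn=", value)
            if not value.lower().endswith(SCHEMA_SUFFIX):
                value = "%s,%s" % (value, SCHEMA_SUFFIX)
        else:
            value = VALUE_PREFIX.sub("", value)
        cleaned.append("%s: %s" % (attr, value))
    return cleaned


def to_ldif(lines):
    """Render cleaned lines as LDIF text, ready for ldapadd -Y EXTERNAL -H ldapi:///."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ldif(clean_schema_entry(SAMPLE_SLAPTEST_OUTPUT)), end="")
```

The result is an entry that ldapadd can load on a fresh server; slapd assigns the {n} prefixes itself on insertion, which is why none should survive in the distributed file. For the upgrade case the reply addresses, the same cleaning applies to the separate schema file that holds the additions, since it becomes its own entry under cn=schema,cn=config rather than a modification of the published one.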