
Re: Fwd: Re: Make /etc/default/slapd automatically configurable



On Sun, Aug 08, 2010 at 05:59:15PM +0200, Luk Claes wrote:
> Hi
> 
> Can someone more involved with Debian Edu have a look at this, TIA?

[...]

> This bug is open for a long time now, what reasonable defaults are
> needed for debian-edu ?
> 
> I've attached the default file currently shipped with OpenLDAP.

[...]

Here are the modifications needed/done by debian-edu: 

> # Default location of the slapd.conf file. If empty, use the compiled-in
> # default (/etc/ldap/slapd.conf). If using the cn=config backend to store
> # configuration in LDIF, set this variable to the directory containing the
> # cn=config data.
> SLAPD_CONF=
> 
> # System account to run the slapd server under. If empty the server
> # will run as root.
> SLAPD_USER="openldap"
> 
> # System group to run the slapd server under. If empty the server will
> # run in the primary group of its user.
> SLAPD_GROUP="openldap"
> 
> # Path to the pid file of the slapd server. If not set the init.d script
> # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
> # default)
> SLAPD_PIDFILE=
> 
> # slapd normally serves ldap only on all TCP-ports 389. slapd can also
> # service requests on TCP-port 636 (ldaps) and requests via unix
> # sockets.
> # Example usage:
> # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
> SLAPD_SERVICES="ldap:/// ldapi:///"

We currently add the deprecated ldaps:/// protocol here:

SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"

It would be nice if we would not need ldaps and could only use
TLS. This has to be checked.

> # If SLAPD_NO_START is set, the init script will not start or restart
> # slapd (but stop will still work).  Uncomment this if you are
> # starting slapd via some other means or if you don't want slapd normally
> # started at boot.
> #SLAPD_NO_START=1
> 
> # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
> # the init script will not start or restart slapd (but stop will still
> # work).  Use this for temporarily disabling startup of slapd (when doing
> # maintenance, for example, or through a configuration management system)
> # when you don't want to edit a configuration file.
> SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
> 
> # For Kerberos authentication (via SASL), slapd by default uses the system
> # keytab file (/etc/krb5.keytab).  To use a different keytab file,
> # uncomment this line and change the path.
> #export KRB5_KTNAME=/etc/krb5.keytab

We add: 
KRB5_KTNAME=/etc/krb5.keytab.ldap; export KRB5_KTNAME
here. We do not use the default keytab file because the user openldap
needs to have read permissions on that file.

> # Additional options to pass to slapd
> SLAPD_OPTIONS=""
> 
We use: 
SLAPD_OPTIONS="-4"
here, which might be there for traditional reasons.

I am currently not able to test the entries as I have no debian-edu
installation around for the time being.

Best regards,

     Andi
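As an added example (not from the mail or from the slapd package), a small POSIX sh checker for the settings discussed above: it sources a /etc/default/slapd-style file in a subshell and flags an empty SLAPD_USER, an ldaps:/// listener, and a KRB5_KTNAME keytab that is missing, world-readable, or not owned by SLAPD_USER. The function names, the temporary file paths and the demo file contents are constructed for this example.

```shell
#!/bin/sh
# Sanity-check a /etc/default/slapd-style file; prints one finding per line.
# Usage: check_slapd_defaults /etc/default/slapd
check_slapd_defaults() {
    defaults="$1"
    [ -r "$defaults" ] || { echo "ERROR: cannot read $defaults"; return 1; }
    # Source the file in a subshell so its variables never leak into the caller.
    (
        SLAPD_USER=""; SLAPD_SERVICES=""; KRB5_KTNAME=""
        . "$defaults"
        # An empty SLAPD_USER makes the init script run slapd as root.
        [ -n "$SLAPD_USER" ] || echo "WARN: SLAPD_USER is empty, slapd would run as root"
        # ldaps:/// (port 636) is the deprecated way to get TLS; StartTLS on ldap:/// covers it.
        case " $SLAPD_SERVICES " in
            *"ldaps://"*) echo "INFO: ldaps:/// is enabled; StartTLS on ldap:/// may suffice" ;;
        esac
        # A dedicated keytab must exist and be readable by SLAPD_USER, not by everyone.
        if [ -n "$KRB5_KTNAME" ]; then
            if [ ! -f "$KRB5_KTNAME" ]; then
                echo "WARN: keytab $KRB5_KTNAME does not exist"
            else
                owner=$(ls -ld "$KRB5_KTNAME" | awk '{print $3}')
                other_r=$(ls -ld "$KRB5_KTNAME" | cut -c8)   # 8th char = "other" read bit
                [ "$owner" = "$SLAPD_USER" ] || echo "WARN: keytab $KRB5_KTNAME is owned by $owner, not $SLAPD_USER"
                [ "$other_r" != "r" ] || echo "WARN: keytab $KRB5_KTNAME is world-readable"
            fi
        fi
        echo "OK: checked $defaults"
    )
}

# Constructed demo: the debian-edu settings from the mail, with the keytab path
# pointed at a temporary file so the check runs anywhere (hypothetical paths).
demo_debian_edu_defaults() {
    dir=$(mktemp -d)
    cat > "$dir/slapd" <<EOF
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
KRB5_KTNAME=$dir/krb5.keytab.ldap; export KRB5_KTNAME
SLAPD_OPTIONS="-4"
EOF
    : > "$dir/krb5.keytab.ldap"; chmod 644 "$dir/krb5.keytab.ldap"   # deliberately too open
    check_slapd_defaults "$dir/slapd"
    rm -rf "$dir"
}
demo_debian_edu_defaults
```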

