
Bug#935080: slapcat used in gosa hook script gosa-modify-host

Hi Petter,

On Mon 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:

[Mike Gabriel]
The slapcat tool is an offline administration tool for LDAP and should
not be used for day-to-day online tasks.

Care to explain this argument a bit more?  I fail to see why slapcat
should have a different status from any other tools available, for use
in day-to-day tasks as the developer sees fit.

When using slapcat, you always dump the full local DB rather than searching for what you are looking for and leaving the search to the DB.

The loop quoted below dumps the full LDAP db for each host listed in /etc/debian-edu/host-keytabs. This is something between 80-100 hosts here. And this happens whenever the admin clicks "OK" on a GOsa system (for modifications). So, this scales badly.

Is there some other reason not to use slapcat, in addition to it 'should
not be used for day-to-day online tasks'?

The script runs as "root" and everything in LDAP gets shown to the script with slapcat (and is grepped out, but still). Furthermore, the full DB gets dumped several times repetitively and the script runs (after clicking "OK" on a GOsa system) whenever a host gets modified (which causes a long delay on a populated school LDAP DB).

Note, I have no idea why slapcat is used in the script to locate hosts:

# cleanup from leftover host principals and keytab file:
for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; do
    if slapcat | grep $i | grep -q dhcp ; then
        kadmin.local delprinc host/$i.intern@INTERN
        kadmin.local delprinc nfs/$i.intern@INTERN
        rm /etc/debian-edu/host-keytabs/$i.intern.keytab

Using slapcat here is wrong; it should be proper LDAP db queries with a specific search pattern.

I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
here.  Perhaps to make sure he is operating on the local LDAP database,
or because he did not have the LDAP connection details available in the

IMHO, the LDAP db will answer anonymous queries just right when it comes to DHCP hosts.

@Wolfgang: feedback?


c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
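
The kind of targeted query the message calls for, as an added example that is not part of the original mail or of the gosa-modify-host script: it asks the server anonymously for one DHCP host entry per keytab instead of dumping the whole database as root, and it matches the host name exactly rather than by substring. The `dhcpHost` object class as the marker for DHCP hosts, the `cn=<short host name>` naming, the `LDAP_BASE` placeholder and the function names are assumptions.

```shell
#!/bin/sh
# Added example: targeted, anonymous LDAP lookups instead of `slapcat | grep`.
# Assumptions (not from the thread): DHCP hosts are objectClass=dhcpHost
# entries with cn=<short host name>; LDAP_BASE is a placeholder value.
LDAP_BASE="${LDAP_BASE:-dc=example,dc=org}"

# Escape a value for use in an LDAP search filter (RFC 4515), so a file
# name containing \ * ( or ) cannot widen or alter the search.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Succeeds if the directory holds a DHCP host entry for exactly this name.
# -x: simple (anonymous) bind; -LLL: bare LDIF; 1.1: return DNs only.
host_has_dhcp_entry() {
    filter="(&(objectClass=dhcpHost)(cn=$(ldap_escape "$1")))"
    ldapsearch -x -LLL -b "$LDAP_BASE" "$filter" 1.1 2>/dev/null | grep -q '^dn:'
}

# Print the host names under keytab directory $1 that have a DHCP entry.
dhcp_hosts_with_keytab() {
    for f in "$1"/*.intern.keytab; do
        [ -e "$f" ] || continue      # empty directory: the glob did not match
        h=$(basename "$f" .intern.keytab)
        if host_has_dhcp_entry "$h"; then
            printf '%s\n' "$h"
        fi
    done
}
```

Each lookup returns at most the DNs of matching entries, so the script never sees unrelated LDAP content and the server's indexes do the searching.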
