Hi Petter, On Mo 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:
[Mike Gabriel]The slapcat tool is an offline administration tool for LDAP and should not be used for day-to-day online tasks.Care to explain this argument a bit more? I fail to see why slapcat should have a different status from any other tools available, for use in day-to-day tasks as the developer see fit.
When using slapcat, you always dump the full local DB rather than searching for what you are looking for and leave the search to the DB.
The loop quoted below dumps the full LDAP db for each host listed in /etc/debian-edu/host-keytabs. This is something between 80-100 hosts here. And this happens whenever the admin clicks "OK" on a GOsa system (for modifications). So, this scales badly.
Is there some other reason not to use slapcat, in addition to it 'should not be used for day-to-day online tasks'?
The script runs as "root" and everything in LDAP gets shown to the script with slapcat (and is grepped out, but still). Furthermore, the full DB gets dumped several times repetetively and the script runs (after clicking "OK" on a GOsa system) whenever a host gets modified (which causes a long delay on a populated school LDAP DB.
Note, I have no idea why slapcat is used in the script to locate hosts: # cleanup from leftover host principals and keytab file:for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed 's#.intern.keytab##') ; doif slapcat | grep $i | grep -q dhcp ; then : else kadmin.local delprinc host/$i.intern@INTERN kadmin.local delprinc nfs/$i.intern@INTERN rm /etc/debian-edu/host-keytabs/$i.intern.keytab fi done
Using slapcat here is wrong, it should be proper LDAP db queries with specific search pattern.
I have no idea why Wolfgang decided to use slapcat instead of ldapsearch here. Perhaps to make sure he is operating on the local LDAP database, or because he did not have the LDAP connection details available in the script?
IMHO, the LDAP db will answer anonymous queries just right when it comes to DHCP hosts.
@Wolfgang: feedback? Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: firstname.lastname@example.org, http://das-netzwerkteam.de
Description: Digitale PGP-Signatur