Bug#935080: slapcat used in gosa hook script gosa-modify-host

To: Petter Reinholdtsen <pere@hungry.com>
Cc: 935080@bugs.debian.org
Subject: Bug#935080: slapcat used in gosa hook script gosa-modify-host
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Mon, 19 Aug 2019 13:33:31 +0000
Message-id: <[🔎] 20190819133331.Horde.gwWJpsFi63MXjs9mPXj2u2y@mail.das-netzwerkteam.de>
Reply-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 935080@bugs.debian.org
In-reply-to: <[🔎] sa6a7c5s9tg.fsf@hjemme.reinholdtsen.name>
References: <[🔎] 20190819083037.Horde.B2vO3Q0tcNFxZiYwmHs7RIb@mail.das-netzwerkteam.de> <[🔎] sa6a7c5s9tg.fsf@hjemme.reinholdtsen.name> <[🔎] 20190819083037.Horde.B2vO3Q0tcNFxZiYwmHs7RIb@mail.das-netzwerkteam.de>

Hi Petter,

On  Mo 19 Aug 2019 12:56:11 CEST, Petter Reinholdtsen wrote:

[Mike Gabriel]

The slapcat tool is an offline administration tool for LDAP and should
not be used for day-to-day online tasks.


Care to explain this argument a bit more?  I fail to see why slapcat
should have a different status from any other tools available, for use
in day-to-day tasks as the developer see fit.

When using slapcat, you always dump the full local DB rather thansearching for what you are looking for and leave the search to the DB.

The loop quoted below dumps the full LDAP db for each host listed in/etc/debian-edu/host-keytabs. This is something between 80-100 hostshere. And this happens whenever the admin clicks "OK" on a GOsa system(for modifications). So, this scales badly.

Is there some other reason not to use slapcat, in addition to it 'should
not be used for day-to-day online tasks'?

The script runs as "root" and everything in LDAP gets shown to thescript with slapcat (and is grepped out, but still). Furthermore, thefull DB gets dumped several times repetetively and the script runs(after clicking "OK" on a GOsa system) whenever a host gets modified(which causes a long delay on a populated school LDAP DB.

Note, I have no idea why slapcat is used in the script to locate hosts:

# cleanup from leftover host principals and keytab file:

for i in $(basename -a /etc/debian-edu/host-keytabs/* | sed's#.intern.keytab##') ; do

    if slapcat | grep $i | grep -q dhcp ; then
            :
        else
                kadmin.local delprinc host/$i.intern@INTERN
                kadmin.local delprinc nfs/$i.intern@INTERN
                rm /etc/debian-edu/host-keytabs/$i.intern.keytab
    fi
done

Using slapcat here is wrong, it should be proper LDAP db queries withspecific search pattern.

I have no idea why Wolfgang decided to use slapcat instead of ldapsearch
here.  Perhaps to make sure he is operating on the local LDAP database,
or because he did not have the LDAP connection details available in the
script?

IMHO, the LDAP db will answer anonymous queries just right when itcomes to DHCP hosts.


@Wolfgang: feedback?

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpeBdm15b7k6.pgp
Description: Digitale PGP-Signatur

Reply to:

References:
- Bug#935080: slapcat used in gosa hook script gosa-modify-host
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
- Bug#935080: slapcat used in gosa hook script gosa-modify-host
  - From: Petter Reinholdtsen <pere@hungry.com>

Prev by Date: Bug#935080: slapcat used in gosa hook script gosa-modify-host
Next by Date: Re: debian-edu-doc 2.10.19: Please update debconf PO translation for the package debian-edu-doc
Previous by thread: Bug#935080: slapcat used in gosa hook script gosa-modify-host
Next by thread: Re: debian-edu-doc 2.10.19: Please update debconf PO translation for the package debian-edu-doc
Index(es):
- Date
- Thread