
Re: [Pkg-openldap-devel] new debconf template for openldap

Hi Justin,

Thank you for the review!

On Sat, Jan 07, 2017 at 10:10:16PM +0000, Justin B Rye wrote:
> In the version of slapd about to be installed, the ppolicy overlay
> requires the new pwdMaxRecordedFailure attribute to be defined in the
> ppolicy schema. The schema contained in the cn=config database does not
> currently include this attribute.
>
> Expanding "ppolicy" and crushing everything else:
>
>  In the new version of slapd, the Password Policy (ppolicy) overlay schema
>  requires a defined pwdMaxRecordedFailure attribute, which is not present
>  in the schema contained in the cn=config database.

I had to read this a few times. Initially I parsed "overlay schema" as a schema overlaid onto others, rather than an overlay and a related schema. Just to be clear, an overlay is a slapd plugin (a shared library), and the schema is configuration that supplies schema entities (primarily attribute types and object classes). "The schema" technically means the entire slapd schema collectively. "The ppolicy schema" is more colloquial and means either the subset of it used by the ppolicy overlay, or the schema fragment shipped in a file called "ppolicy.ldif" (normally these are equivalent).

I also realized it would probably be more correct to say "attribute type" and not just "attribute". (Attributes are things that have values; attribute types define their names and what the values can look like.)

This is all rather esoteric OpenLDAP-specific stuff, I realize. Sorry.

Anyway, my attempt at adjusting it:

In the new version of slapd, the Password Policy (ppolicy) overlay requires the schema to define the pwdMaxRecordedFailure attribute type, which is not present in the schema currently in use.

> (Or would just "the schema currently in use" be okay?)

I think so. The context for that bit is that new users sometimes think the schema files shipped by the package represent the active configuration, while in reality those are only consulted at the time they're imported into the database. In this case it should be fine since we provide specific guidance.

> Oh, I used apt-get source - hope the attached patch is useful.

That's perfect, thanks! Besides the paragraph I commented on above, I'll take the rest of your patch verbatim.
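
The message above distinguishes the schema files shipped by the package from the schema actually in use in the cn=config database. The following is an added example, not part of the original message or of the slapd package: it checks an LDIF export of the config database for a given attribute type. The sample LDIF, its placeholder OIDs, the `pwdMinimumAge` alias and the function names are all constructed for illustration.

```python
import re

# Constructed, abbreviated LDIF in the shape of a cn=config export.
# OIDs are placeholders, not the real ppolicy OIDs.
OLD_SCHEMA = """\
dn: cn={3}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {3}ppolicy
olcAttributeTypes: {0}( 9.9.9.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 9.9.9.2 NAME ( 'pwdMinAge' 'pwdMinimumAge' ) SINGLE-VALUE )
"""
NEW_SCHEMA = OLD_SCHEMA + (
    "olcAttributeTypes: {2}( 9.9.9.30 NAME 'pwdMaxRecordedFailure' SINGLE-VALUE )\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # drop only the fold marker
        else:
            lines.append(raw)
    return lines

def defined_attribute_types(ldif):
    """Lower-cased attribute type names defined under cn=schema,cn=config.

    Assumes plain-text values; base64-encoded ("::") values are not decoded.
    """
    names, in_schema = set(), False
    for line in unfold(ldif):
        low = line.lower()
        if low.startswith("dn:"):
            in_schema = low.rstrip().endswith("cn=schema,cn=config")
        elif in_schema and low.startswith("olcattributetypes:"):
            # NAME is either a single quoted name or a parenthesised list.
            m = re.search(r"\bNAME\s+(\(\s*[^)]*\)|'[^']+')", line)
            if m:
                found = re.findall(r"'([^']+)'", m.group(1))
                names.update(n.lower() for n in found)
    return names

def has_attribute_type(ldif, name):
    """True if the in-use schema defines the named attribute type."""
    return name.lower() in defined_attribute_types(ldif)
```
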
