OpenDS Integration into OpenSolaris [ LSARC/2008/691 FastTrack timeout 11/19/2008]

Gilles Bellaton Gilles.Bellaton at Sun.COM
Wed Nov 19 06:46:55 PST 2008


Darren J Moffat wrote:
> Gilles Bellaton wrote:
>> Hi all,
>>
>> Please find a new proposal for OpenDS Integration into OpenSolaris
>> integrating (I hope) most of the comments.
>>
>> - OpenDS now installs in /usr
>> - OpenDS now delivers an SMF manifest
>> - OpenDS now uses the ldap user
>
> Why is the ldap user delivered as a locked account (*LK*) rather than a 
> non-login account (NP)?  Is there never a need to run cron jobs as the 
> ldap user?
>
> I think the ldap user should also be shipped as an RBAC role 
> (type=role in /etc/user_attr), like has been done for postgres and 
> zfssnap.
I've been following what has been done for the OpenLDAP case.
But I agree that your propositions look better.

>
> Why are the schema files delivered in /usr/opends/config/schema/
> rather than /usr/share/lib/ldif/ ? Are they in a format specific to 
> opends ?
Yes, those files contain information that is specific to each LDAP 
server implementation.
> Does the existing kerberos.ldif file work for OpenDS ?
This file is not a schema file directly usable by an LDAP server but is an
LDIF file containing modifications of the schema that can be used by
command line tools like ldapmodify or openldapmodify to load the schema
in any LDAP server.

It does not work with OpenDS. I believe this is because it does not 
comply with the LDIF rules.

>
> Why is /var/opends not delivered in a package ?
1- so that the files in /var/opends can be owned by the user who is 
going to run the server.
2- it looks easier to have a single package with no dependencies.
> I would really like it if the only thing that had to be done before 
> populating the database with data was 'svcadm enable opends' 
> particularly for the case where it is likely to be used as the 
> nameservice backend for ldap.  If the admin wants to put the data 
> somewhere else or make other config changes they are free to do so but 
> I'd really rather they weren't forced to do so in the default config 
> if possible.  However I won't hold up this case for that.
>
> What user id is supposed to run the opends/configure command ? ldap, 
> root, something else ?

The configure command must be run by somebody with the rights to write 
into /var/; it can be root or any user who has been given this privilege.

Gilles
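
The account questions in this thread (a `*LK*` versus `NP` password field in /etc/shadow, and `type=role` in /etc/user_attr) can be checked mechanically. The script below is an added example, not part of the original message or of the OpenDS packaging; the function names and every sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a service account by its shadow password field and
# its user_attr type. Function names and sample data are hypothetical.

# shadow_state FILE USER -> locked | nologin | password | missing
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 ~ /^\*LK\*/)  print "locked"    # *LK*: locked account
            else if ($2 == "NP") print "nologin"   # NP: no password, not locked
            else                 print "password"
        }
        END { if (!found) print "missing" }' "$1"
}

# account_type FILE USER -> role | normal (no type= key means a normal user)
account_type() {
    awk -F: -v u="$2" '
        /^#/ { next }
        $1 == u {
            n = split($5, kv, ";")                 # 5th field: key=value;key=value
            for (i = 1; i <= n; i++) if (kv[i] == "type=role") t = "role"
        }
        END { print (t == "" ? "normal" : t) }' "$1"
}

# review SHADOW USER_ATTR USER -> one line comparing against the NP + role shape
review() {
    s=$(shadow_state "$1" "$3"); t=$(account_type "$2" "$3")
    case "$s/$t" in
        nologin/role) echo "$3: shadow=$s type=$t (NP + role)" ;;
        *)            echo "$3: shadow=$s type=$t (differs from NP + role)" ;;
    esac
}

# Constructed sample files, so the script runs without touching /etc.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'ldap:*LK*:::::::' 'postgres:NP:::::::' > "$SAMPLE_DIR/shadow"
printf '%s\n' '# constructed entries' 'postgres::::type=role;profiles=All' \
    > "$SAMPLE_DIR/user_attr"
for u in ldap postgres; do
    review "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/user_attr" "$u"
done
```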



