Provide a method to create a basic level DIT for OpenLDAP. The openldap-dit project currently has a script that provides a very extensive DIT. This spec will cover using either the openldap-dit package or a version of it to provide a basic DIT for OpenLDAP.

Release Note



The slapd package no longer has the ability to create a basic level Directory Information Tree, which is a burden for users not very familiar with OpenLDAP. This can also be seen as a regression from previous versions of the package.

The current slapd package is not very useful for a substantial amount of users because it does not provide a basic level DIT.

User stories

From bug 442498:

The lack of a simple way of setting up a working basic ldap-service is a serious problem. I've basically resigned to either using a really old package that's not broken in this way or just forgetting about ldap in ubuntu.

What's the reasoning behind upgrading a package from "too old" to "unusable" ?

Also from Derek Simkowiak:

In my opionion, the new (useless) slapd package should not have shipped until the accompanying slapd-dit was ready. It basically broke LDAP for everyone but experts, and now Mathias doesn't have time to fix it.

Mathias, can you make slapd-dit a priority? It's been several months since a usable slapd has been available for Ubuntu.


  • The can be modified to provide only a base level DIT.


  • Create a opneldap-dit-core package that will create a very basic DIT.
  • Create openldap-dit-$service packages for adding modules, schemas, acls, etc for additional services.
    • openldap-dit-userandgroups
    • openldap-dit-replication
    • openldap-dit-samba
    • openldap-dit-mit-kerberos
    • openldap-dit-sudo
    • openldap-dit-postfix
    • openldap-dit-dns
    • openldap-dit-dhcp
    • openldap-dit-autofs
  • Use standard directory structure and file names for the needed LDIF files to allow easy addition of new services.


  • Get the openldap-dit-split branch, or a version of it, merged into the openldap-dit trunk branch.

  • Create a directory for each service containing $service-dit.ldif, $service-modules.ldif, $service-acls.ldif, etc.

  • Migrate the script to a postinst script.
  • Use debconf to prompt the user for domain and admin password information in the openldap-dit-core package.
  • postinst should check the current DIT before adding additional modules, acls, etc.

UI Changes

  • will be integrated into various openldap-dit-$service package's postinst scripts.
  • Maybe a new script will be able to setup syncing in a few quick commands.

Code Changes

  • Migrate to package postinst.


Test/Demo Plan

  • Install slapd and ldap-utils packages.
  • Install the openldap-dit package.
  • Execute the /usr/share/slapd/openldap-dit/ script.
  • Upon successful completion of the script a basic DIT should be created.
  • View the Directory with: ldapsearch -xLLL -b $suffix
    • $suffix will be determined by the hosts domain name, or manually entered by the user.

Unresolved issues

BoF agenda and discussion

  • Discuss direction of openldap-dit project.
  • Propose to modularize - Approved
  • Determine what objects are needed for base level DIT. - Did some, but may need more discussion or clarification.
  • Is there ways to integrate DIT creation/management with puppet? - probably don't need since it will be postinst.
  • Design the tool like quickly, rails, etc to have short command line options to build
    • the DIT. - Design is to use package postinst scripts to add the DITs.
  • Recommend the base DIT follow the rfc2307bis.
    • Where did the rfc2307bis.ldif file come from, was it part of another package?
    • Current Server Guide uses nis.ldif, but rfc2307bis.ldif is a better way to go.
  • Create base DIT during openldap-dit package installation.
  • IDMap is samba specific and can be removed into the Samba sevice.
    • Hosts is for Samba
  • Check for System Accounts and System Groups before adding more service DITs.
  • Another script to create add the replicator DIT.
  • openldap-dit-core (depends on slapd) - creates suffix during package install
    • user-group
    • kerberos
    • dhcp
    • dns
  • Move databases LDIFs to acls directory. Done in revision 68.

  • Provide best practices for developing DIT modules
    • Standard way to provide schemas, modules, overlays, acls, base DIT structures
  • Divide openldap-dit package into openldap-$service packages.
    • Add the local sudo auth string to the first ACL frontend DIT.
  • To modify ACL for new service:
    • LDAP search for ACL to find last index number using grep -c.
    • Do ldapmodify to replace the last number with the new ACL.
  • Actions
    • Create openldap-dit-core package.
    • Create openldap-dit-usergroup package.


OpenLDAP-DIT (last edited 2010-06-08 13:29:31 by cOn244)