Hi,

I am unable to find a simple tool which fulfils the following requirement:

As a directory administrator, I'd like to maintain the structure of an LDAP directory (Groups / OUs) over time using flat files checked into a VCS (version control system).

What I'm looking for is basically the equivalent of database schema migrations[1] as implemented in many OSS web frameworks but for LDAP (E.g., Rails: rake db:migrate, Django: django-admin migrate, etc.).

In a very basic implementation such a tool would take a directory full of ldif files named according to the following scheme: YYYY-MM-DD-NNN-whatever-{UP,DOWN}.ldif (where NNN is a serial and UP or DOWN denote whether the file should be applied when installing and removing a migration respectively). When run the tool would check the last version applied to the LDAP directory. After that it figures out which migrations need to be applied and then runs ldapmodify once for each file in the proper sequence.

If you know such a tool, then please point me towards it.

Cheers,
Lorenz

1) https://en.wikipedia.org/wiki/Schema_migration
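The planner/runner described in the post, written out as an added example. This is not an existing tool from the thread or from the Samba project; it is illustration code. It assumes (none of this is stated in the post) that "YYYY-MM-DD-NNN" is the migration's identity, that the caller stores the last applied version somewhere (a marker entry, a file) and passes it in, and that each step is one `ldapmodify -f <file>` invocation with caller-supplied connection options. The hostname, bind DN and password-file path in `demo()` are placeholders.

```python
"""Minimal LDIF migration planner/runner (added example, not the thread's or
Samba's code). Files are named YYYY-MM-DD-NNN-<desc>-{UP,DOWN}.ldif; the
version "YYYY-MM-DD-NNN" is assumed to identify a migration, and the last
applied version is assumed to be stored and supplied by the caller."""
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

NAME_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})-(?P<serial>\d{3})-(?P<desc>.+)-(?P<dir>UP|DOWN)\.ldif$"
)


@dataclass(frozen=True)
class Migration:
    version: str  # "YYYY-MM-DD-NNN"; zero-padded, so string order is chronological
    desc: str
    up: str       # file applied when installing the migration
    down: str     # file applied when removing it


def parse_migrations(filenames: Iterable[str]) -> List[Migration]:
    """Pair UP/DOWN files by version and return them sorted ascending.
    Unrecognised names, duplicates and unpaired files are errors, so a typo
    in a file name cannot silently drop a step from the sequence."""
    slots = {}
    for name in filenames:
        m = NAME_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised migration file name: {name}")
        version = f"{m['date']}-{m['serial']}"
        slot = slots.setdefault(version, {"desc": m["desc"]})
        if slot["desc"] != m["desc"]:
            raise ValueError(f"UP/DOWN description mismatch for {version}")
        key = m["dir"].lower()
        if key in slot:
            raise ValueError(f"duplicate {m['dir']} file for {version}")
        slot[key] = name
    result = []
    for version in sorted(slots):
        slot = slots[version]
        if "up" not in slot or "down" not in slot:
            raise ValueError(f"migration {version} lacks its UP or DOWN file")
        result.append(Migration(version, slot["desc"], slot["up"], slot["down"]))
    return result


def plan(migrations: Sequence[Migration], current: Optional[str],
         target: Optional[str] = None) -> List[Tuple[str, Optional[str]]]:
    """Return [(ldif_file, version_after_step)] to move the directory from
    `current` (None = nothing applied) to `target` (None = latest).
    Upgrades run UP files ascending; downgrades run DOWN files descending."""
    versions = [m.version for m in migrations]
    if current is not None and current not in versions:
        raise ValueError(f"recorded version {current} has no migration file")
    if target is not None and target not in versions:
        raise ValueError(f"target version {target} has no migration file")
    cur_n = versions.index(current) + 1 if current is not None else 0
    tgt_n = versions.index(target) + 1 if target is not None else len(versions)
    if tgt_n >= cur_n:
        return [(m.up, m.version) for m in migrations[cur_n:tgt_n]]
    steps = []
    for i in range(cur_n - 1, tgt_n - 1, -1):
        prev = versions[i - 1] if i > 0 else None
        steps.append((migrations[i].down, prev))
    return steps


def apply(steps: Sequence[Tuple[str, Optional[str]]], directory: Path,
          ldapmodify_cmd: Sequence[str],
          record: Callable[[Optional[str]], None],
          run=subprocess.run) -> Optional[str]:
    """Run each step and record the new version only after that step
    succeeded, so a failure part-way leaves an accurate version behind.
    ldapmodify without -c stops at the first failing change and exits
    non-zero; check=True turns that into an exception here."""
    last = None
    for ldif, after in steps:
        run([*ldapmodify_cmd, "-f", str(directory / ldif)], check=True)
        record(after)
        last = after
    return last


# Constructed sample input: file names as they might sit in a VCS checkout.
SAMPLE_FILES = [
    "2021-07-01-001-add-ou-people-UP.ldif",
    "2021-07-01-001-add-ou-people-DOWN.ldif",
    "2021-07-01-002-add-group-admins-UP.ldif",
    "2021-07-01-002-add-group-admins-DOWN.ldif",
    "2021-07-20-001-add-ou-services-UP.ldif",
    "2021-07-20-001-add-ou-services-DOWN.ldif",
]


def demo() -> Tuple[List[str], Optional[str]]:
    """Upgrade from 2021-07-01-001 to latest without touching a directory:
    `run` only collects the commands that would have been executed."""
    commands: List[str] = []
    recorded: List[Optional[str]] = []
    migs = parse_migrations(SAMPLE_FILES)
    steps = plan(migs, current="2021-07-01-001")
    # Placeholder host/DN/path. Credentials via -y <file>, not -w <password>:
    # -w puts the bind password in the argv visible to every user via ps.
    cmd = ["ldapmodify", "-H", "ldaps://ldap.example.com", "-D",
           "cn=admin,dc=example,dc=com", "-y", "/run/secrets/ldap-pw"]
    final = apply(steps, Path("migrations"), cmd, recorded.append,
                  run=lambda argv, check: commands.append(" ".join(argv)))
    return commands, final
```

The planner is kept pure so the order of steps can be tested without a directory; only `apply` touches ldapmodify, and it records the version after each successful file rather than once at the end, so an aborted run does not claim more than was actually applied.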
On Sun, 2021-07-25 at 13:10 +0200, Lorenz Schori via samba wrote:
> Hi,
>
> I am unable to find a simple tool which fulfils the following
> requirement:
>
> As a directory administrator, I'd like to maintain the
> structure of a LDAP directory (Groups / OUs) over time using
> flat files checked into a VCS (version control system).
>
> What I'm looking for is basically the equivalent of database schema
> migrations[1] as implemented in many OSS web frameworks but for LDAP
> (E.g., Rails: rake db:migrate, Django: django-admin migrate, etc.).
>
> In a very basic implementation such a tool would take a directory
> full of ldif files named according to the following scheme:
> YYYY-MM-DD-NNN-whatever-{UP,DOWN}.ldif (where NNN is a serial and UP
> or DOWN denote whether the file should be applied when installing and
> removing a migration respectively). When run the tool would check the
> last version applied to the LDAP directory. After that it figures out
> which migrations need to be applied and then runs ldapmodify once for
> each file in the proper sequence.
>
> If you know such a tool, then please point me towards it.

Whilst I can understand the logic behind this, what are you going to read this with, and is Samba involved? If Samba is involved, then I probably should mention that apart from a Samba AD DC (where once something is added to the schema, it cannot be removed), Samba only really uses ldap for NT4-style domains and they are now deprecated and work is ongoing to remove them. This means that if you are actively developing something that relies on Samba and ldap, then you could be wasting your time: you could develop it and then find you have no clients.

Rowland
On Sun, 2021-07-25 at 13:10 +0200, Lorenz Schori via samba wrote:
> Hi,
>
> I am unable to find a simple tool which fulfils the following
> requirement:
>
> As a directory administrator, I'd like to maintain the
> structure of a LDAP directory (Groups / OUs) over time using
> flat files checked into a VCS (version control system).
>
> What I'm looking for is basically the equivalent of database schema
> migrations[1] as implemented in many OSS web frameworks but for LDAP
> (E.g., Rails: rake db:migrate, Django: django-admin migrate, etc.).
>
> In a very basic implementation such a tool would take a directory
> full of ldif files named according to the following scheme:
> YYYY-MM-DD-NNN-whatever-{UP,DOWN}.ldif (where NNN is a serial and UP
> or DOWN denote whether the file should be applied when installing and
> removing a migration respectively). When run the tool would check the
> last version applied to the LDAP directory. After that it figures out
> which migrations need to be applied and then runs ldapmodify once for
> each file in the proper sequence.
>
> If you know such a tool, then please point me towards it.

Thanks for your question Lorenz,

This - proper VCS-style change control - really is a big gap in the LDAP and AD world. Sadly these directories and the whole structure came around about a decade later. We saw this most spectacularly in OpenLDAP, which finished the march to in-directory configuration (which was considered a really good idea in the early 2000s) just as Puppet et al arrived in the early 2010s.

This means we don't record who changes what and why, and because the administrative and the user interfaces are the same - delineated only by ACLs - can't really either. Which is a real pity!

But while it would be a massive task, Samba is free software and in this increasingly dangerous world a verifiable log of changes would be an incredible unique-to-Samba feature.

Not something I can suggest is suddenly on anybody's funded roadmap, but I for one would gladly assist anybody who wanted to make an attempt.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions