https://bugs.openldap.org/show_bug.cgi?id=9708
Issue ID: 9708
Summary: null (empty) attribute values of type Directory String pass the dry-run validation
Product: OpenLDAP
Version: 2.5.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: client tools
Assignee: bugs@openldap.org
Reporter: mheyman@symas.com
Target Milestone: ---
On behalf of Aaron Bliss at Paychex
----
I'm pretty confident that I've identified a bug when running slapadd with the dry-run switch. As a step of migrating a given replica set from oDSEE to OpenLDAP, we of course make use of the dry-run switch after sanitizing a given oDSEE export. However, on a few migrations I've noticed that null (empty) attribute values of type Directory String (which are illegal per the RFC) pass the dry-run validation. This becomes really problematic because a subsequent slapadd in which the quick switch is passed will load the invalid data into the database. I understand that loading a given ldif using the quick switch performs fewer consistency checks on the input data; however, with our largest datasets, it's not viable for us to migrate a given replica set from oDSEE to OpenLDAP without using the quick switch (it would require an outage that's far longer than we can allow for on the customer side of things).
It makes total sense for sure that OpenLDAP will not allow for null values for this attribute type in keeping with the standard, but unfortunately oDSEE allows for it; as such, we have to account for it. Would it be possible to catch the null attribute value scenario when performing a dry run, and if so, is there any way this could be prioritized (doing so would be of tremendous help to us)? If not, then I'll have to write my own validation (not at all ideal) to check for this scenario, but for sure it would be better if slapadd could catch this condition. Thanks much as always.
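
A pre-load check of the kind the report mentions, as an added example (not code from the reporter or from OpenLDAP): it scans an LDIF export for zero-length values, plain or base64-encoded, before slapadd is run with the quick switch. It does not read the schema, so it flags every empty value regardless of syntax; `only_attrs` is a hypothetical parameter for restricting the check to attributes known to be Directory String, and the sample LDIF is constructed.

```python
import base64

# Constructed sample export (not data from the bug report).
SAMPLE_LDIF = """\
version: 1
# alice has an empty plain value, bob an empty base64 value
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example
description:
title: Senior
  Engineer

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: Bob Example
displayName::
"""

def unfold(text):
    """Join RFC 2849 continuation lines (leading space), then drop comments."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out and out[-1]:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return [line for line in out if not line.startswith("#")]

def find_empty_values(text, only_attrs=None):
    """Return (dn, attribute) pairs whose value is zero-length.
    only_attrs: optional set of lowercase attribute names to check."""
    findings, dn = [], None
    for line in unfold(text):
        if not line.strip():            # blank line ends the current entry
            dn = None
            continue
        attr, sep, rest = line.partition(":")
        if not sep or rest.startswith("<"):   # malformed, or attr:< URL value
            continue
        if rest.startswith(":"):        # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.lstrip(" ").encode()
        name = attr.split(";")[0].lower()     # ignore options such as ;binary
        if name == "dn":
            dn = value.decode("utf-8", "replace")
        elif not value and (only_attrs is None or name in only_attrs):
            findings.append((dn, attr))
    return findings
```

Running `find_empty_values` over the sanitized export and refusing to proceed when it returns anything keeps the quick load from being the first place the empty values are noticed.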