Howard Chu wrote:
> Michael Ströder wrote:
>> If one plays around with schema and an attribute type used in the RDN of an entry is no longer present then this entry is no longer readable because whenever a request is sent to slapd invalidDNSyntax is returned. This leads to the situation that a client can't even explicitly delete this offending entry anymore.
>> I'd vote for relaxing the schema-based DN checking in case of search, rename (only old DN), modify and delete requests a bit so that after a schema change the data can be corrected with normal client tools without server down-time.
>> Any thoughts on this?
> "Don't do that."
I expected you to say this but IMO it's not that simple. It's sometimes required to remove schema elements in case of bad schema design. I consider it one of the advantages of OpenLDAP that this is possible. And in fact slapd starts without checking whether *existing* entries all are compliant with the current schema. But then non-compliant entries are not accessible anymore at all. So you can't clean up the data via LDAP without down-time.
Cleaning up now requires stopping slapd, slapcat, tweak LDIF, slapadd, start slapd.
This can be a huge pain if the number of non-compliant entries is rather small compared to the overall number of entries.
So still my suggestion is to distinguish validating a new DN from validating a DN of an *existing* entry.
Ciao, Michael.
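
For the "tweak LDIF" step of the offline cleanup described above, the following added example (not part of the original thread and not OpenLDAP code) lists the entries in a slapcat-style LDIF dump whose RDN uses an attribute type that is no longer known. The function names, the `oldId` attribute and the sample LDIF are constructed for illustration, and the set of known attribute types is assumed to be supplied by the caller from the current schema.

```python
import base64
import re

def entry_dns(ldif_text):
    """Yield each entry DN from slapcat-style LDIF (unfolds lines, decodes 'dn::')."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # a leading space continues the previous line
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            yield base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            yield line[4:]

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2  # keep the escape pair intact
        elif s[i] == sep:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    return parts + [cur]

def rdn_attr_types(dn):
    """Lower-cased attribute types of the entry's own (leftmost) RDN, multi-valued RDNs included."""
    rdn = split_unescaped(dn, ",")[0]
    return [ava.split("=", 1)[0].strip().lower() for ava in split_unescaped(rdn, "+")]

def offending_dns(ldif_text, known_types):
    """DNs whose RDN uses a type missing from known_types (assumed to come from the current schema)."""
    known = {t.lower() for t in known_types}
    return [dn for dn in entry_dns(ldif_text)
            if any(t not in known for t in rdn_attr_types(dn))]

# Constructed sample input; 'oldId' stands for a removed attribute type (hypothetical name).
SAMPLE = r"""dn: dc=example,dc=com
dc: example

dn: cn=Alice\, A,ou=people,dc=example,dc=com
cn: Alice, A

dn: oldId=42,ou=people,dc=example,dc=com
oldId: 42

dn: cn=Bob+oldId=7,ou=people,dc=exa
 mple,dc=com
cn: Bob
""" + "\ndn:: " + base64.b64encode("oldId=Zoë,dc=example,dc=com".encode()).decode() + "\n"

if __name__ == "__main__":
    for dn in offending_dns(SAMPLE, {"dc", "ou", "cn"}):
        print(dn)
```

The sample covers an escaped comma inside a value, a multi-valued RDN on a folded line, and a base64-encoded DN, which are the cases a plain text search of the dump would miss.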