1:45 a.m.
HI!
If one plays around with schema and an attribute type used in the RDN
of an entry is no longer present then this entry is no longer readable
because whenever a request is sent to slapd invalidDNSyntax is returned.
This leads to the situation that a client can't even explicitly delete
this offending entry anymore.
I'd vote for relaxing the schema-based DN checking in case of search,
rename (only old DN), modify and delete requests a bit so that after a
schema change the data can be corrected with normal client tools without
server down-time.
Any thoughts on this?
Ciao, Michael.
2:01 a.m.
Michael Ströder wrote:
HI!
If one plays around with schema and an attribute type used in the RDN
of an entry is no longer present then this entry is no longer readable
because whenever a request is sent to slapd invalidDNSyntax is returned.
This leads to the situation that a client can't even explicitly delete
this offending entry anymore.
I'd vote for relaxing the schema-based DN checking in case of search,
rename (only old DN), modify and delete requests a bit so that after a
schema change the data can be corrected with normal client tools without
server down-time.
Any thoughts on this?
"Don't do that."
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:25 a.m.
Howard Chu wrote:
Michael Ströder wrote:
> If one plays around with schema and an attribute type used in the RDN
> of an entry is no longer present then this entry is no longer readable
> because whenever a request is sent to slapd invalidDNSyntax is returned.
> This leads to the situation that a client can't even explicitly delete
> this offending entry anymore.
>
> I'd vote for relaxing the schema-based DN checking in case of search,
> rename (only old DN), modify and delete requests a bit so that after a
> schema change the data can be corrected with normal client tools without
> server down-time.
>
> Any thoughts on this?
"Don't do that."
I expected you to say this but IMO it's not that simple.
It's sometimes required to remove schema elements in case of bad schema
design. I consider it one of the advantages of OpenLDAP that this is
possible. And in fact slapd starts without checking whether *existing*
entries all are compliant to the current schema. But then non-compliant
entries are not accessible anymore at all. So you can't clean up the
data via LDAP without down-time.
Cleaning up now requires
stopping slapd,
slapcat,
tweak LDIF,
slapadd,
start slapd
This can be a huge pain if the number of non-compliant entries are
rather small compared to the overall number of entries.
So still my suggestion is to distinguish validating a new DN from
validating a DN of an *existing* entry.
Ciao, Michael.
3:31 a.m.
Michael Ströder wrote:
Howard Chu wrote:
> Michael Ströder wrote:
>> If one plays around with schema and an attribute type used in the RDN
>> of an entry is no longer present then this entry is no longer readable
>> because whenever a request is sent to slapd invalidDNSyntax is returned.
>> This leads to the situation that a client can't even explicitly delete
>> this offending entry anymore.
>>
>> I'd vote for relaxing the schema-based DN checking in case of search,
>> rename (only old DN), modify and delete requests a bit so that after a
>> schema change the data can be corrected with normal client tools without
>> server down-time.
>>
>> Any thoughts on this?
>
> "Don't do that."
I expected you to say this but IMO it's not that simple.
It's sometimes required to remove schema elements in case of bad schema
design. I consider it one of the advantages of OpenLDAP that this is
possible. And in fact slapd starts without checking whether *existing*
entries all are compliant to the current schema. But then non-compliant
entries are not accessible anymore at all. So you can't clean up the
data via LDAP without down-time.
Then you should have been more careful and removed the offending entries
before removing the schema element.
This is somewhat analogous to an upgrade - you must slapcat using the old
software before deleting it and replacing it with the new software. If you saw
off the branch you're sitting on, you have no one else to blame when you fall
off the tree.
It's not much effort for you to ldapsearch (badattr=*) and delete/modify those
entries before you modify the schema.
Cleaning up now requires
stopping slapd,
slapcat,
tweak LDIF,
slapadd,
start slapd
This can be a huge pain if the number of non-compliant entries are
rather small compared to the overall number of entries.
Yes, and the fact that it is such a pain should discourage you from making
this mistake more than once.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:06 a.m.
Howard Chu wrote:
Michael Ströder wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> If one plays around with schema and an attribute type used in the RDN
>>> of an entry is no longer present then this entry is no longer readable
>>> because whenever a request is sent to slapd invalidDNSyntax is
>>> returned.
>>> This leads to the situation that a client can't even explicitly delete
>>> this offending entry anymore.
>>>
>>> I'd vote for relaxing the schema-based DN checking in case of search,
>>> rename (only old DN), modify and delete requests a bit so that after a
>>> schema change the data can be corrected with normal client tools
>>> without
>>> server down-time.
>>>
>>> Any thoughts on this?
>>
>> "Don't do that."
>
> I expected you to say this but IMO it's not that simple.
> It's sometimes required to remove schema elements in case of bad schema
> design. I consider it one of the advantages of OpenLDAP that this is
> possible. And in fact slapd starts without checking whether *existing*
> entries all are compliant to the current schema. But then non-compliant
> entries are not accessible anymore at all. So you can't clean up the
> data via LDAP without down-time.
Then you should have been more careful and removed the offending entries
before removing the schema element.
Well, I know how to do things right. But sometimes I have to correct the
results of false procedures done by others... ;-)
Ciao, Michael.
4:22 a.m.
Michael Ströder wrote:
Howard Chu wrote:
> Then you should have been more careful and removed the offending entries
> before removing the schema element.
Well, I know how to do things right. But sometimes I have to correct the
results of false procedures done by others... ;-)
You can always re-add the missing schema elements and make your repairs...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:23 a.m.
Howard Chu writes:
Michael Ströder wrote:
Then you should have been more careful and removed the offending entries
before removing the schema element.
First you may need to tweak access controls so someone can't insert a
new offending attribute after you've cleaned up. That'a a step more
"dangerous" (more serious mistakes are possible) than fiddling schema.
And stop any processes that can write them as rootdn. All in all,
dynamic schema changes can grow to be a rather big affair.
OTOH, with some schema changes you must slapcat/slapadd anyway.
E.g. if the syntax of an indexed attribute is changed. Supposedly
that should not happen, but in real life it does. And not only with
private schema, so the LDAP admin might not have any blame for that.
This is somewhat analogous to an upgrade - you must slapcat using
the
old software before deleting it and replacing it with the new
software. If you saw off the branch you're sitting on, you have no one
else to blame when you fall off the tree.
That does depend on how easy it is to saw off the branch without sitting
on it. OpenLDAP can take some credit/blame for that one.
In any case, from user perspective I'd favor a control which relaxes
schema requirements when parsing entries, but it should not be on by
default. From an OpenLDAP-internals perspective, such bogus DNs may
be less thrilling. Haven't looked too closely, but OpenLDAP code does
sometimes assume that internal operations like parsing an entry's DN
will succeed.
--
Hallvard
5045
days inactive
5045
days old
6 comments
3 participants
participants (3)
-
Hallvard B Furuseth -
Howard Chu -
Michael Ströder