Michael Ströder wrote:
Howard Chu wrote:
> Michael Ströder wrote:
>> If one plays around with schema and an attribute type used in the RDN
>> of an entry is no longer present then this entry is no longer readable
>> because whenever a request is sent to slapd invalidDNSyntax is returned.
>> This leads to the situation that a client can't even explicitly delete
>> this offending entry anymore.
>>
>> I'd vote for relaxing the schema-based DN checking in case of search,
>> rename (only old DN), modify and delete requests a bit so that after a
>> schema change the data can be corrected with normal client tools without
>> server down-time.
>>
>> Any thoughts on this?
>
> "Don't do that."
I expected you to say this but IMO it's not that simple.
It's sometimes required to remove schema elements in case of bad schema
design. I consider it one of the advantages of OpenLDAP that this is
possible. And in fact slapd starts without checking whether *existing*
entries all are compliant to the current schema. But then non-compliant
entries are not accessible anymore at all. So you can't clean up the
data via LDAP without down-time.
Then you should have been more careful and removed the offending entries
before removing the schema element.
This is somewhat analogous to an upgrade - you must slapcat using the old
software before deleting it and replacing it with the new software. If you saw
off the branch you're sitting on, you have no one else to blame when you fall
off the tree.
It's not much effort for you to ldapsearch (badattr=*) and delete/modify those
entries before you modify the schema.
Cleaning up now requires
stopping slapd,
slapcat,
tweak LDIF,
slapadd,
start slapd
This can be a huge pain if the number of non-compliant entries are
rather small compared to the overall number of entries.
Yes, and the fact that it is such a pain should discourage you from making
this mistake more than once.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/