Quanah Gibson-Mount writes:
> demarco@maya.com wrote:
>> Is there a better way of adding a required attribute to an in-production objectclass?
> Stop your server, export your database, use Perl's Net::LDAP::LDIF to add the attribute to every entry it applies to, put your updated schema on the server, and reload it with the updated LDIF file.
Or if that gives too long a downtime, you can run slapd in read-only mode with the old database while rebuilding the new database:
Make a copy of slapd.conf, in which you add "readonly on" above the database directive and change "directory /foo/bar" to something like "directory /foo/bar.old". Then after stopping slapd and exporting your database: Rename your database directory to the ".old" location and restart slapd with -f <new conf>. Then take it down again when you're ready to restart with the new database and the original conf. Also, you might run slaptest on the new slapd before taking down the readonly slapd.
And when running slap tools, remember to suid to the user/group slapd will run as. The slapd -u/-g options don't work with slap tools.
Your original procedure lacked a step: Check that no users added an entry with some other tool than yours, one which doesn't add the attribute. If so, goto step 1.
But come to think of it, slapd will start fine if existing entries lack a "MUST" attribute. It doesn't read the entire database to check, after all. Maybe something will misbehave when trying to access such entries, I don't know. But maybe it'll work fine to restart the server with the MUST and add the actual attribute afterwards.
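Added example, not part of the original thread: a Python pass over the exported LDIF that lists entries of the objectclass still lacking the new attribute (the check the procedure was said to be missing) and writes a patched copy for the reload. The names examplePerson and exampleDept, the default value and the sample export are constructed for illustration.

```python
import base64
import re

def parse_ldif(text):
    """Yield (lines, attrs) per record; attrs maps lowercased type -> values."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "type:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            key = name.split(";")[0].lower()  # ignore options such as ;binary
            attrs.setdefault(key, []).append(value.strip())
        yield lines, attrs

def missing_must(text, objectclass, attr):
    """DNs of entries that list objectclass but carry no value for attr."""
    oc, at = objectclass.lower(), attr.lower()
    return [a["dn"][0] for _, a in parse_ldif(text)
            if "dn" in a and at not in a
            and oc in (v.lower() for v in a.get("objectclass", []))]

def add_must(text, objectclass, attr, default):
    """Return LDIF with 'attr: default' appended to each entry found above.
    default must be plain ASCII with no leading space, ':' or '<'."""
    need = set(missing_must(text, objectclass, attr))
    out = []
    for lines, a in parse_ldif(text):
        if a.get("dn", [None])[0] in need:
            lines = lines + [f"{attr}: {default}"]
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"

# Constructed sample export; examplePerson / exampleDept are hypothetical names.
BOB_DN = base64.b64encode(b"uid=bob,ou=people,dc=example,dc=com").decode()
SAMPLE = f"""dn: uid=alice,ou=people,dc=example,dc=com
objectClass: examplePerson
description: a long value folded
  across two lines
exampleDept: eng

dn:: {BOB_DN}
objectclass: EXAMPLEPERSON
uid: bob

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
"""

if __name__ == "__main__":
    print(missing_must(SAMPLE, "examplePerson", "exampleDept"))
    print(add_must(SAMPLE, "examplePerson", "exampleDept", "unassigned"))
```

The match is on objectClass values listed in the entry itself, so an entry that names only a subclass of the changed objectclass is not reported.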