On Tue, Dec 4, 2012 at 2:08 PM, Tim Watts tw@dionic.net wrote:
In my case I would have to shelve ppolicy until all my clients had been converted - I have over 150 clients and 600 user accounts (under my control) but LDAP is not just used by PAM/NSS (if it were it would be easy)
- there are undocumented usages in apache configs, Confluence, possibly
webapps written in all manner of languages etc etc.
It's a real mess...
I agree. It was a real mess for me.
I can give you a quick rundown of what I encountered. I feel a bit guilty that I never submitted complete ITS reports, but I was too busy trying to recover from software that was suddenly crashing repeatedly and predictably once put into production.
back-relay and slapo-ppolicy, as you mentioned, crashed the server.
back-ldap and slapo-rwm would cause the server to crash if certain malformed search filters were used (as a developer working on some code here discovered within the first day we were up and running).
back-meta would cause the server to hang if there were an additional space in a search base (our old primary naming context was "o=lawrence berkeley laboratory,c=us" and a mail client user had "o=lawrence[space][space]berkeley lab,c=us" in his configuration).
Given some of the explanation I received after posting the first bug, I couldn't help but come to the conclusion that using any of the rewriting infrastructure in the wild was a bad idea. And that's where I ended up. So, we shortened the lifetime of our legacy naming context, wrote some additional synchronization tools, and just cranked up a new database with that content.
If you find a solution that works reliably, I'm all ears.
Greg