On Tue, Dec 4, 2012 at 2:08 PM, Tim Watts <tw@dionic.net> wrote:
> In my case I would have to shelve ppolicy until all my clients had been converted - I have over 150 clients and 600 user accounts (under my control) but LDAP is not just used by PAM/NSS (if it were it would be easy) - there are undocumented usages in apache configs, Confluence, possibly webapps written in all manner of languages etc etc.
>
> It's a real mess...

I agree.  It was a real mess for me.

I can give you a quick rundown of what I encountered.  I feel a bit guilty that I never submitted complete ITS reports, but I was too busy trying to recover from software that was suddenly crashing repeatedly and predictably once put into production.

back-relay and slapo-ppolicy, as you mentioned, crashed the server.

back-ldap and slapo-rwm would cause the server to crash if certain malformed search filters were used (as a developer working on some code here discovered within the first day we were up and running.)

back-meta would cause the server to hang if there were an additional space in a search base (our old primary naming context was "o=lawrence berkeley laboratory,c=us" and a mail client user had "o=lawrence[space][space]berkeley lab,c=us" in his configuration).

Given some of the explanation I received after posting the first bug, I couldn't help but come to the conclusion that using any of the rewriting infrastructure in the wild was a bad idea.  And that's where I ended up.  So, we shortened the lifetime of our legacy naming context, wrote some additional synchronization tools, and just cranked up a new database with that content.

If you find a solution that works reliably, I'm all ears.

Greg
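The back-meta hang above was triggered by a search base that differed from the configured naming context only by stray whitespace and an abbreviated value. A check that parses and normalizes client-supplied bases before they reach any rewriting or proxy layer lets a front end reject (or log) such bases instead of forwarding them. The following is an added example written for this page, not OpenLDAP code and not something Greg or Tim posted: a small RFC 4514 DN parser with RFC 4518-style insignificant-space handling (trim, collapse internal whitespace runs, case fold, which approximates caseIgnoreMatch), plus a suffix check against a table of naming contexts. The "current" context `dc=example,dc=org` and the `classify_base` / `is_under` names are assumptions for illustration; only the legacy context comes from the message.

```python
"""Normalize LDAP search bases before they reach a rewriting backend.

Added example for this thread, not OpenLDAP's own code. Implements:
  - an RFC 4514 DN parser (backslash escapes, \\XX hex escapes, '+' RDNs),
  - RFC 4518-style value preparation for caseIgnore attributes,
  - a suffix test that tells which naming context a base belongs to.
The naming-context table at the bottom is a constructed sample.
"""
import re

HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")
WS = re.compile(r"\s+")


def parse_dn(dn: str) -> list:
    """Split a DN into RDNs; each RDN is a list of (type, value) pairs.

    Raises ValueError on malformed input rather than guessing, which is
    the behaviour you want in front of a backend that hangs on surprises.
    The empty DN (root DSE) is legal and yields an empty list.
    """
    if dn == "":
        return []
    rdns, rdn, buf = [], [], []
    attr = None
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if HEXPAIR.fullmatch(dn[i + 1:i + 3]):
                # Consecutive \XX pairs are one UTF-8 byte sequence.
                raw = bytearray()
                while i < len(dn) and dn[i] == "\\" and HEXPAIR.fullmatch(dn[i + 1:i + 3]):
                    raw += bytes.fromhex(dn[i + 1:i + 3])
                    i += 3
                buf.append(raw.decode("utf-8"))
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])   # escaped special: \, \+ \= \\ etc.
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            continue
        if c == "=" and attr is None:
            attr = "".join(buf)
            buf = []
        elif c in ",+":
            if attr is None:
                raise ValueError("RDN component without '='")
            rdn.append((attr, "".join(buf)))
            attr, buf = None, []
            if c == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("trailing RDN component without '='")
    rdn.append((attr, "".join(buf)))
    rdns.append(rdn)
    return rdns


def normalize_dn(dn: str) -> tuple:
    """Hashable canonical form: lowercase types; values trimmed, internal
    whitespace runs collapsed to one space, case-folded. This mirrors the
    insignificant-space handling of RFC 4518 for caseIgnore attributes;
    caseExact attributes would need a schema table this example omits."""
    out = []
    for rdn in parse_dn(dn):
        avas = sorted((t.strip().lower(), WS.sub(" ", v.strip()).casefold()) for t, v in rdn)
        out.append(tuple(avas))
    return tuple(out)


def is_under(base: str, naming_context: str) -> bool:
    """True if `base` equals or lies below `naming_context` (RDNs are
    leaf-first, so the context must be a suffix of the base)."""
    b, ctx = normalize_dn(base), normalize_dn(naming_context)
    return len(b) >= len(ctx) and b[len(b) - len(ctx):] == ctx


# Constructed sample table: the legacy context is the one from the message;
# the "current" context is an assumption for illustration.
NAMING_CONTEXTS = {
    "legacy": "o=Lawrence Berkeley Laboratory,c=US",
    "current": "dc=example,dc=org",
}


def classify_base(base: str, contexts: dict = NAMING_CONTEXTS) -> str:
    """Name the naming context a search base belongs to, or raise
    ValueError so the caller can refuse it before any rewriting runs."""
    for name, ctx in contexts.items():
        if is_under(base, ctx):
            return name
    raise ValueError(f"search base {base!r} is outside all naming contexts")


if __name__ == "__main__":
    for base in ("cn=Tim,o=lawrence  berkeley laboratory, c=us",
                 "o=lawrence  berkeley lab,c=us"):
        try:
            print(base, "->", classify_base(base))
        except ValueError as e:
            print("rejected:", e)
```

With this in front of a proxy, the user's double-spaced base resolves to the legacy context when the rest of the value matches, and a base that names a different organization is refused outright rather than handed to back-meta to be rewritten.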