Howard Chu wrote:
Michael Ströder wrote:
From a practical standpoint - behavior of the service when clients are making requests to a backend that gets removed is totally undefined.
LDAP clients do not care about (OpenLDAP) database backends at all. They simply query a DIT.
Yes, but they expect to get consistent answers to their queries. You cannot make any assertions about consistency when the rug is pulled out from under a running query.
AFAICS the original poster wanted to replace back-shell with back-sock for the very same naming context. In theory this could be done with back-config - only requiring a very small downtime - entry deletion in back-config would be possible.
It would require adding a suffix to one backend while removing it from another. Since this can't be done in a single LDAP request it would require wrapping both changes in a single LDAP Transaction.
Doing it non-atomically would invariably result in inexplicable client error messages as they send requests to an LDAP server that was "working fine before" but suddenly replies "no global superior knowledge".
Of course one would prevent clients from connecting before. That's what I meant with "requiring a very small downtime".
Well, the point is that deleting something in back-config has to be done with some care - just like other non-trivial configuration/schema/data changes - but should not be completely impossible.
Ciao, Michael.