Hi!
I don't know who said "Ease of use, not ease of implementation is the design goal", but If one DN is used as a value for some attribute, and there's a "referential integrity module" to update such attributes if the underlying DN changes, it's hard to explain why it would work for some cases, but not for others. And to make things worse: It just fails silently.
Kind regards, Ulrich Windl
-----Original Message----- From: Ondřej Kuzník ondra@mistotebe.net Sent: Tuesday, May 6, 2025 3:12 PM To: Windl, Ulrich u.windl@ukr.de Cc: openldap-technical@openldap.org Subject: [EXT] Re: Re: Re: using refint overlay for pwdPolicySubentry
On Tue, May 06, 2025 at 12:26:52PM +0000, Windl, Ulrich wrote:
Hi!
Oh well, the typical (data) administrator is using some frontend that just shows objects' attributes, and it may not be quite obvious which ones are "virtual": After all they (e.g. pwdPolicySubentry) are stored permanently in the database (and they are synced, fortunately).
Hi, if they are this likely to shoot themselves in the foot, it is prudent of you as the system administrator to set up internal documentation and/or access control so that they are not going to.
I'm afraid that's the only advice I can give you, it is impossible for the code to anticipate every eventuality.
Regards,
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP