hi,
I have a question concerning the best method to modify an entry (in openldap) using a programming API like php.
php offers the ability to modify an entry using some functions like ldap_modify, ldap_mod_add, ldap_mod_del. sometimes it's complicated to use these functions, in this case, developers use another approach, which is deleting the entry and then add it with the new attributes etc.
my question is: is it fine to delete an entry and re-add it?? does this affect the performance of openLDAP?
thank you
daniel rahmeh wrote:
I have a question concerning the best method to modify an entry (in openldap) using a programming API like php.
php offers the ability to modify an entry using some functions like ldap_modify, ldap_mod_add, ldap_mod_del. sometimes it's complicated to use these functions, in this case, developers use another approach, which is deleting the entry and then add it with the new attributes etc.
What do you mean with complicated?
my question is: is it fine to delete an entry and re-add it?? does this affect the performance of openLDAP?
I consider this to be bad practice:
1. A new entry gets a new entryUUID which definitely leads to a new entry being replicated. Note that some other legacy sync mechanisms might also rely on entryUUID being constant for a given entity represented by the entry.
2. The directory server might do some other things hidden to the application with other operational attributes (e.g. MS AD). This might lead to user accounts being deactivated when being re-added etc.
In python-ldap there is a function ldap.modlist.modifyModlist() which generates a diff (list of modifications) of an old and a new entry which can be passed to method LDAPObject.modify(). Maybe something like this could be implemented in PHP to make it easier.
Ciao, Michael.
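The diff approach described in the reply above, as an added example that is not part of the thread and is not python-ldap's own code: it turns an old and a new entry into a list of (operation, attribute, values) changes, so the entry is modified in place and attributes the application cannot read or must not touch are left alone. The function name diff_entry, its ignore parameter and the sample entries are assumptions made for this sketch.

```python
# LDAP modify operation codes as defined by the protocol (RFC 4511).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def diff_entry(old, new, ignore=()):
    """Return (op, attr, values) tuples that turn `old` into `new`.

    Entries are dicts mapping attribute names to lists of byte strings.
    Attribute names are compared case-insensitively and value order is
    not significant. Attributes listed in `ignore` are never touched.
    (Hypothetical helper written for this example.)
    """
    skip = {name.lower() for name in ignore}
    old_by_key = {name.lower(): (name, vals) for name, vals in old.items()}
    new_by_key = {name.lower(): (name, vals) for name, vals in new.items()}
    changes = []
    for key in sorted(set(old_by_key) | set(new_by_key)):
        if key in skip:
            continue
        old_name, old_vals = old_by_key.get(key, (None, []))
        new_name, new_vals = new_by_key.get(key, (None, []))
        if set(old_vals) == set(new_vals):
            continue  # unchanged attribute: generate nothing
        if not old_vals:
            changes.append((MOD_ADD, new_name, list(new_vals)))
        elif not new_vals:
            changes.append((MOD_DELETE, old_name, None))  # drop all values
        else:
            changes.append((MOD_REPLACE, old_name, list(new_vals)))
    return changes


# Constructed sample: the entry as read back from the server. userPassword
# is absent because the ACLs make it write-only; entryUUID is operational.
OLD = {
    "cn": [b"Jane Doe"],
    "mail": [b"jane@example.org"],
    "telephoneNumber": [b"+1 555 0100"],
    "entryUUID": [b"00000000-0000-0000-0000-000000000001"],
}
# Constructed sample: what the application wants the entry to look like.
NEW = {
    "CN": [b"Jane Doe"],
    "mail": [b"jane@example.org", b"jdoe@example.org"],
    "description": [b"moved to team B"],
}

CHANGES = diff_entry(OLD, NEW, ignore=("entryUUID", "userPassword"))
```

Because only the three changed attributes appear in the result, the stored password and the entryUUID survive the update, which a delete followed by an add cannot guarantee.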
Michael Ströder wrote:
my question is: is it fine to delete an entry and re-add it?? does this affect the performance of openLDAP?
I consider this to be bad practice:
1. A new entry gets a new entryUUID which definitely leads to a new entry being replicated. Note that some other legacy sync mechanisms might also rely on entryUUID being constant for a given entity represented by the entry.
2. The directory server might do some other things hidden to the application with other operational attributes (e.g. MS AD). This might lead to user accounts being deactivated when being re-added etc.
3. If your ACLs define write-only passwords like I usually do with OpenLDAP or like MS AD does it then you don't have a chance to re-add the fully activated entry even when connecting as admin user.
Ciao, Michael.
Hi Michael,
Thank you, we are going to define a modification strategy based on updating the entry in order to avoid deleting then recreating it.
Have a nice day
Daniel
On Thu, Jul 17, 2008 at 1:26 PM, Michael Ströder <michael@stroeder.com> wrote:
Michael Ströder wrote:
my question is: is it fine to delete an entry and re-add it?? does this affect the performance of openLDAP?
I consider this to be bad practice:
1. A new entry gets a new entryUUID which definitely leads to a new entry being replicated. Note that some other legacy sync mechanisms might also rely on entryUUID being constant for a given entity represented by the entry.
2. The directory server might do some other things hidden to the application with other operational attributes (e.g. MS AD). This might lead to user accounts being deactivated when being re-added etc.
3. If your ACLs define write-only passwords like I usually do with OpenLDAP or like MS AD does it then you don't have a chance to re-add the fully activated entry even when connecting as admin user.
Ciao, Michael.
openldap-technical@openldap.org