Hi all,
I'm trying to add/remove schemas dynamically using the cn=config database (using slapd 2.4.23-7.2 on debian stable).
I'm connected to slapd with the SASL/External method as root and I'm able to search but delete breaks:
    # ldapdelete -Y EXTERNAL -H ldapi:/// "cn={2}nis,cn=schema,cn=config"
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    ldap_delete: Server is unwilling to perform (53)
The ACL seems correct to me:
    # ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcDatabase={0}config" olcAccess
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn: olcDatabase={0}config,cn=config
    olcAccess: {0}to * by dn.exact=gidNumber=0 +uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break
So is it possible to remove a schema like this ? I should miss something...
Thank you
--On Friday, April 27, 2012 12:45 PM +0200 Jean-Philippe Braun eon@patapon.info wrote:

> Hi all,
> I'm trying to add/remove schemas dynamically using the cn=config database (using slapd 2.4.23-7.2 on debian stable).

a) You really should run a current version of OpenLDAP for numerous reasons.

> So is it possible to remove a schema like this ? I should miss something...

b) there is no delete support in OL 2.4 for dynamic config. You can achieve this by:

- stopping slapd
- using slapcat to export the dynamic config to LDIF
- Modifying the LDIF export to remove the schema in question
- Remove (or rename) your old dynamic config directory
- slapadd the updated LDIF
- start slapd

There cannot be any entries in your databases using that schema.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
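
The offline procedure listed in the message above, as an added shell example that is not part of the thread or of OpenLDAP's own tooling. The config directory /etc/ldap/slapd.d, the `service slapd` calls and the `openldap` user are assumptions for a Debian install, and the function names `drop_schema_entry` and `remove_schema_offline` are made up here.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: Debian config path, init
# script and slapd user; function names are made up for this example.
CONF_DIR=${CONF_DIR:-/etc/ldap/slapd.d}

# Copy LDIF from stdin to stdout without the record whose dn is $1.
# Records are blank-line separated; folded lines (newline + space) are
# unfolded before comparing so a wrapped dn still matches.
# Later {n} schema indexes are left exactly as exported.
drop_schema_entry() {
    awk -v want="dn: $1" '
        BEGIN { RS = ""; ORS = "\n\n" }
        {
            rec = $0
            gsub(/\n /, "", rec)
            split(rec, lines, "\n")
            if (tolower(lines[1]) == tolower(want)) { dropped++; next }
            print $0
        }
        END { if (dropped != 1) exit 3 }   # exactly one record must match
    '
}

# The six steps from the message, in order; $1 is the schema dn. Run as root.
# It does not check that no database entry still uses the schema; do that
# before running it. Any failed step stops the run and leaves slapd stopped.
remove_schema_offline() {
    export_ldif=$(mktemp) && edited_ldif=$(mktemp) || return 1
    service slapd stop || return 1
    slapcat -n 0 -F "$CONF_DIR" -l "$export_ldif" || return 1
    drop_schema_entry "$1" <"$export_ldif" >"$edited_ldif" || return 1
    mv "$CONF_DIR" "$CONF_DIR.old" || return 1      # keep the old config
    mkdir -m 750 "$CONF_DIR" || return 1
    slapadd -n 0 -F "$CONF_DIR" -l "$edited_ldif" || return 1
    chown -R openldap:openldap "$CONF_DIR" || return 1
    service slapd start
}

# Usage: sh thisfile --run 'cn={2}nis,cn=schema,cn=config'
if [ "${1:-}" = "--run" ]; then
    remove_schema_offline "${2:?schema dn required}"
fi
```

Because the old directory is only renamed to `$CONF_DIR.old`, a failed `slapadd` can be undone by moving it back before starting slapd.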
On Friday, April 27, 2012 at 08:12 -0700, Quanah Gibson-Mount wrote:

> --On Friday, April 27, 2012 12:45 PM +0200 Jean-Philippe Braun eon@patapon.info wrote:
>
>> Hi all,
>> I'm trying to add/remove schemas dynamically using the cn=config database (using slapd 2.4.23-7.2 on debian stable).
>
> a) You really should run a current version of OpenLDAP for numerous reasons.
>
>> So is it possible to remove a schema like this ? I should miss something...
>
> b) there is no delete support in OL 2.4 for dynamic config. You can achieve this by:
>
> - stopping slapd
> - using slapcat to export the dynamic config to LDIF
> - Modifying the LDIF export to remove the schema in question
> - Remove (or rename) your old dynamic config directory
> - slapadd the updated LDIF
> - start slapd
>
> There cannot be any entries in your databases using that schema.

Thanks.
Is this feature planned for OL future releases ?
--On Friday, April 27, 2012 7:46 PM +0200 Jean-Philippe Braun eon@patapon.info wrote:

>> There cannot be any entries in your databases using that schema.
>
> Thanks.
> Is this feature planned for OL future releases ?

There is experimental support for delete operations in the config database in later versions of OpenLDAP 2.4 if you explicitly enable it at build time. I would already advise you to upgrade to a current release, given the antiquated nature of what you're currently running, so if you wanted to experiment with said support, you could enable it when you upgraded.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:

> --On Friday, April 27, 2012 7:46 PM +0200 Jean-Philippe Braun eon@patapon.info wrote:
>
>>> There cannot be any entries in your databases using that schema.
>>
>> Thanks.
>> Is this feature planned for OL future releases ?
>
> There is experimental support for delete operations in the config database in later versions of OpenLDAP 2.4 if you explicitly enable it at build time. I would already advise you to upgrade to a current release, given the antiquated nature of what you're currently running, so if you wanted to experiment with said support, you could enable it when you upgraded.

For disabling certain schema elements there's also OBSOLETE. This is a good idea anyway to avoid re-using OIDs.
Ciao, Michael.
openldap-technical@openldap.org