Quanah Gibson-Mount writes:
> Is there a better way of adding a required attribute to an
> in-production objectclass?
Stop your server, export your database, use Perl's Net::LDAP::LDIF to add
the attribute to every entry it applies to, put your updated schema on the
server, and reload it with the updated LDIF file.
Or if that gives too long downtime, you can run slapd in read-only mode
with the old database while rebuilding the new database:
Make a copy of slapd.conf, in which you add "readonly on" above the
database directive and change "directory /foo/bar" to something like
"directory /foo/bar.old". Then after stopping slapd and exporting your
database: Rename your database directory to the ".old" location and
restart slapd with -f <new conf>. Then take it down again when you're
ready to restart with the new database and the original conf. Also, you
might run slaptest on the new slapd before taking down the readonly
And when running slap tools, remember to suid to the user/group slapd
will run as. The slapd -u/-g options don't work with slap tools.
Your original procedure lacked a step: Check that no users added an
entry with some other tool than yours, one which doesn't add the
attribute. If so, goto step 1.
But come to think of it, slapd will start fine if existing entires lack
a "MUST" attribute. It doesn't read the entire database to check, after
all. Maybe something will misbehave when trying to access such entries,
I don't know. But maybe it'll work fine to restart the server with the
MUST and add the actual attribute afterwards.