Re: core.schema



> 	I've successfully migrated from openldap 1.x to 2.x apart from being able
> to include attributes like createTimestamp, modifyTimestamp,
> creatorsName and modifiersName.
> ( I get something like
> 	ldap_add: Constraint violation
> 	additional info: no user modification allowed ).
> 
> 	I tried to include those attributes in objectclass Person with no
> success though.
> ( Getting the same error as above described ).
> 
> Could someone please enlighten me?
> 
> Thanks in advance,
> Hugo.
> 

It is incorrect to modify an operational attribute such as createtimestamp
or modifytimestamp.  They are maintained internally by the server.  OpenLDAP
1.2.x would silently discard attempts to modify these.

Nevertheless, I've had situations where I wanted to set these two particular
attributes, because I was restoring a user's object from a backup, and I
wanted the createtimestamp to reflect the original creation rather than
the time of the restoration.

Before I go on, I would first say that if I had my database to redesign
over again, I would not rely on the createtimestamp to give me that kind
of information.  I would add my own timestamp attribute which would not
be subject to the constraints of LDAP rules.

That said, there are basically 3 approaches you can use if you absolutely
must modify these values.

1. Dump your database to an LDIF file, edit the LDIF file and reload it.

2. Hack the source to bypass the constraint check.

3. Bring your server up as a slave.  Connect to it using the updatedn and
you'll be able to set those timestamps.  Then switch it back again.

#1 forces some server downtime.  #2 breaks the rules and specializes your
code.  #3 again requires downtime, and limited access (e.g. most users
cannot write, they'll get referrals).

All three approaches have their drawbacks, but sometimes we admins have
to do nasty things to make things right.


Randy
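
The editing step of approach 1 above (dump to LDIF, edit, reload), as an added Python example that is not part of the original message: it copies createTimestamp and creatorsName from a backup LDIF into the matching entries of a current dump. The function names and sample entries are constructed for illustration, and DN matching is a simple case-insensitive comparison.

```python
import base64
import re

def parse_ldif(text):
    """Split LDIF into entries, each a list of unfolded 'attr: value' lines."""
    text = re.sub(r"\n ", "", text.replace("\r\n", "\n"))   # undo line folding
    entries = []
    for block in text.strip().split("\n\n"):
        lines = [l for l in block.split("\n") if l and not l.startswith(("#", "version:"))]
        if lines:
            entries.append(lines)
    return entries

def attr_of(line):
    return line.partition(":")[0].lower()

def dn_key(entry):
    """Decoded, lower-cased DN (a simplification of real DN matching)."""
    if attr_of(entry[0]) != "dn":
        raise ValueError("entry does not start with dn: %r" % entry[0])
    rest = entry[0].partition(":")[2]
    if rest.startswith(":"):                     # 'dn:: <base64>'
        rest = base64.b64decode(rest[1:]).decode("utf-8")
    return rest.strip().lower()

def restore_operational(dump, backup, attrs=("createTimestamp", "creatorsName")):
    """Return the dump with attrs replaced by the backup's values for matching DNs."""
    wanted = {a.lower() for a in attrs}
    saved = {dn_key(e): [l for l in e[1:] if attr_of(l) in wanted]
             for e in parse_ldif(backup)}
    out = []
    for entry in parse_ldif(dump):
        keep = saved.get(dn_key(entry), [])
        replaced = {attr_of(l) for l in keep}
        entry = [l for l in entry if attr_of(l) not in replaced] + keep
        out.append("\n".join(entry))             # lines are written unfolded
    return "\n\n".join(out) + "\n"

# Constructed sample data: an entry re-created after a restore, and its backup copy.
DUMP = """dn: uid=hugo,dc=example,dc=com
cn: Hugo
createTimestamp: 20010305120000Z
"""
BACKUP = """dn: uid=hugo,dc=example,
 dc=com
createTimestamp: 19991102083000Z
"""
RESTORED = restore_operational(DUMP, BACKUP)
```

Entries absent from the backup pass through unchanged, and the result is only useful once it is reloaded, which is where the downtime noted for #1 comes in.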