best practice for global updates to all entries




Mike Denka
WhidbeyNet
(360)341-0009

I have a situation where I need to add a new objectclass to every entry
in a very large subtree (15,564 entries requiring the change).  My
question has to do with the most efficient way of doing this.  I have a
master ldap server and two slaves.  I need this new objectclass to
appear on entries on the slaves also.  Here are the two alternatives
that I can see:

1) slapcat the whole directory on the master and run a script to add the
new objectclass to every entry (in the appropriate subtree).  Then
delete the existing db and slapadd the new ldif file back in.  Then go
to each slave and delete the existing db and slapadd the new ldif file.
The downside to this option is that I have to halt the ldap servers on
my slaves during the slapadd process and this will impact authentication
across my network.  Running slapadd can take time so the down time on
the network could be substantial.

2) run a script to run ldapmodify on each entry in the affected subtree
on the master.  I would sleep the script for 10 seconds or so between
each ldapmodify run to avoid stressing the master too much with
thousands of updates to itself and the slaves in a short period of time.
This avoids having to bring down the slaves and the master but it risks
stressing the master and slaves with all the updates and could take a
very long time to complete (using 10 second intervals, it would take
over 150,000 seconds, or 41 hours).  This seems like a pretty stupid
brute force method to me but it costs no downtime.

Could I get some expert opinions on the best way of handling a case like
this?  Is there a better way that I'm not aware of?

Thanks,

Mike
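
The script half of option 2, as an added example that is not part of the original post: it reads slapcat-style LDIF and emits one LDIF modify record per entry in the subtree that lacks the new objectclass. The objectclass name `exampleAux`, the base DN and the sample entries are constructed for illustration, and DN matching is simplified (case-insensitive, no escaped commas).

```python
import base64

NEW_CLASS = "exampleAux"                 # hypothetical objectclass name
SUBTREE = "ou=people,dc=example,dc=com"  # constructed base DN

# Constructed sample in slapcat's LDIF format: a folded DN line and a base64 DN.
CAROL = base64.b64encode(b"uid=carol,ou=people,dc=example,dc=com").decode()
SAMPLE = (
    "dn: uid=alice,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n\n"
    "dn: uid=bob,ou=people,dc=example,\n dc=com\nobjectClass: exampleAux\n\n"
    f"dn:: {CAROL}\nobjectClass: inetOrgPerson\n\n"
    "dn: cn=admins,ou=groups,dc=example,dc=com\nobjectClass: groupOfNames\n"
)

def entries(ldif):
    """Yield (dn, set of lowercased objectClass values) for each entry."""
    unfolded = ldif.replace("\n ", "")  # join RFC 2849 continuation lines
    for block in unfolded.split("\n\n"):
        dn, classes = None, set()
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            attr = attr.lower()
            if not sep or attr not in ("dn", "objectclass"):
                continue  # comments, other attributes, binary values
            if rest.startswith(":"):  # "attr:: <base64>"
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            if attr == "dn":
                dn = rest.strip()
            else:
                classes.add(rest.strip().lower())
        if dn:
            yield dn, classes

def in_subtree(dn, base):
    """Simplified suffix match: lowercases and ignores spaces after commas."""
    norm = lambda d: ",".join(p.strip() for p in d.lower().split(","))
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def dn_line(dn):
    """Emit the DN as plain LDIF when safe, otherwise base64-encoded."""
    if dn.isascii() and dn[:1] not in (" ", ":", "<"):
        return f"dn: {dn}"
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode()

def change_records(ldif, base=SUBTREE, new_class=NEW_CLASS):
    """Return LDIF modify records for subtree entries lacking new_class."""
    out = []
    for dn, classes in entries(ldif):
        if in_subtree(dn, base) and new_class.lower() not in classes:
            out.append(f"{dn_line(dn)}\nchangetype: modify\n"
                       f"add: objectClass\nobjectClass: {new_class}\n-\n")
    return "\n".join(out)

if __name__ == "__main__":
    print(change_records(SAMPLE))
```

The records it prints are in the format ldapmodify reads from a file with `-f`, and entries that already carry the objectclass are skipped so a rerun does not fail on duplicates.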