
Re: Migrating from slapd 2.3 to 2.4



Nick Milas wrote:
> If a non-root DN is used for replication, then only
> the parts of the DIT that are accessible by that DN will be
> replicated.
> 
> Additionally, slapcat outputs operational attributes too, which I
> think can not be identical on both ends.
Because it is possible to initialize a replica with a slapcat output,
we need all attributes which are in this output. All other
operational attributes are not needed.

I have not done this in practice but I believe one may try it this way.

Assume you have an entry cn=111. So we slapcat this entry and
do a temporary search. Attributes which are in slapcat and NOT in
search must be added to the final search. Then compare the output of both
operations.



slapcat  -n1 -H 'ldap:///???(cn=111)'  2>/dev/null |cut -d: -f1
dn
cn
objectClass
UIFtype
UIFsource
structuralObjectClass
entryUUID
creatorsName
createTimestamp
entryCSN
modifiersName
modifyTimestamp


ldapsearch -xAMMLLL 'cn=111' '*'  2>/dev/null |cut -d: -f1
dn
cn
objectClass
UIFtype
UIFsource


In this case, a db which is not a replica, we must add
these attributes:
structuralObjectClass entryUUID creatorsName createTimestamp entryCSN modifiersName modifyTimestamp


so the final search is:
ldapsearch -xMMLLL 'cn=111' '*' structuralObjectClass entryUUID creatorsName createTimestamp entryCSN modifiersName modifyTimestamp  2>/dev/null


The used switches MM and LLL are important.

So now we have a way to partially slapcat a DIT and do a search which
produces the same result if the user who is doing the search has
the rights to see all attributes.

Use the mentioned perl tools to sort and diff the output.

-- 

Harry Jede
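
The attribute comparison described in the message above, as an added example that is not part of the original post: it lists the attributes present in slapcat output but absent from a search result, skipping folded LDIF continuation lines that a bare `cut -d: -f1` would pass through as names. The LDIF samples, the `dc=example,dc=com` suffix and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; the LDIF below is constructed sample data, not real output.
export LC_ALL=C   # one collation for both sort and comm
slapcat_sample() {   # stands in for: slapcat -n1 -H 'ldap:///???(cn=111)'
cat <<'EOF'
dn: cn=111,dc=example,dc=com
cn: 111
objectClass: top
UIFtype: a
UIFsource: b
description: constructed long value that LDIF would fold onto a
 second line: with a colon in it
structuralObjectClass: top
entryUUID: 00000000-0000-0000-0000-000000000111
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20110101000000Z
entryCSN: 20110101000000.000000Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20110101000000Z
EOF
}

search_sample() {    # stands in for: ldapsearch -xMMLLL 'cn=111' '*'
cat <<'EOF'
dn: cn=111,dc=example,dc=com
cn: 111
objectClass: top
UIFtype: a
UIFsource: b
description: constructed long value that LDIF would fold onto a
 second line: with a colon in it
EOF
}

# Unique attribute names in LDIF on stdin. Comments, blank lines and folded
# continuation lines (leading space) do not start with a name and are skipped.
attr_names() { awk -F: '/^[A-Za-z0-9]/ { print $1 }' | sort -u; }

# Names present in LDIF file $1 but absent from LDIF file $2, space-separated.
missing_attrs() {
    a=$(mktemp); b=$(mktemp)
    attr_names <"$1" >"$a"; attr_names <"$2" >"$b"
    comm -23 "$a" "$b" | paste -sd ' ' -
    rm -f "$a" "$b"
}

s=$(mktemp); q=$(mktemp); slapcat_sample >"$s"; search_sample >"$q"
echo "ldapsearch -xMMLLL 'cn=111' '*' $(missing_attrs "$s" "$q")"
rm -f "$s" "$q"
```

Run against real output, an empty result from `missing_attrs` after the final search means the searching DN saw every attribute type that slapcat exported for that entry.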