Full_Name: Quanah Gibson-Mount Version: OpenLDAP 2.4 OS: N/A URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) In OpenLDAP 2.4.43, a new attribute was added to the external ppolicy schema (ITS#8185). While this worked fine with older slapd.conf based configurations where the ppolicy schema file was replaced on upgrade, it was a complete and utter disaster for deployments using cn=config, as the ppolicy overlay references all the attributes defined in external ppolicy schema file. To be able to upgrade without failure, one would have export cn=config, update the binaries, update the ppolicy schema information in the exported cn=config database, re-import cn=config, and then start slapd. This broke the usual ability to do in-place upgrades with cn=config. Instead, the entire contents of the ppolicy.schema file should be internalized to the ppolicy overlay, similar to how the accesslog overlay is written, and the external ppolicy.schema file deleted. This will allow non-breaking upgrades for both slapd.conf and cn=config based configurations.
The root cause is that updating slapd with its default schema installed does not update existing content of cn=schema,cn=config. You have to tackle this root cause and not only solve it for a particular overlay. Your conclusion is to hard-code the ppolicy schema into the C code. If you think this to the end you have to move *all* standard schema installed to schema_prep.c. IMO this is bad design. But I'm not the one to decide on that. :-/ Ciao, Michael.
michael@stroeder.com wrote: > The root cause is that updating slapd with its default schema installed > does not update existing content of cn=schema,cn=config. > > You have to tackle this root cause and not only solve it for a > particular overlay. We could instead ship an update.ldif containing the mods between different schema versions, that must be applied with slapmodify during the update process... -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On 11/17/18 11:35 AM, hyc@symas.com wrote: > We could instead ship an update.ldif containing the mods between > different schema versions, that must be applied with slapmodify > during the update process... IMO too many prerequisites must be perfectly full-filled and thus is too fragile. That's one of the things where e.g. OpenDS/OpenDJ does a much better job with its cn=config: The schema shipped with the server is stored in various LDIF files in a config directory along with file rootdse.ldif holding cn=config. Schema directly added by modifying cn=schema is sent to a separate user schema file. With such a layout the standard schema shipped with the software is not part of cn=config but can still be dynamically changed (by directly modifying subschema subentry). But there's always a way out of trouble because you can manually fix the separate LDIF schema file(s). Ciao, Michael.
--On Saturday, November 17, 2018 9:49 AM +0000 michael@stroeder.com wrote: > Your conclusion is to hard-code the ppolicy schema into the C code. > If you think this to the end you have to move *all* standard schema > installed to schema_prep.c. The above statement is simply not true. The difference here is the fact that the ppolicy binary has direct references to the schema in its code, which requires it to have matching schema prior to slapd being able to start. You can still start slapd when any schema (outside of the few items hard coded in schema_prep for the same reason) is different. You have the ability at that point to modify slapd via online operations post-upgrade. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>
--On Saturday, November 17, 2018 11:27 AM +0000 michael@stroeder.com wrote: > With such a layout the standard schema shipped with the software is not > part of cn=config but can still be dynamically changed (by directly > modifying subschema subentry). But there's always a way out of trouble > because you can manually fix the separate LDIF schema file(s). You can manually fix the ones stored in cn=config with OpenLDAP now, and you can also change it dynamically. I'm not sure how either of those statements address the problem discussed in this ITS. Quite frankly, I wrote a tool to automatically update the schema stored with cn=config so that it matched whatever was shipped in a given release on upgrade when I worked @ Zimbra: <https://github.com/Zimbra/zm-core-utils/blob/develop/src/libexec/zmldapschema> I.e., I don't really see what in the above is different from what you can do now, nor do I see how it resolves the issue of a binary compiled file that must have references to valid schema compiled into it. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>
In master, ppolicy now carries the schema internally. We still need to document the upgrade procedure for 2.5.
*** This issue has been marked as a duplicate of issue 9156 ***