
Re: Invalid DN after schema change



Howard Chu wrote:
> Michael Ströder wrote:
>> If one plays around with schema and an attribute type used in the RDN
>> of an entry is no longer present then this entry is no longer readable
>> because whenever a request is sent to slapd invalidDNSyntax is returned.
>> This leads to the situation that a client can't even explicitly delete
>> this offending entry anymore.
>>
>> I'd vote for relaxing the schema-based DN checking in case of search,
>> rename (only old DN), modify and delete requests a bit so that after a
>> schema change the data can be corrected with normal client tools without
>> server down-time.
>>
>> Any thoughts on this?
> 
> "Don't do that."

I expected you to say this but IMO it's not that simple.
It's sometimes required to remove schema elements in case of bad schema
design. I consider it one of the advantages of OpenLDAP that this is
possible. And in fact slapd starts without checking whether *existing*
entries are all compliant with the current schema. But then non-compliant
entries are not accessible anymore at all. So you can't clean up the
data via LDAP without down-time.

Cleaning up now requires
stopping slapd,
slapcat,
tweak LDIF,
slapadd,
start slapd

This can be a huge pain if the number of non-compliant entries is
rather small compared to the overall number of entries.

So still my suggestion is to distinguish validating a new DN from
validating a DN of an *existing* entry.

Ciao, Michael.
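
An added example, not part of the original message and not OpenLDAP code: for the "tweak LDIF" step of the offline cleanup listed above, this Python script finds the DNs in a slapcat-style dump that use a removed attribute type in any RDN, which also catches children of an affected entry. The dump, the attribute name `legacyId` and all function names are constructed for illustration.

```python
import base64
import re

# Constructed slapcat-style dump (not from the thread); "legacyId" stands in
# for an attribute type that was removed from the schema.
SAMPLE_LDIF = """\
dn: legacyId=42,dc=example,dc=com
legacyId: 42

dn: cn=child,legacyId=42,dc=example,dc=com
cn: child

dn: cn=Smith\\, John+LegacyID=7,ou=people,
 dc=example,dc=com
cn: Smith, John

dn:: Y249YmFyLGRjPWV4YW1wbGUsZGM9Y29t
cn: bar
"""

def entry_dns(ldif_text):
    """Return every entry DN, undoing LDIF line folding and base64 (dn::)."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # folded lines start with one space
    found = re.findall(r"^dn(::?) ([^\r\n]*)", unfolded, flags=re.M)
    return [base64.b64decode(v).decode("utf-8") if colons == "::" else v
            for colons, v in found]

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters inside their part."""
    parts = [""]
    for token in re.findall(r"\\.|.", text, flags=re.S):
        if token == sep:
            parts.append("")
        else:
            parts[-1] += token
    return parts

def dn_attr_types(dn):
    """Lower-cased attribute types of every AVA in every RDN of the DN."""
    return {ava.split("=", 1)[0].strip().lower()
            for rdn in split_unescaped(dn, ",")
            for ava in split_unescaped(rdn, "+")}

def dns_using(ldif_text, removed_types):
    """DNs that name an entry (or one of its ancestors) with a removed type."""
    removed = {t.lower() for t in removed_types}
    return [dn for dn in entry_dns(ldif_text) if dn_attr_types(dn) & removed]
```

Calling `dns_using(dump_text, {"legacyId"})` on the text of a real dump gives the entries to rewrite before slapadd; attribute type matching is case-insensitive.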