Re: Updating a private schema (cn=config)?

Ralf Haferkamp writes:
> On Thursday 11 December 2008 16:39:24, Andrzej Jan Taramina wrote:
>> That makes no sense. Checking to see if there are entries that depend on
>> the schema before attempting the delete and declining the delete if there
>> are such entries makes sense.
> But is very time consuming and resource intensive. E.g. checking for the
> presence of an AttributeType requires a full scan of the database if
> that AttributeType is not indexed, I think.

An index would be insufficient for such a check, because a schema
element can be part of an attribute value.  The DN and "Name and
Optional UID" syntaxes contain attribute types.  Guide/Enhanced Guide
contain object classes (as does objectClass itself of course).  OID
contains either.

The schema attributes themselves must be checked, and inheritance.  Also
configuration, both config known to slapd like access control and that
known to modules like the attributes restricted by the "unique" overlay.

Or much of the latter could be dropped, in favor of a reference count or
garbage collection.  But either way, modules must provide a way to ask
them if they are using a schema element.

>> A blanket refusal to do such a delete is inappropriate, IMO.
> But the safest option we can currently offer, IMO.

Could add a "trust me, I know what I'm doing" control.  slapd only
accepts potentially fatal cn=config changes if that control is set.
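
The point above about an index being insufficient, as an added example that is not part of the original message and is not OpenLDAP code: a scan that looks for one attribute type as an attribute, inside DN-valued attributes and entry DNs, and in SUP/MUST/MAY clauses of schema definitions. The attribute badgeId, the class badgeHolder, the 1.1.x OIDs, the DN_VALUED set and the dict layout of the entries are all assumptions made for illustration.

```python
import re

# Assumption: attributes known to carry DN or "Name and Optional UID" values.
# A real check would read each attribute's syntax from the schema instead.
DN_VALUED = {"member", "manager", "seealso", "owner", "uniquemember"}

def rdn_types(dn):
    """Attribute types named in a DN (simplified: backslash escapes only)."""
    dn = dn.rsplit("#'", 1)[0]          # drop an optional UID bit string
    parts = re.split(r"(?<!\\)[,+]", dn)
    return {p.split("=", 1)[0].strip().lower() for p in parts if "=" in p}

def schema_refs(definition):
    """Names referenced by SUP/MUST/MAY in a schema definition string."""
    refs = set()
    for _, body in re.findall(r"\b(SUP|MUST|MAY)\s+(\([^)]*\)|\S+)", definition):
        refs |= {t.lower() for t in re.split(r"[\s$()]+", body) if t}
    return refs

def find_uses(attr, entries):
    """Return sorted (dn, where) pairs for every place `attr` is used."""
    attr, hits = attr.lower(), set()
    for dn, attrs in entries.items():
        if attr in rdn_types(dn):
            hits.add((dn, "entry DN"))
        for name, values in attrs.items():
            base = name.split(";", 1)[0].lower()   # strip options like ;binary
            if base == attr:
                hits.add((dn, "attribute"))        # the only case an index sees
            for v in values:
                if base in DN_VALUED and attr in rdn_types(v):
                    hits.add((dn, f"DN value of {name}"))
                if base in ("olcattributetypes", "olcobjectclasses") and attr in schema_refs(v):
                    hits.add((dn, f"schema definition in {name}"))
    return sorted(hits)

# Constructed sample data; badgeId, badgeHolder and the 1.1.x OIDs are made up.
ENTRIES = {
    "cn={1}badge,cn=schema,cn=config": {
        "olcAttributeTypes": ["( 1.1.2.1.1 NAME 'badgeId' SUP name )"],
        "olcObjectClasses": ["( 1.1.2.2.1 NAME 'badgeHolder' SUP top AUXILIARY MAY badgeId )"],
    },
    "badgeId=42,ou=people,dc=example,dc=com": {"objectClass": ["badgeHolder"], "badgeId": ["42"]},
    "cn=staff,ou=groups,dc=example,dc=com": {"member": ["badgeId=42,ou=people,dc=example,dc=com"]},
    "cn=alice,ou=people,dc=example,dc=com": {"cn": ["alice"]},
}

if __name__ == "__main__":
    for hit in find_uses("badgeId", ENTRIES):
        print(hit)
```

Configuration that refers to the attribute, such as access control rules or the "unique" overlay mentioned above, is outside what this scan covers.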