[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: So I finally upgraded from slurpd...

On Tue, 20 Jul 2010, masarati@aero.polimi.it wrote:

> > It turned out that the object cn=admin,dc=foo,dc=no had multiple
> > occurances of "objectClass: organizationalRole" (!), and this also
> > prevented syncrepl from working. I suspect it was a result of "manual"
> > editing of ldif files followed by an import using slapadd. I get no
> > warnings from slapadd when I import import objects with multiple
> > occurances of the same objectClass.
> >
> > Perhaps slapadd/slapd should be able to deal with such duplicate
> > entries better, to make it more obivous what's wrong? I'm just saying
> > :)
> slapd(8) can handle those occurrences.

But does it handle it good enough, when it prevents replsync from working?

> slapadd(8) is intended to load LDIF files generated by slapcat(8), thus
> presumably consistent.

And the file was indeed LDIF file generated by slapcat. Since slapd allows
it, slapcat will also spit it out - when slapcat, slapadd and slapd all
"handle it" without giving any warnings back to anyone, it's not so easy
to detect errors.

> In general, it deals with the most obvious errors.  I don't think asking
> slapadd to perform these checks is a good idea, as it would slow it down
> without real benefit: if an error is caught, you would need to restart,
> wasting all the actual write effort.

I don't quite agree - as I understand it slapadd already does some sanity
checking, how much overhead would a check for objectClass doublets imply?
And I dont see why you would need to restart, on a doublet either spit out
a warning, or even better - spit out a warning and discard the doublet.

> A sanity check tool for unreliable LDIF would probably be more
> appropriate.  I guess at this point most users would pretend their LDIF
> is always reliable, and avoid running the sanity checker...

Really? Yes, I would love a sanity checker, and I would most likely
_always_ run LDIF through a sanity checker before using slapadd to write
to back-end.

But again - slapadd already does some sanity checking, and there's even a
flag for "dry-run" mode (-u) which IMO says that it is supposed to be used
as a sanity checking tool. I'm perfectly OK to let _all_ sanity checks
only occure when using -u.

I would love to dump all my ldap data to an LDIF and run it through a
sanity checker, I suspect there's more "old noise" stuck in there.

Cheers! :)

Kolbjørn Barmen
UNINETT Driftsenter