Howard Chu wrote: > Michael Ströder wrote: >>> From a practical standpoint - behavior of the service when clients are making >>> requests to a backend that gets removed is totally undefined. >> >> LDAP clients do not care about (OpenLDAP) database backends at all. >> They simply query a DIT. > > Yes, but they expect to get consistent answers to their queries. You cannot > make any assertions about consistency when the rug is pulled out from under a > running query. > >> AFAICS the original poster wanted to replace back-shell with back-sock for the >> very same naming context. In theory this could be done with back-config - only >> requring a very small downtime - entry deletion in back-config would be >> possible. > > It would require adding a suffix to one backend while removing it from > another. Since this can't be done in a single LDAP request it would require > wrapping both changes in a single LDAP Transaction. > > Doing it non-atomically would invariably result in inexplicable client error > messages as they send requests to an LDAP server that was "working fine > before" but suddenly replies "no global superior knowledge". Of course one would prevent clients from connecting before. That's what I meant with "requiring a very small downtime". Well, the point is that deleting something in back-config has to be done with some care - just like other non-trivial configuration/schema/data changes - but should not be completely impossible. Ciao, Michael.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature