
Re: use ldif backup with operational attributes in conjunction with slapadd?



Hallvard Breien Furuseth wrote:
> On 2013-05-30 20:08, Quanah Gibson-Mount wrote:
>> <meike.stone@googlemail.com> wrote:
>>
>>> I want to preserve the operational attributes from the ldapsearch ldif
>>> (created with '+' '*').
>>> But I saw that an ldapsearch ldif with operational attributes has
>>> more operational attributes than the slapcat ldif.
>>
>> An ldapsearch generated and slapcat generated LDIF of the same db
>> will be identical for *,+ for ldapsearch.  So your statement doesn't
>> really make much sense.
> 
> Sure it does. slapcat gives the raw data in LDIF format. ldapsearch
> runs it through overlays. It can generate dynamic attrs, rewrite,
> and reorder data. LDAP mostly leaves ordering unspecified.

Good point but...

> It could contain generated read-only attrs like memberOf.

..for better performance 'memberOf' is stored in the DB (and e.g. indexed) and
LDIF generated by slapcat indeed contains values of attribute 'memberOf'.

I'd be more worried about whether the identity used during ldapsearch has read
access to all attributes. LDAP access is subject to ACL checking whereas
slapcat is not.

Ciao, Michael.
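
An added example, not part of the original message: one way to check the ACL concern raised above is to diff the attribute names per entry between a slapcat dump and an ldapsearch '+' '*' dump of the same database. The function names, the report layout and the sample LDIF are constructed for illustration.

```python
def parse_ldif(text):
    """Map each DN to the set of attribute names present in its entry."""
    entries, dn = {}, None
    # RFC 2849 folding: a line starting with one space continues the previous one.
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():                 # blank line ends the current entry
            dn = None
            continue
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:  # comments and malformed lines
            continue
        if name.lower() == "dn":
            # Simplification: DNs compared as lowercased strings (dn:: stays encoded).
            dn = rest.strip().lower()
            entries.setdefault(dn, set())
        elif dn is not None:                 # ignores "version: 1" before the first dn
            entries[dn].add(name.lower())
    return entries

def compare(slapcat_ldif, search_ldif):
    """Report what the LDAP-level export lacks or adds relative to slapcat."""
    raw, seen = parse_ldif(slapcat_ldif), parse_ldif(search_ldif)
    report = {}
    for dn in sorted(set(raw) | set(seen)):
        missing = sorted(raw.get(dn, set()) - seen.get(dn, set()))
        extra = sorted(seen.get(dn, set()) - raw.get(dn, set()))
        if missing or extra:
            report[dn] = {"entry_hidden": dn not in seen, "missing": missing, "extra": extra}
    return report

# Constructed sample dumps of the same database (not taken from the thread).
SLAPCAT = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: Y29uc3RydWN0ZWQ=
memberOf: cn=staff,ou=groups,dc=example,dc=com

dn: cn=replicator,dc=example,dc=com
cn: replicator
userPassword:: Y29uc3RydWN0ZWQ=
"""
SEARCH = """version: 1

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
memberOf: cn=staff,ou=groups,
 dc=example,dc=com
hasSubordinates: FALSE
"""
REPORT = compare(SLAPCAT, SEARCH)
print(REPORT)
```

Entries or attributes listed as missing are candidates for data the bind identity could not read; attributes listed as extra are ones the server added on the way out.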
