Michael Ströder wrote:
>> From a practical standpoint - behavior of the service when clients are making
>> requests to a backend that gets removed is totally undefined.
>
> LDAP clients do not care about (OpenLDAP) database backends at all.
> They simply query a DIT.

Yes, but they expect to get consistent answers to their queries. You cannot
make any assertions about consistency when the rug is pulled out from under a
running query.

> AFAICS the original poster wanted to replace back-shell with back-sock for the
> very same naming context. In theory this could be done with back-config - only
> requiring a very small downtime - entry deletion in back-config would be
> possible.

It would require adding a suffix to one backend while removing it from
another. Since this can't be done in a single LDAP request it would require
wrapping both changes in a single LDAP Transaction.
Doing it non-atomically would invariably result in inexplicable client error
messages as they send requests to an LDAP server that was "working fine
before" but suddenly replies "no global superior knowledge".
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/