removing previously stored generated attributes

Andrew Bartlett abartlet at samba.org
Fri Jun 4 17:49:22 MDT 2010 

On Fri, 2010-06-04 at 17:09 +0400, Matthieu Patou wrote:
> Hi Andrew,
> On 04/06/2010 15:48, Andrew Bartlett wrote:
> > On Fri, 2010-06-04 at 09:53 +0400, Matthieu Patou wrote:
> >    
> >> Hello,
> >>
> >> While trying to do it with msds-keyversionnumber I find the pb far from
> >> being trivial.
> >>
> >> The thing is that with a given provision we have some attributes that
> >> are marked as automatically generated and that used to be stored in the
> >> database.
> >> A search with an "old" provision but new code will return the calculated
> >> attribute what ever the stored version is.
> >> So to access to the stored version I have the impression that I should
> >> go without the modules and access the ldb at the low level.
> >>
> >> Well accessing at low level is not such big problem I think, but if we
> >> want also to get rid of previously stored values we have also to remove
> >> old version.
> >>
> >> I can really well remember andrew B. saying that this should not be done
> >> otherwise we have the risk to broke or mess indexes.
> >>      
> > Correct.  It is quite dangerous to access the DB for write access
> > without the schema loaded.
> >    
> Well loading the schema is useless without the modules I guess. What is 
> the risk when messing with not anymore used attribute ?

If a reindex is somehow triggered, yes. 

> >    
> >> I suppose the risk is still valid in general, is it also still the case
> >> for attributes that are not fetched from the database ?
> >>
> >> If so as I want to release a new version of upgradeprovision soon, is it
> >> acceptable to not remove old attributes (can be in next releases).
> >>      
> > This is quite acceptable.
> 
> > To see the DB without the generated
> > attributes, simply don't search for them by name (you only get stored
> > attributes with *), or we can add an internal-only control if needed for
> > greater certainty.
> >
> >    
> I'm not 100% sure because it seems that if you don't specify this 
> attribute then ldbsearch didn't return it.

Yes, because the 'operational' module is told to ensure it isn't
returned.  (also parentguid). 

> So it seems basically it seems that the solutions left are one more 
> controls, or low level read.

A custom control to stop this behaviour in the operational module would
seem to be the right thing. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100605/618869c6/attachment.pgp>

More information about the samba-technical mailing list