On Tue, 20 Jul 2010, masar...@aero.polimi.it wrote:

> > It turned out that the object cn=admin,dc=foo,dc=no had multiple
> > occurrences of "objectClass: organizationalRole" (!), and this also
> > prevented syncrepl from working. I suspect it was a result of "manual"
> > editing of ldif files followed by an import using slapadd. I get no
> > warnings from slapadd when I import objects with multiple
> > occurrences of the same objectClass.
> >
> > Perhaps slapadd/slapd should be able to deal with such duplicate
> > entries better, to make it more obvious what's wrong? I'm just saying
> > :)
>
> slapd(8) can handle those occurrences.

But does it handle it well enough, when it prevents replsync from working?

> slapadd(8) is intended to load LDIF files generated by slapcat(8), thus
> presumably consistent.

And the file was indeed an LDIF file generated by slapcat. Since slapd allows it, slapcat will also spit it out - when slapcat, slapadd and slapd all "handle it" without giving any warnings back to anyone, it's not so easy to detect errors.

> In general, it deals with the most obvious errors. I don't think asking
> slapadd to perform these checks is a good idea, as it would slow it down
> without real benefit: if an error is caught, you would need to restart,
> wasting all the actual write effort.

I don't quite agree - as I understand it slapadd already does some sanity checking, how much overhead would a check for objectClass doublets imply? And I don't see why you would need to restart, on a doublet either spit out a warning, or even better - spit out a warning and discard the doublet.

> A sanity check tool for unreliable LDIF would probably be more
> appropriate. I guess at this point most users would pretend their LDIF
> is always reliable, and avoid running the sanity checker...

Really? Yes, I would love a sanity checker, and I would most likely _always_ run LDIF through a sanity checker before using slapadd to write to the back-end. But again - slapadd already does some sanity checking, and there's even a flag for "dry-run" mode (-u) which IMO says that it is supposed to be used as a sanity checking tool. I'm perfectly OK to let _all_ sanity checks only occur when using -u.

I would love to dump all my ldap data to an LDIF and run it through a sanity checker, I suspect there's more "old noise" stuck in there.

Cheers! :)

-- 
Kolbjørn Barmen
UNINETT Driftsenter
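
The duplicate-objectClass check wished for in this message could look like the following; this is an added example, not part of the original post and not OpenLDAP code. The function names and the sample LDIF are constructed for illustration; the check unfolds continuation lines, decodes base64 values and compares objectClass values case-insensitively.

```python
import base64
import re
from collections import Counter

# Constructed sample: the same value appears plain, folded, and base64-encoded.
SAMPLE_LDIF = """\
dn: cn=admin,dc=foo,dc=no
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectclass: organizational
 Role
objectClass:: b3JnYW5pemF0aW9uYWxSb2xl
cn: admin

dn: dc=foo,dc=no
objectClass: dcObject
objectClass: organization
"""

def unfold(text):
    """Join LDIF continuation lines (newline + one space), then drop comments."""
    lines = re.sub(r"\r?\n ", "", text).splitlines()
    return [l for l in lines if not l.startswith("#")]

def parse_line(line):
    """Split 'attr: value' or 'attr:: base64' into (lowercased attr, value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return attr.strip().lower(), rest.strip()

def find_duplicate_object_classes(text):
    """Return {dn: {objectClass value: count}} for values listed more than once."""
    findings, dn, seen = {}, None, Counter()
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        attr, value = parse_line(line)
        if attr == "dn":
            dn = value
        elif attr == "objectclass":
            seen[value.lower()] += 1  # objectClass names are case-insensitive
        elif not line.strip():  # blank line ends the current entry
            dups = {v: n for v, n in seen.items() if n > 1}
            if dn and dups:
                findings[dn] = dups
            dn, seen = None, Counter()
    return findings

if __name__ == "__main__":
    print(find_duplicate_object_classes(SAMPLE_LDIF))
```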