On Tue, Dec 4, 2012 at 2:08 PM, Tim Watts <[email protected]> wrote:
> In my case I would have to shelve ppolicy until all my clients had been
> converted - I have over 150 clients and 600 user accounts (under my
> control) but LDAP is not just used by PAM/NSS (if it were it would be easy)
> - there are undocumented usages in apache configs, Confluence, possibly
> webapps written in all manner of languages etc etc.
>
> It's a real mess...
>
I agree. It was a real mess for me. I can give you a quick rundown of what I encountered. I feel a bit guilty that I never submitted complete ITS reports, but I was too busy trying to recover from software that was suddenly crashing repeatedly and predictably once put into production.

back-relay and slapo-ppolicy, as you mentioned, crashed the server.

back-ldap and slapo-rwm would cause the server to crash if certain malformed search filters were used (as a developer working on some code here discovered within the first day we were up and running).

back-meta would cause the server to hang if there was an additional space in a search base (our old primary naming context was "o=lawrence berkeley laboratory,c=us" and a mail client user had "o=lawrence[space][space]berkeley lab,c=us" in his configuration).

Given some of the explanation I received after posting the first bug, I couldn't help but come to the conclusion that using any of the rewriting infrastructure in the wild was a bad idea. And that's where I ended up. So, we shortened the lifetime of our legacy naming context, wrote some additional synchronization tools, and just cranked up a new database with that content.

If you find a solution that works reliably, I'm all ears.

Greg
