Hi! I don't know who said "Ease of use, not ease of implementation is the design goal", but If one DN is used as a value for some attribute, and there's a "referential integrity module" to update such attributes if the underlying DN changes, it's hard to explain why it would work for some cases, but not for others. And to make things worse: It just fails silently.
Kind regards, Ulrich Windl > -----Original Message----- > From: Ondřej Kuzník <on...@mistotebe.net> > Sent: Tuesday, May 6, 2025 3:12 PM > To: Windl, Ulrich <u.wi...@ukr.de> > Cc: openldap-technical@openldap.org > Subject: [EXT] Re: Re: Re: using refint overlay for pwdPolicySubentry > > On Tue, May 06, 2025 at 12:26:52PM +0000, Windl, Ulrich wrote: > > Hi! > > > > Oh well, > > the typical (data) administrator is using some frontend that just > > shows objects' attributes, and it may not be quite obvious which ones > > are "virtual": After all they (e.g. pwdPolicySubentry) are stored > > permanently in the database (and they are synced, fortunately). > > Hi, > if they are this likely to shoot themselves in the foot, it is prudent > of you as the system administrator to set up internal documentation > and/or access control so that they are not going to. > > I'm afraid that's the only advice I can give you, it is impossible for > the code to anticipate every eventuality. > > Regards, > > -- > Ondřej Kuzník > Senior Software Engineer > Symas Corporation http://www.symas.com > Packaged, certified, and supported LDAP solutions powered by OpenLDAP
