Michael Ströder wrote:
From a practical standpoint - behavior of the service when clients are making requests to a backend that gets removed is totally undefined.LDAP clients do not care about (OpenLDAP) database backends at all. They simply query a DIT.
Yes, but they expect to get consistent answers to their queries. You cannot make any assertions about consistency when the rug is pulled out from under a running query.
AFAICS the original poster wanted to replace back-shell with back-sock for the very same naming context. In theory this could be done with back-config - only requring a very small downtime - entry deletion in back-config would be possible.
It would require adding a suffix to one backend while removing it from another. Since this can't be done in a single LDAP request it would require wrapping both changes in a single LDAP Transaction.
Doing it non-atomically would invariably result in inexplicable client error messages as they send requests to an LDAP server that was "working fine before" but suddenly replies "no global superior knowledge".
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/