>> >> I still think allowing entryuuid to diverge from
nsuniqueid is the right call. It opens more scenarioes up to us for migration.
> >
> > Just fyi, when replicating from 389DS to OpenLDAP, we directly map nsUniqueId to
entryUuid. They're
> > both UUIDs and both serve the same purpose on their respective servers, so why
is there
> > any reason to allow proliferation of other IDs?
Ahh I believe that you may be referring to the sundsee syncrepl consumer mode from your
2.5 or git master perhaps? Sadly, this is not the target of my work - if it was, life
would be much easier, and this would not be a problem. In this case, we have a customer
who wants to create read-only openldap consumers which are able to get data from 389-ds,
but they are on version 2.4.41 of openldap which does not appear to perform this mapping
from my reading of the code (but i've had some mistakes reading code lately, so
perhaps I'm wrong).
Yes, the consumer code is only in 2.5, not 2.4. But the mapping is trivial; the nsUniqueId
format
has the same number of digits as the entryUuid format and only differs by having one less
hyphen.
So it's quite simple to write an overlay or plugin to convert from one to the other.
e.g.
https://git.openldap.org/openldap/openldap/-/blob/master/servers/slapd/sy...
Their goal is to move from openldap to 389-ds due to support reasons.
So this means entryuuid which has been a stable ID for a long time in their fleet is
something we need to support - and many external applications do read entryuuid as a
primary key to identify objects in the directory, despite the fact it should be an
internal replication-only element IMO (vmware and nextcloud come to mind immediately).
nsuniqueid (annoyingly) is not the same format as entryuuid, so we can't just ask them
to change to reading nsunique (even if the bytes were the same). Every day we get to live
with the decisions of the past, and we have the joy of working through and around them.
So I think as much as your suggestion is probably correct technically, it doesn't
apply in this situation.
I am considering that the "solution" in this case though, is that when we see
an entryuuid on an import/add, we derive nsuniqueid from that, so that entryuuid /
nsunique are equivalents in the respective directories, and we can then re-synthesise the
entryuuid from nsunique on the syncrepl. We still need to store entryuuid however, because
client applications will be expecting it to remain consistent and present during an
openldap to 389 migration.
Why wouldn't you just generate entryUuid from nsUniqueId on the fly, as a virtual
attribute, when requested in
a search/compare? And yes, derive nsUniqueId from entryUuid on an Add.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/