On ti, 20 heinä 2021, Joseph Fry via FreeIPA-users wrote:
Thanks Rob, I figured that would be the answer.
That said, do you think it is worth filing a bug report / feature
request. I see no reason to do schema validation on the objects
created by the compatibility plugin.
- Adds unnecessary load on the server (checks the schema twice for
every object updated/added)
- Defeats the purpose of the compatibility plugin (part of the purpose
of the plugin is to eliminate the need for schema changes)
- Seems redundant (objects are populated by data from schema compliant
objects, so by extension the schema on the compat objects is valid)
Of course this may be easier said then done.
Regardless what compatibility plugin represents, the resulting entries
are processed by 389-ds LDAP server core. They have to follow the logic
and rules defined in 389-ds.
As Rob said, defining an object class for 'computer' is the only option.
There is another one, of course, to relax schema checks in the whole
389-ds, but it would mean eventually breaking the consistency of this
deployment as other schema violations would not be detected.
Filing a feature request to 389-ds will not help. They have spent
several years going into the opposite direction and enforcing the schema
everywhere.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland