Red Hat Bugzilla – Bug 1271054
RFE: LDAP command verification
Last modified: 2016-12-04 21:44:33 EST
Description of problem:
1. Proposed title of this feature request
Checking that command parameters are correct before committing changes into the LDAP database
2. Who is the customer behind the request?
Account: Fonterra Co-Operative Group
TAM customer: NO
SRM customer: YES
3. What is the nature and description of the request?
Customer is requesting that a sanity check be performed before committing changes in the database. For example, the customer commits a typo in the update command below:
ldapmodify -D "cn=Directory Manager" -w ******** <<EOF
The system should be able to detect the mistake in the command and show an error/suggestion to the user such as below:
This one is incorrect "nsroledn: cn=sapCorpRole,dc=zeus,dc=ghsewn,dc=com"
This role is correct "nsroledn: cn=sapANZRole,ou=people,dc=zeus,dc=ghsewn,dc=com"
The customer suggested that the following parameters be checked:
- does role exist
- does policy exist
- does group exist
4. Why does the customer need this? (List the business requirements here)
A typo in the command makes host/s unusable, especially if you are using a script to run the command on multiple servers.
5. How would the customer like to achieve this? (List the functional requirements here)
The customer wants a script that will check the syntax of the LDAP command before it makes any changes in the database.
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
The customer can test this functionality in their test environment.
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
I don't think there is one already.
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
9. Is the sales team involved in this request and do they have any additional input?
10. List any affected packages or components.
11. Would the customer be able to assist in testing this functionality if implemented?
Instead of an argument checker, what if there were a way to do a "dry-run" of the ldapmodify command, that would show you what the command would do? Would that satisfy the customer's requirement?
Not sure if this is relevant but the customer is running their Directory server on RHEL 6.6.
(In reply to Rich Megginson from comment #1)
> Instead of an argument checker, what if there were a way to do a "dry-run"
> of the ldapmodify command, that would show you what the command would do?
> Would that satisfy the customer's requirement?
Reply from Customer:
if the dry-run was to say:
warning: attribute / policy / role doesn't exist
This functionality would really require a new LDAP standard, as LDAP clients (like ldapmodify) would need the ability to ask the server to perform a dry-run option via a control or extended operation. This would be a very time-consuming process to go through, and it's unclear that a new standard would be accepted. In addition, the change would be very complex to implement on the server side. Unless there is a really strong request to do this, I do not believe it is worth the investment. Closing as WONTFIX.
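A client-side pre-flight check of the kind requested in item 5 needs no protocol change: resolve every DN the LDIF references before handing the file to ldapmodify. The following is an added example, not code from this bug report, Red Hat or the directory server project; the function names, the entry DN `uid=jdoe,...`, and taking host and bind options from ldap.conf are assumptions.

```python
import base64
import subprocess

DN_ATTRS = {"nsroledn"}  # DN-valued attributes to verify; extend per site (assumption)

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def referenced_dns(text, attrs=DN_ATTRS):
    """Yield (entry DN, attribute, referenced DN) for values added or replaced."""
    wanted = {a.lower() for a in attrs}
    entry = op = None
    for line in unfold(text):
        if line.startswith("#") or ":" not in line:
            continue  # comments, blank lines and "-" separators
        name, _, rest = line.partition(":")
        name = name.lower()
        # "attr:: value" carries a base64-encoded value
        value = base64.b64decode(rest[1:]).decode() if rest.startswith(":") else rest.strip()
        if name == "dn":
            entry, op = value, None
        elif name in ("add", "replace", "delete"):
            op = name
        elif name in wanted and op != "delete":  # a value being deleted may already be gone
            yield entry, name, value

def ldapsearch_exists(dn):
    """Base-scope lookup; exit 0 means the entry exists. Host/bind come from ldap.conf."""
    cmd = ["ldapsearch", "-x", "-LLL", "-s", "base", "-b", dn, "(objectClass=*)", "1.1"]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def preflight(text, exists=ldapsearch_exists, attrs=DN_ATTRS):
    """Return the dangling references; run ldapmodify only when the list is empty."""
    return [ref for ref in referenced_dns(text, attrs) if not exists(ref[2])]

# Constructed sample: the entry DN is made up, the two role DNs are from the report.
KNOWN = {"cn=sapanzrole,ou=people,dc=zeus,dc=ghsewn,dc=com"}
SAMPLE = """dn: uid=jdoe,ou=people,dc=zeus,dc=ghsewn,dc=com
changetype: modify
add: nsroledn
nsroledn: cn=sapCorpRole,dc=zeus,dc=ghsewn,dc=com
nsroledn: cn=sapANZRole,ou=people,
 dc=zeus,dc=ghsewn,dc=com
"""
```

Calling `preflight(SAMPLE, exists=lambda d: d.lower() in KNOWN)` checks the sample against the constructed directory instead of a live server and reports the `sapCorpRole` reference as missing. With the default `exists`, an unreachable server also counts as "missing", so the check fails closed.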