| Summary: | Possible to add non-existent user to member, seeAlso etc. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Ján Rusnačko <jrusnack> |
| Component: | 389-ds-base | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED WONTFIX | QA Contact: | Sankar Ramalingam <sramling> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4 | CC: | jgalipea, nkinder |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-18 17:16:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
This is not the way that referential integrity was designed to work. Here is how it is explained in the Admin Guide: "By default, when the Referential Integrity Plug-in is enabled, it performs integrity updates on the member, uniquemember, owner, and seeAlso attributes immediately after a delete or rename operation." Note that ADD and MOD operations do not trigger referential integrity. Changing the default behavior would cause backwards compatibility issues. An enhancement to allow one to enable referential integrity checking for ADD and MOD operations could be developed, but I'd prefer to only go down that route if we have a customer business case for it. Closing as WONTFIX. |
Description of problem: In current RHEL 6.4 DS it is possible to add non-existent user to member attribute of group (same goes for seeAlso attribute and probably others). This happens even with referential integrity plugin enabled, which makes it difficult to keep referential integrity of DB intact. I would expect either non-existent user is denied always, or referential integrity plugin denying such additions to tracked attributes. Version-Release number of selected component (if applicable): 389-ds-base-1.2.11.15-29.el6.x86_64 How reproducible: always Steps to Reproduce: [jrusnack@dhcp-31-42 workspace]$ ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF dn: cn=referential integrity postoperation,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on EOF modifying entry "cn=referential integrity postoperation,cn=plugins,cn=config" [jrusnack@dhcp-31-42 workspace]$ sudo service dirsrv restart Shutting down dirsrv: dhcp-31-42... [ OK ] Starting dirsrv: dhcp-31-42... [ OK ] [jrusnack@dhcp-31-42 workspace]$ ldapmodify -D "cn=directory manager" -w Secret123 -a <<EOF dn: cn=testgroup,ou=groups,dc=example,dc=com objectclass: top objectclass: groupOfNames cn: testgroup member: uid=invalid EOF adding new entry "cn=testgroup,ou=groups,dc=example,dc=com" [jrusnack@dhcp-31-42 workspace]$ ldapsearch -LLL -D "cn=directory manager" -w Secret123 -b "cn=testgroup,ou=groups,dc=example,dc=com" dn: cn=testgroup,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfNames cn: testgroup member: uid=invalid [jrusnack@dhcp-31-42 workspace]$ ldapsearch -LLL -D "cn=directory manager" -w Secret123 -b "cn=referential integrity postoperation,cn=plugins,cn=config" dn: cn=referential integrity postoperation,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: referential integrity postoperation nsslapd-pluginPath: libreferint-plugin nsslapd-pluginInitfunc: referint_postop_init nsslapd-pluginType: postoperation nsslapd-pluginEnabled: on nsslapd-pluginprecedence: 40 nsslapd-pluginarg0: 0 nsslapd-pluginarg1: /var/log/dirsrv/slapd-dhcp-31-42/referint nsslapd-pluginarg2: 0 nsslapd-pluginarg3: member nsslapd-pluginarg4: uniquemember nsslapd-pluginarg5: owner nsslapd-pluginarg6: seeAlso nsslapd-plugin-depends-on-type: database nsslapd-pluginId: referint nsslapd-pluginVersion: 1.2.11.15 nsslapd-pluginVendor: 389 Project nsslapd-pluginDescription: referential integrity plugin Actual result: Member attribute of cn=testgroup cotains invalid reference to uid=invalid, even with referential plugin enabled and member attribute checked by the plugin for referential integrity.