Bug 497439 - attribute uniqueness plugin: modrdn with deleteoldrdn=0 allows the entry to keep multiple attribute values even though the attribute uniqueness plugin is set against the attribute
Status: CLOSED WORKSFORME
Product: 389
Classification: Community
Component: Server - Plugins
Version: 1.2.0
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Noriko Hosoi
QA Contact: Chandrasekar Kannan
Blocks: 434915 389_1.3.0
Reported: 2009-04-23 17:37 EDT by Noriko Hosoi
Modified: 2015-01-04 18:37 EST
Doc Type: Bug Fix
Last Closed: 2010-08-03 17:30:30 EDT
Description Noriko Hosoi 2009-04-23 17:37:19 EDT
Description of problem:

I enabled the attribute uniqueness plugin.  Now, you cannot add another uid value.  It fails with "ldap_add: Already exists".  But you could do modrdn with deleteoldrdn=0, which allows the entry to have multiple uid values even if the uniqueness plugin is on.  I think this is a bug in the attribute uniqueness plugin, which most likely does not prevent the add from some internal operation.
Comment 1 Noriko Hosoi 2010-08-03 17:30:30 EDT
The report is based upon a misunderstanding of the attribute uniqueness plugin, which is supposed to enforce unique attribute values.

dn: cn=attribute uniqueness,cn=plugins,cn=config
nsslapd-pluginEnabled: on

Having these 2 entries in DB:
  dn: uid=nuuser0,ou=newOU,dc=example,dc=com
  uid: uuser0
  uid: uuser1
  uid: nuuser0
  givenName: new
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetorgperson
  sn: user0
  cn: uniq user0
 
  dn: uid=uuser2,ou=newOU,dc=example,dc=com
  uid: uuser2
  givenName: new
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetorgperson
  sn: user2
  cn: uniq user2

Modrdn the second entry to one of the UIDs in the first entry:
  dn: uid=uuser2,ou=newOU,dc=example,dc=com
  changetype: modrdn
  newrdn: uid=uuser0
  deleteoldrdn: 0
 
  modifying RDN of entry uid=uuser2,ou=newOU,dc=example,dc=com
  ldap_rename: Constraint violation
  ldap_rename: additional info: Another entry with the same attribute value already exists
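
Added example, not part of the original bug report and not 389 Directory Server code: a simplified in-memory model of the behaviour shown in Comment 1, where a modrdn is rejected only when another entry already holds the new RDN value, while one entry may carry several uid values. The function names, the naive DN splitting and the case-insensitive comparison are assumptions made for illustration.

```python
# Simplified model of the behaviour discussed in this bug; not plugin code.
class ConstraintViolation(Exception):
    pass

def norm(value):
    # Assumption: uid is compared case-insensitively; modelled with casefold().
    return value.strip().casefold()

def holders(entries, attr, value, exclude_dn):
    """Return DNs of *other* entries that already hold attr=value."""
    return [dn for dn, e in entries.items()
            if dn != exclude_dn
            and norm(value) in {norm(v) for v in e.get(attr, [])}]

def modrdn(entries, dn, newrdn, deleteoldrdn, unique_attrs=("uid",)):
    """Apply a modrdn to the in-memory directory, checking uniqueness first."""
    new_attr, new_val = newrdn.split("=", 1)
    old_rdn, parent = dn.split(",", 1)   # naive DN split, fine for this sample
    old_attr, old_val = old_rdn.split("=", 1)
    # Uniqueness is enforced across entries, not within the renamed entry.
    if new_attr in unique_attrs and holders(entries, new_attr, new_val, dn):
        raise ConstraintViolation(
            "Another entry with the same attribute value already exists")
    entry = entries.pop(dn)
    values = entry.setdefault(new_attr, [])
    if norm(new_val) not in {norm(v) for v in values}:
        values.append(new_val)           # the new RDN value joins the entry
    if deleteoldrdn:
        # deleteoldrdn=1 drops the old RDN value; 0 keeps it (multi-valued).
        entry[old_attr] = [v for v in entry.get(old_attr, [])
                           if norm(v) != norm(old_val)]
    new_dn = f"{newrdn},{parent}"
    entries[new_dn] = entry
    return new_dn

def sample_directory():
    # Constructed from the two entries in Comment 1 (uid values only).
    return {
        "uid=nuuser0,ou=newOU,dc=example,dc=com":
            {"uid": ["uuser0", "uuser1", "nuuser0"]},
        "uid=uuser2,ou=newOU,dc=example,dc=com":
            {"uid": ["uuser2"]},
    }
```

Renaming uid=uuser2 to a value no other entry holds with deleteoldrdn=0 succeeds in this model and leaves two uid values on that entry, which is the multi-valued result the description observed.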
