Bug 723520 - Overlay unique ignore parameter doesn't function
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jan Vcelak
QA Contact: BaseOS QE Security Team
Reported: 2011-07-20 12:33 UTC by David Spurek
Modified: 2015-03-02 05:26 UTC

Doc Type: Bug Fix
Last Closed: 2011-08-11 16:05:29 UTC

Attachments
Slapd configuration file (1.55 KB, application/octet-stream)
2011-07-20 12:33 UTC, David Spurek

Description David Spurek 2011-07-20 12:33:21 UTC
Created attachment 514000
Slapd configuration file

Description of problem:
Overlay unique ignore parameter doesn't function (same functionality as unique parameter missing in configuration)

Version-Release number of selected component (if applicable):
openldap-servers-2.4.23-15.el6

How reproducible:
always

Steps to Reproduce:
1. slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
(slapd.conf is in attachment)
2. add entry
dn: cn=usr2, dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: usr2
sn: usr2
mail: usr2
uid: usr2

dn: cn=usr1,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: usr1
sn: usr1
mail: usr2
uid: usr1
  
Actual results:
adding new entry "cn=usr2,dc=my-domain,dc=com"
adding new entry "cn=usr1,dc=my-domain,dc=com"
ldap_add: Constraint violation (19)
	additional info: some attributes not unique

Expected results:
Add operation should pass

Comment 1 Jan Vcelak 2011-08-11 16:05:29 UTC
I believe this is not a bug, but just a misunderstanding of the documentation.

olcUniqueURI: ldap:///dc=my-domain,dc=com?mail?sub?
olcUniqueURI: ignore ldap:///cn=usr1,dc=my-domain,dc=com?mail?sub?

The documentation says that the attributes are checked when add, modify, and modrdn operations are performed. When some matching entry is found, the operation is rejected. And the rules are evaluated sequentially. I understand from this statement that the rules are evaluated sequentially.

And 'ignore' works differently than you expect. The documentation says that by specifying this prefix, uniqueness of all non-operational attributes is enforced, except those listed.

In fact, the second entry you are trying to add (cn=usr1,dc=my-domain,dc=com) would be rejected by both of the rules. The first one because of non-uniqueness of mail attribute, the second one because of non-uniqueness of objectClass.

I suppose you wanted something like (simplified):
olcUniqueURI: ldap:///?mail?sub?(!(cn=usr1))

Closing this bug as NOTABUG.
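
The keyword semantics described in Comment 1, as an added example that is not part of the bug report or of OpenLDAP's own code: it parses olcUniqueURI values and lists which attributes of an entry each rule would test, so the `ignore` rule can be seen to test everything except mail. The function names are hypothetical; the model assumes subtree scope, does not evaluate the filter or perform the duplicate search, treats an empty attribute list as all attributes, and assumes the entry holds no operational attributes.

```python
from urllib.parse import unquote

KEYWORDS = {"strict", "ignore"}

def normalize_dn(dn):
    # Naive normalization (assumption): lower-case, drop spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_unique_uri(value):
    """Split one olcUniqueURI value into (keywords, list of URL parts)."""
    tokens = value.split()
    flags = set()
    while tokens and tokens[0].lower() in KEYWORDS:
        flags.add(tokens.pop(0).lower())
    if not tokens:
        raise ValueError("no LDAP URL in %r" % value)
    uris = []
    for url in tokens:
        if not url.lower().startswith("ldap:///"):
            raise ValueError("expected ldap:/// URL, got %r" % url)
        # ldap:///base?attrs?scope?filter, trailing parts may be empty
        parts = (url[len("ldap:///"):].split("?", 3) + [""] * 3)[:4]
        base, attrs, scope, flt = (unquote(p) for p in parts)
        uris.append({
            "base": normalize_dn(base),
            "attrs": {a.strip().lower() for a in attrs.split(",") if a.strip()},
            "scope": scope,
            "filter": flt,
        })
    return flags, uris

def checked_attributes(value, dn, entry):
    """Attributes of `entry` that this rule would test for uniqueness."""
    flags, uris = parse_unique_uri(value)
    dn = normalize_dn(dn)
    present = {a.lower() for a in entry}
    checked = set()
    for uri in uris:
        base = uri["base"]
        if base and dn != base and not dn.endswith("," + base):
            continue  # entry lies outside this URL's subtree
        if "ignore" in flags:
            checked |= present - uri["attrs"]  # everything except the listed
        else:
            checked |= (present & uri["attrs"]) if uri["attrs"] else present
    return checked

# Second entry from the report (constructed here as a dict).
USR1_DN = "cn=usr1,dc=my-domain,dc=com"
USR1 = {"objectClass": ["inetOrgPerson", "organizationalPerson", "person", "top"],
        "cn": ["usr1"], "sn": ["usr1"], "mail": ["usr2"], "uid": ["usr1"]}
```

Calling `checked_attributes` with the `ignore` value from the report and `USR1_DN`, `USR1` returns objectclass, cn, sn and uid, while the first rule returns only mail.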

