Hi,
I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M).
Using the following simple constraint:
overlay unique unique_uri ldap:///?mail?sub
I get:
$ ldapadd -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret dn: cn=test1,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test1 sn: test1 mail: test@my-domain.com
adding new entry "cn=test1,dc=my-domain,dc=com"
dn: cn=test2,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test2 sn: test2 mail: test@my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com" ldap_add: Constraint violation (19) additional info: some attributes not unique <===== ok, as expected
Retrying with -M
$ ldapadd -M -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret dn: cn=test2,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test2 sn: test2 mail: test@my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com" <===== but it is accepted?
$ ldapsearch -x -h localhost -b dc=my-domain,dc=com mail=test@my-domain.com # extended LDIF # # LDAPv3 # base <dc=my-domain,dc=com> with scope subtree # filter: mail=test@my-domain.com # requesting: ALL #
# test1, my-domain.com dn: cn=test1,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test1 sn: test1 mail: test@my-domain.com
# test2, my-domain.com dn: cn=test2,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test2 sn: test2 mail: test@my-domain.com
# search result search: 2 result: 0 Success
# numResponses: 3 # numEntries: 2
The uniqueness constraint has been violated when using -M, while it was correctly enforced without -M.
Feature or bug?
Geert