Hi all,
I tried for some days to make refint overlay work with refint_nothing filled.
The slapo-refint man page says:
refint_nothing <string> Specify an arbitrary value to be used as a placeholder when the last value would otherwise be deleted from an attribute. This can be useful in cases where the schema requires the existence of an attribute for which referential integrity is enforced. The attempted deletion of a required attribute will otherwise result in an Object Class Violation, causing the request to fail. The string must be a valid DN.
but each time I try to delete the last member from a groupOfNames group, the deletion is refused because of schema violation. That's ok without refint_nothing but with the string set it should replace last member, right?
I tried to increase loglevel to 16383 but can't see any debug for refint overlay. So I'm not sure if refint is working or not. Is there another way to have some debug information from refint ?
I have included my configuration, ldap tree and log content below. For the logs, I have snipped the content to the error directly but can provide full log if required.
The tests are running on debian jessie 8.2 and slapd version 2.4.40+dfsg-1.
And I know I can place the placeholder manually but doing it by hand each time is not what I want and, more important, I want to understand why the module is not working like it should.
I hope I have posted to the right list and if there is something missing please ask.
Thanks for help.
######### START CONF LDIF ########
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: a00e3106-20ce-1035-8943-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
olcLogLevel: 16383
entryCSN: 20151116173108.585343Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116173108Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}refint
olcModuleLoad: {2}memberof.la
structuralObjectClass: olcModuleList
entryUUID: a00edd9a-20ce-1035-894b-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116172537.271031Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151116172537Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: a00e5a96-20ce-1035-8946-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.131180Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116165546Z

... schema listing skipped as they are not modified ...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
structuralObjectClass: olcBackendConfig
entryUUID: a00ef6cc-20ce-1035-894c-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.135178Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116165546Z

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
entryUUID: a00e4ec0-20ce-1035-8944-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.130875Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20151116165546Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: a00e5654-20ce-1035-8945-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
olcRootPW:: e1NTSEF9NkdpY3VMWFhTUGpBa1IzM3UzcnkxVm1qY2N2ZVZXNHY=
entryCSN: 20151116170655.978168Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151116170655Z

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: a00efa64-20ce-1035-894d-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
olcRootPW:: e1NTSEF9SlExdmxnN1E0a0hNTTZtanZzdEtIcHBSYjBmNHJyaGI=
entryCSN: 20151116170852.768823Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151116170852Z

dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {0}refint
structuralObjectClass: olcRefintConfig
entryUUID: cd95de54-20d2-1035-86bf-517b01ed1806
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20151116172540Z
olcRefintNothing: uid=myuser2,ou=users,dc=nodomain
olcRefintAttribute: member
entryCSN: 20151116174304.336010Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116174304Z
######### END CONF LDIF ########
######### START DB LDIF ########
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: a01fd816-20ce-1035-8deb-e11fbfc8d840
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.245753Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20151116165546Z

dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9Z2doUHZPQVo2dnV5NzVSY1dFLzhhUFNGQjVZY1FXRHY=
structuralObjectClass: organizationalRole
entryUUID: a02629b4-20ce-1035-8dec-e11fbfc8d840
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.287209Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20151116165546Z

dn: ou=groups,dc=nodomain
objectClass: organizationalUnit
objectClass: top
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 25ff55cc-20d1-1035-86b9-517b01ed1806
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20151116171349Z
entryCSN: 20151116171349.840889Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20151116171349Z

dn: ou=users,dc=nodomain
objectClass: organizationalUnit
objectClass: top
ou: users
structuralObjectClass: organizationalUnit
entryUUID: 351d4e6a-20d1-1035-86ba-517b01ed1806
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20151116171415Z
entryCSN: 20151116171415.203147Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20151116171415Z

dn: uid=myuser1,ou=users,dc=nodomain
cn: myuser1
objectClass: inetOrgPerson
objectClass: top
sn: myuser1
uid: myuser1
structuralObjectClass: inetOrgPerson
entryUUID: bba534d4-20d1-1035-86bb-517b01ed1806
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20151116171800Z
entryCSN: 20151116171800.908475Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20151116171800Z

dn: uid=myuser2,ou=users,dc=nodomain
cn: myuser2
objectClass: inetOrgPerson
objectClass: top
sn: myuser2
uid: myuser2
structuralObjectClass: inetOrgPerson
entryUUID: d175bac2-20d1-1035-86bc-517b01ed1806
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20151116171837Z
entryCSN: 20151116171837.507205Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20151116171837Z

dn: cn=mygroup1,ou=groups,dc=nodomain
cn: mygroup1
member: uid=myuser1,ou=users,dc=nodomain
objectClass: groupOfNames
objectClass: top
structuralObjectClass: groupOfNames
entryUUID: f9657978-20d1-1035-86bd-517b01ed1806
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20151116171944Z
entryCSN: 20151116171944.509541Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20151116171944Z
######### END DB LDIF ########
######### START LOG ########
...
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: read active on 13
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Nov 16 18:43:31 vm-rt1 slapd[15110]: connection_get(13)
Nov 16 18:43:31 vm-rt1 slapd[15110]: connection_get(13): got connid=1154
Nov 16 18:43:31 vm-rt1 slapd[15110]: connection_read(13): checking for input on id=1154
Nov 16 18:43:31 vm-rt1 slapd[15110]: op tag 0x66, time 1447695811
Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 do_modify
Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 do_modify: dn (cn=mygroup1,ou=groups,dc=nodomain)
Nov 16 18:43:31 vm-rt1 slapd[15110]: >>> dnPrettyNormal: <cn=mygroup1,ou=groups,dc=nodomain>
Nov 16 18:43:31 vm-rt1 slapd[15110]: <<< dnPrettyNormal: <cn=mygroup1,ou=groups,dc=nodomain>, <cn=mygroup1,ou=groups,dc=nodomain>
Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 modifications:
Nov 16 18:43:31 vm-rt1 slapd[15110]: #011replace: member
Nov 16 18:43:31 vm-rt1 slapd[15110]: #011#011no values
Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 MOD dn="cn=mygroup1,ou=groups,dc=nodomain"
Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 MOD attr=member
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify: cn=mygroup1,ou=groups,dc=nodomain
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_dn2entry("cn=mygroup1,ou=groups,dc=nodomain")
Nov 16 18:43:31 vm-rt1 slapd[15110]: => mdb_dn2id("cn=mygroup1,ou=groups,dc=nodomain")
Nov 16 18:43:31 vm-rt1 slapd[15110]: <= mdb_dn2id: got id=0x7
Nov 16 18:43:31 vm-rt1 slapd[15110]: => mdb_entry_decode:
Nov 16 18:43:31 vm-rt1 slapd[15110]: <= mdb_entry_decode
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: 0x00000007: cn=mygroup1,ou=groups,dc=nodomain
Nov 16 18:43:31 vm-rt1 slapd[15110]: <= acl_access_allowed: granted to database root
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace member
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace entryCSN
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace modifiersName
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace modifyTimestamp
Nov 16 18:43:31 vm-rt1 slapd[15110]: oc_check_required entry (cn=mygroup1,ou=groups,dc=nodomain), objectClass "groupOfNames"
Nov 16 18:43:31 vm-rt1 slapd[15110]: Entry (cn=mygroup1,ou=groups,dc=nodomain): object class 'groupOfNames' requires attribute 'member'
Nov 16 18:43:31 vm-rt1 slapd[15110]: entry failed schema check: object class 'groupOfNames' requires attribute 'member'
Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify: modify failed (65)
Nov 16 18:43:31 vm-rt1 slapd[15110]: send_ldap_result: conn=1154 op=4 p=3
Nov 16 18:43:31 vm-rt1 slapd[15110]: send_ldap_result: err=65 matched="" text="object class 'groupOfNames' requires attribute 'member'"
Nov 16 18:43:31 vm-rt1 slapd[15110]: send_ldap_response: msgid=5 tag=103 err=65
Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 RESULT tag=103 err=65 text=object class 'groupOfNames' requires attribute 'member'
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on 1 descriptor
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on:
Nov 16 18:43:31 vm-rt1 slapd[15110]:
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=11 active_threads=0 tvp=zero
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on 1 descriptor
Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on:
######### END LOG ########
katgb wrote:
Hi all,
I tried for some days to make refint overlay work with refint_nothing filled.
The slapo-refint man page says:
refint_nothing <string> Specify an arbitrary value to be used as a placeholder when the last value would otherwise be deleted from an attribute. This can be useful in cases where the schema requires the existence of an attribute for which referential integrity is enforced. The attempted deletion of a required attribute will otherwise result in an Object Class Violation, causing the request to fail. The string must be a valid DN.
but each time I try to delete the last member from a groupOfNames group, the deletion is refused because of schema violation. That's ok without refint_nothing but with the string set it should replace last member, right?
No. The refint_nothing value only affects modifications that the refint overlay itself would make when trying to maintain integrity. It doesn't interfere with user modification requests at all.
On 2015-11-17 17:08, Howard Chu wrote:
katgb wrote:
Hi all,
I tried for some days to make refint overlay work with refint_nothing filled.
The slapo-refint man page says:
refint_nothing <string> Specify an arbitrary value to be used as a placeholder when the last value would otherwise be deleted from an attribute. This can be useful in cases where the schema requires the existence of an attribute for which referential integrity is enforced. The attempted deletion of a required attribute will otherwise result in an Object Class Violation, causing the request to fail. The string must be a valid DN.
but each time I try to delete the last member from a groupOfNames group, the deletion is refused because of schema violation. That's ok without refint_nothing but with the string set it should replace last member, right?
No. The refint_nothing value only affects modifications that the refint overlay itself would make when trying to maintain integrity. It doesn't interfere with user modification requests at all.
I'm not sure I understand "user modification requests" well. By user, do you mean the person who manipulates the directory or an object of "type" user? If I have memberof overlay activated and it changes the uid's memberof attribute, isn't it a user modification request (by memberof overlay)?
I've tested refint another way. I removed the user (identified by uid) from the directory. When the user is deleted, refint_nothing works and replaces the last member with the placeholder (I also have some debug information in logs). I thought that refint_nothing would also work when a modification is done on one of refint attributes. Maybe you can confirm I'm wrong about that.
Is there a way to accomplish what I want?
M. P. wrote:
I'm not sure I understand "user modification requests" well. By user, do you mean the person who manipulates the directory or an object of "type" user?
This term is used for normal LDAP modify requests coming from an LDAP client external to slapd.
If I have memberof overlay activated and it changes the uid's memberof attribute, isn't it a user modification request (by memberof overlay)?
Every modification done by an overlay is internal.
I've tested refint another way. I removed the user (identified by uid) from the directory. When the user is deleted, refint_nothing works and replaces the last member with the placeholder (I also have some debug information in logs). I thought that refint_nothing would also work when a modification is done on one of refint attributes.
In this case slapo-refint's own modification is internal and therefore refint_nothing applies. But it does apply when the modification comes from an external LDAP client.
Thinking about the empty-groupOfNames-problem some more, I am considering defining a cn=dummy value that is always present in groupOfNames entries and applying val-based ACLs to make it invisible and unremovable for normal clients (even the ones maintaining the groups).
Ciao, Michael.
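One way to set up the placeholder Michael describes, written against the poster's cn=config layout (olcDatabase={1}mdb with the refint overlay). This is an added example, not code from the thread or from the OpenLDAP project. Assumed, hypothetical names: the placeholder DN cn=nobody,ou=groups,dc=nodomain (it only has to be syntactically a DN; no such entry needs to exist) and a group-maintainer identity cn=groupadmin,dc=nodomain. refint_nothing is pointed at the same DN, so the value refint inserts on its own is the one the ACL protects.

```ldif
# Added example (not from the thread). Assumed, hypothetical names:
#   placeholder DN:   cn=nobody,ou=groups,dc=nodomain
#   group maintainer: cn=groupadmin,dc=nodomain
# Lines starting with a space are LDIF continuation lines.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif

# 1. Make refint insert the same placeholder that the ACLs protect.
dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRefintNothing
olcRefintNothing: cn=nobody,ou=groups,dc=nodomain

# 2. Value-based ACL: the placeholder value is neither readable nor
#    deletable by any bound client (the rootdn bypasses ACLs), while the
#    other member values are writable by the maintainer and readable by all.
#    The first "to" clause that matches wins, so the val rule goes first.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=member val.exact="cn=nobody,ou=groups,dc=nodomain"
  by * none
olcAccess: {2}to attrs=member
  by dn.exact="cn=groupadmin,dc=nodomain" write
  by * read
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by * read

# 3. A group created with the placeholder already in place, so removing
#    uid=myuser1 later leaves "member" non-empty and the schema check passes.
dn: cn=mygroup2,ou=groups,dc=nodomain
changetype: add
objectClass: groupOfNames
cn: mygroup2
member: cn=nobody,ou=groups,dc=nodomain
member: uid=myuser1,ou=users,dc=nodomain
```

Test it bound as the maintainer, not as cn=admin,dc=nodomain: the poster's log shows "acl_access_allowed: granted to database root", and the rootdn is never subject to ACLs, so a test as rootdn proves nothing. Three checks are worth running: an ldapsearch on mygroup2 should return the group without the placeholder value; a "delete: member" naming the placeholder should be refused with insufficient access; and a "replace: member" that lists only the real members is authorized against the attribute as a whole rather than against each existing value, so confirm on your build whether it can discard the placeholder and, if it can, keep the maintainer's tooling to add/delete modifications.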
On 2015-11-20 08:26, Michael Ströder wrote:
M. P. wrote:
I'm not sure I understand "user modification requests" well. By user, do you mean the person who manipulates the directory or an object of "type" user?
This term is used for normal LDAP modify requests coming from an LDAP client external to slapd.
It's clear now
If I have memberof overlay activated and it changes the uid's memberof attribute, isn't it a user modification request (by memberof overlay)?
Every modification done by an overlay is internal.
It's clear too
I've tested refint another way. I removed the user (identified by uid) from the directory. When the user is deleted, refint_nothing works and replaces the last member with the placeholder (I also have some debug information in logs). I thought that refint_nothing would also work when a modification is done on one of refint attributes.
In this case slapo-refint's own modification is internal and therefore refint_nothing applies. But it does apply when the modification comes from an external LDAP client.
Isn't there a "not" missing in the last sentence?
Thinking about the empty-groupOfNames-problem some more, I am considering defining a cn=dummy value that is always present in groupOfNames entries and applying val-based ACLs to make it invisible and unremovable for normal clients (even the ones maintaining the groups).
Yep, I thought about some trick like this. I thought also about the modification of the groupOfNames objectClass but this one does not have the preference of my manager :)
I have to find now how to add automatically a user to a group. ;)
Ciao, Michael.
Thanks for the clarifications.
M. P. wrote:
In this case slapo-refint's own modification is internal and therefore refint_nothing applies. But it does apply when the modification comes from an external LDAP client.
Isn't there a "not" missing in the last sentence?
Yes, should read "But it does not apply".
Thinking about the empty-groupOfNames-problem some more, I am considering defining a cn=dummy value that is always present in groupOfNames entries and applying val-based ACLs to make it invisible and unremovable for normal clients (even the ones maintaining the groups).
Yep, I thought about some trick like this. I thought also about the modification of the groupOfNames objectClass but this one does not have the preference of my manager :)
Yes, mucking around with standard schema descriptions is not the right way.
You could use groupOfEntries which was exactly defined for that purpose:
https://tools.ietf.org/html/draft-findlay-ldap-groupofentries
I have to find now how to add automatically a user to a group. ;)
Whatever "automatically" means in your context...
Ciao, Michael.
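Loading groupOfEntries into the poster's cn=config and creating a group that is allowed to be empty, as an added example that is not part of the thread. The object class definition is the one published in draft-findlay-ldap-groupofentries (member is MAY rather than MUST); compare it with the draft text before loading it, since an OID typo in a live schema entry is awkward to correct. The schema entry name cn=groupofentries is an assumed choice.

```ldif
# Added example (not from the thread). The schema entry name
# cn=groupofentries is an assumed choice; the object class definition is
# copied from draft-findlay-ldap-groupofentries, where "member" is optional.
# Lines starting with a space are LDIF continuation lines.
# Apply with: ldapadd -Y EXTERNAL -H ldapi:/// -f this-file.ldif
dn: cn=groupofentries,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: groupofentries
olcObjectClasses: ( 1.2.826.0.1.3458854.2.1.1.1
  NAME 'groupOfEntries'
  SUP top
  STRUCTURAL
  MUST ( cn )
  MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

# A group with no members is valid under groupOfEntries, so refint
# removing the last "member" value (and a client doing the same) no longer
# hits the Object Class Violation; refint_nothing is not needed for it.
dn: cn=mygroup3,ou=groups,dc=nodomain
changetype: add
objectClass: groupOfEntries
cn: mygroup3
```

The olcRefintAttribute: member setting already in the poster's overlay covers groupOfEntries unchanged, because refint works per attribute, not per object class. Existing groupOfNames entries cannot simply have their structural object class switched in place; they have to be re-created, so mixing both classes during a migration is the usual path. What groupOfEntries does not give you is any protection against a client emptying a group on purpose; if that matters, the value-based ACL Michael described is still the tool for it.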
On 2015-11-21 17:27, Michael Ströder wrote:
M. P. wrote:
In this case slapo-refint's own modification is internal and therefore refint_nothing applies. But it does apply when the modification comes from an external LDAP client.
Isn't there a "not" missing in the last sentence?
Yes, should read "But it does not apply".
Thinking about the empty-groupOfNames-problem some more, I am considering defining a cn=dummy value that is always present in groupOfNames entries and applying val-based ACLs to make it invisible and unremovable for normal clients (even the ones maintaining the groups).
Yep, I thought about some trick like this. I thought also about the modification of the groupOfNames objectClass but this one does not have the preference of my manager :)
Yes, mucking around with standard schema descriptions is not the right way.
You could use groupOfEntries which was exactly defined for that purpose:
https://tools.ietf.org/html/draft-findlay-ldap-groupofentries
I was not aware of this one, yet I searched for alternatives. Thanks.
I have to find now how to add automatically a user to a group. ;)
Whatever "automatically" means in your context...
I meant that at the creation of a groupOfNames, the placeholder would be added without user intervention. With groupOfEntries there is no need for that anymore, but for my own knowledge it would be interesting.
Ciao, Michael.
openldap-technical@openldap.org