Hi,
I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M).
Using the following simple constraint (slapd.conf):

overlay unique
unique_uri ldap:///?mail?sub
I get:
$ ldapadd -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test@my-domain.com

adding new entry "cn=test1,dc=my-domain,dc=com"

dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test@my-domain.com        <===== duplicate, violates uniqueness constraint

adding new entry "cn=test2,dc=my-domain,dc=com"
ldap_add: Constraint violation (19)
        additional info: some attributes not unique        <===== ok, as expected
Retrying with -M
$ ldapadd -M -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test@my-domain.com        <===== duplicate, violates uniqueness constraint

adding new entry "cn=test2,dc=my-domain,dc=com"        <===== but it is accepted?
$ ldapsearch -x -h localhost -b dc=my-domain,dc=com mail=test@my-domain.com
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: mail=test@my-domain.com
# requesting: ALL
#

# test1, my-domain.com
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test@my-domain.com

# test2, my-domain.com
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test@my-domain.com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
The uniqueness constraint has been violated when using -M, while it was correctly enforced without -M.
Feature or bug?
Geert
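Since slapo-unique does not apply its constraint to requests carrying ManageDsaIT, an audit of what is actually stored is the practical check. The following is an added example (not code from the post or from OpenLDAP): it parses a saved ldapsearch LDIF dump, including folded lines and "::" base64 values, and reports values held by more than one entry for each attribute named in a unique_uri. The LDIF sample is constructed and the function names are my own.

```python
import base64

# Constructed sample shaped like the ldapsearch output above: the two duplicate
# entries (test2's mail base64-encoded, as ldapsearch may emit) plus a unique
# entry whose value is folded across two lines.
SAMPLE_LDIF = """\
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
mail: test@my-domain.com

dn: cn=test2,dc=my-domain,dc=com
mail:: dGVzdEBteS1kb21haW4uY29t

dn: cn=test3,dc=my-domain,dc=com
mail: other@my-do
 main.com

# search result
result: 0 Success
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding lines and decoding '::' base64 values."""
    entries, current = [], None
    # A newline followed by one space is LDIF line folding; join such lines first.
    for line in text.replace("\n ", "").splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:        # ignores trailer lines such as "result: 0 Success"
            current[1].setdefault(attr.lower(), []).append(value)
    return entries

def duplicates_for_unique_uri(entries, unique_uri):
    """Per attribute in a slapo-unique URI (ldap:///?attr1,attr2?scope): {value: [dns]} for
    values on more than one entry, compared case-insensitively like mail's caseIgnoreIA5Match."""
    attrs = unique_uri.split("?")[1].split(",") if "?" in unique_uri else []
    report = {}
    for attr in (a.strip().lower() for a in attrs if a.strip()):
        seen = {}
        for dn, values in entries:
            for v in values.get(attr, []):
                seen.setdefault(v.lower(), []).append(dn)
        report[attr] = {v: dns for v, dns in seen.items() if len(dns) > 1}
    return report
```

Run it over the output of a plain `ldapsearch -x -b <suffix> '(mail=*)' mail` to find duplicates that slipped past the overlay.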
Geert Hendrickx wrote:
> Hi,
> I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M).
> The uniqueness constraint has been violated when using -M, while it was correctly enforced without -M.
> Feature or bug?
RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
On Tue, Aug 25, 2015 at 13:46:09 +0100, Howard Chu wrote:
> Geert Hendrickx wrote:
> > Hi,
> > I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M).
> > The uniqueness constraint has been violated when using -M, while it was correctly enforced without -M.
> > Feature or bug?
> RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
Thanks, I overlooked that. I'm not managing the LDAP client here; I'll have to talk to the devs about why they are using the ManageDsaIt control.
Geert
On Tue, Aug 25, 2015 at 15:12:22 +0200, Geert Hendrickx wrote:
> On Tue, Aug 25, 2015 at 13:46:09 +0100, Howard Chu wrote:
> > Geert Hendrickx wrote:
> > > Hi,
> > > I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M).
> > > The uniqueness constraint has been violated when using -M, while it was correctly enforced without -M.
> > > Feature or bug?
> > RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
> Thanks, I overlooked that. I'm not managing the LDAP client here; I'll have to talk to the devs about why they are using the ManageDsaIt control.
It's still not clear to me what the link is between the Manage DSA IT control and the uniqueness constraint. From RFC 3296, which defines the control:
A control, ManageDsaIT, is defined to allow manipulation of referral and other special objects as normal objects. As the name of control implies, it is intended to be analogous to the ManageDsaIT service option described in X.511(97) [X.511].
[...]
In the presence of a ManageDsaIT control, referral objects are treated as normal entries as described in section 3. Note that the ref attribute is operational and will only be returned in a search entry response when requested.
In the absence of a ManageDsaIT control, the content of referral objects are used to construct referrals and search references as described in Section 4 and, as such, the referral entries are not themselves visible to clients.
Why must it bypass the uniqueness constraints on the server?
Geert
Geert Hendrickx wrote:
> On Tue, Aug 25, 2015 at 15:12:22 +0200, Geert Hendrickx wrote:
> > On Tue, Aug 25, 2015 at 13:46:09 +0100, Howard Chu wrote:
> > > Geert Hendrickx wrote:
> > > > Hi,
> > > > I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M).
> > > > The uniqueness constraint has been violated when using -M, while it was correctly enforced without -M.
> > > > Feature or bug?
> > > RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
> > Thanks, I overlooked that. I'm not managing the LDAP client here; I'll have to talk to the devs about why they are using the ManageDsaIt control.
> It's still not clear to me what the link is between the Manage DSA IT control and the uniqueness constraint. From RFC 3296, which defines the control: [..]
IIRC Pierangelo used the Manage DSA IT control for that use-case because the Relax Rules control wasn't defined at that time. Yes, I also consider this to be a flaw because JNDI sends along Manage DSA IT control by default.
Ciao, Michael.
On Wed, Sep 02, 2015 at 13:08:16 +0200, Michael Ströder wrote:
> Geert Hendrickx wrote:
> > It's still not clear to me what the link is between the Manage DSA IT control and the uniqueness constraint. From RFC 3296, which defines the control: [..]
> IIRC Pierangelo used the Manage DSA IT control for that use-case because the Relax Rules control wasn't defined at that time. Yes, I also consider this to be a flaw because JNDI sends along Manage DSA IT control by default.
Hi,
I'm not familiar with the inner details, but could it be that there has been confusion between "Manage DSA IT" control (RFC 3296) and "ManageDIT" control which has been obsoleted/replaced by the Relax Rules control?
Geert
On Wed, Sep 02, 2015 at 14:15:18 +0200, Geert Hendrickx wrote:
> On Wed, Sep 02, 2015 at 13:08:16 +0200, Michael Ströder wrote:
> > Geert Hendrickx wrote:
> > > It's still not clear to me what the link is between the Manage DSA IT control and the uniqueness constraint. From RFC 3296, which defines the control: [..]
> > IIRC Pierangelo used the Manage DSA IT control for that use-case because the Relax Rules control wasn't defined at that time. Yes, I also consider this to be a flaw because JNDI sends along Manage DSA IT control by default.
> Hi,
> I'm not familiar with the inner details, but could it be that there has been confusion between "Manage DSA IT" control (RFC 3296) and "ManageDIT" control which has been obsoleted/replaced by the Relax Rules control?
This documentation ITS seems to confirm the (deliberate?) confusion between the ManageDsaIt and ManageDIT/Relax controls as well:
http://www.openldap.org/its/index.cgi/Documentation?id=7795
I vaguely remember that before the birth of draft-zeilenga-ldap-relax some (overlays?) misused the Manage DSA IT control for that purpose.
"manageDIT" was renamed to "relax" because it was too similar to "manageDSAit". Besides, although its use is intrinsically related to performing administrative operations, it is specifically meant to work around rules that make sense from a data model point of view but may need to be circumvented *during* "special" operations.
To implement a bypass of uniqueness constraints, the Relax control seems much more appropriate than ManageDsaIt.
The attached patch works for me. Should I file an ITS for slapo-unique?
Geert
openldap-technical@openldap.org