6:25 a.m.
Hi,
I noticed uniqueness constraints enforced by the slapo-unique overlay can
be bypassed when using the manage DSA IT control (ldapadd -M).
Using the following simple constraint:
overlay unique
unique_uri ldap:///?mail?sub
I get:
$ ldapadd -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test(a)my-domain.com
adding new entry "cn=test1,dc=my-domain,dc=com"
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test(a)my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com"
ldap_add: Constraint violation (19)
additional info: some attributes not unique <===== ok, as expected
Retrying with -M
$ ldapadd -M -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test(a)my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com" <===== but it is accepted?
$ ldapsearch -x -h localhost -b dc=my-domain,dc=com mail=test(a)my-domain.com
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: mail=test(a)my-domain.com
# requesting: ALL
#
# test1, my-domain.com
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test(a)my-domain.com
# test2, my-domain.com
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test(a)my-domain.com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
The uniqueness constraint has been violated when using -M, while it was
correctly enforced without -M.
Feature or bug?
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
5:46 a.m.
Geert Hendrickx wrote:
Hi,
I noticed uniqueness constraints enforced by the slapo-unique overlay can
be bypassed when using the manage DSA IT control (ldapadd -M).
The uniqueness constraint has been violated when using -M, while it
was
correctly enforced without -M.
Feature or bug?
RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6:12 a.m.
On Tue, Aug 25, 2015 at 13:46:09 +0100, Howard Chu wrote:
Geert Hendrickx wrote:
>Hi,
>
>I noticed uniqueness constraints enforced by the slapo-unique overlay can
>be bypassed when using the manage DSA IT control (ldapadd -M).
>The uniqueness constraint has been violated when using -M, while it was
>correctly enforced without -M.
>
>Feature or bug?
RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
Thanks, I overlooked that. I'm not managing the LDAP client here, I'll
have to talk to the devs why they are using the ManageDsaIt control.
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
7:07 a.m.
On Tue, Aug 25, 2015 at 15:12:22 +0200, Geert Hendrickx wrote:
On Tue, Aug 25, 2015 at 13:46:09 +0100, Howard Chu wrote:
> Geert Hendrickx wrote:
> >Hi,
> >
> >I noticed uniqueness constraints enforced by the slapo-unique overlay can
> >be bypassed when using the manage DSA IT control (ldapadd -M).
>
> >The uniqueness constraint has been violated when using -M, while it was
> >correctly enforced without -M.
> >
> >Feature or bug?
>
> RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
>
Thanks, I overlooked that. I'm not managing the LDAP client here, I'll
have to talk to the devs why they are using the ManageDsaIt control.
It's still not clear for me what is the link between the Manage DSA IT
control and uniqueness constraint. From RFC 3296 defining the control:
A control, ManageDsaIT, is defined to allow manipulation of referral
and other special objects as normal objects. As the name of control
implies, it is intended to be analogous to the ManageDsaIT service
option described in X.511(97) [X.511].
[...]
In the presence of a ManageDsaIT control, referral objects are
treated as normal entries as described in section 3. Note that the
ref attribute is operational and will only be returned in a search
entry response when requested.
In the absence of a ManageDsaIT control, the content of referral
objects are used to construct referrals and search references as
described in Section 4 and, as such, the referral entries are not
themselves visible to clients.
Why must it bypass the uniqueness constraints on the server?
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
4:08 a.m.
Geert Hendrickx wrote:
On Tue, Aug 25, 2015 at 15:12:22 +0200, Geert Hendrickx wrote:
> On Tue, Aug 25, 2015 at 13:46:09 +0100, Howard Chu wrote:
>> Geert Hendrickx wrote:
>>> Hi,
>>>
>>> I noticed uniqueness constraints enforced by the slapo-unique overlay can
>>> be bypassed when using the manage DSA IT control (ldapadd -M).
>>
>>> The uniqueness constraint has been violated when using -M, while it was
>>> correctly enforced without -M.
>>>
>>> Feature or bug?
>>
>> RTFM, this is already explicitly documented in the slapo-unique(5) manpage.
>
> Thanks, I overlooked that. I'm not managing the LDAP client here, I'll
> have to talk to the devs why they are using the ManageDsaIt control.
It's still not clear for me what is the link between the Manage DSA IT
control and uniqueness constraint. From RFC 3296 defining the control:
[..]
IIRC Pierangelo used the Manage DSA IT control for that use-case because the
Relax Rules control wasn't defined at that time. Yes, I also consider this to
be a flaw because JNDI sends along Manage DSA IT control by default.
Ciao, Michael.
5:15 a.m.
On Wed, Sep 02, 2015 at 13:08:16 +0200, Michael Ströder wrote:
Geert Hendrickx wrote:
> It's still not clear for me what is the link between the Manage DSA IT
> control and uniqueness constraint. From RFC 3296 defining the control:
> [..]
IIRC Pierangelo used the Manage DSA IT control for that use-case because
the Relax Rules control wasn't defined at that time. Yes, I also consider
this to be a flaw because JNDI sends along Manage DSA IT control by
default.
Hi,
I'm not familiar with the inner details, but could it be that there has
been confusion between "Manage DSA IT" control (RFC 3296) and
"ManageDIT"
control which has been obsoleted/replaced by the Relax Rules control?
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
1:25 p.m.
On Wed, Sep 02, 2015 at 14:15:18 +0200, Geert Hendrickx wrote:
On Wed, Sep 02, 2015 at 13:08:16 +0200, Michael Ströder wrote:
> Geert Hendrickx wrote:
> > It's still not clear for me what is the link between the Manage DSA IT
> > control and uniqueness constraint. From RFC 3296 defining the control:
> > [..]
>
> IIRC Pierangelo used the Manage DSA IT control for that use-case because
> the Relax Rules control wasn't defined at that time. Yes, I also consider
> this to be a flaw because JNDI sends along Manage DSA IT control by
> default.
>
Hi,
I'm not familiar with the inner details, but could it be that there has
been confusion between "Manage DSA IT" control (RFC 3296) and
"ManageDIT"
control which has been obsoleted/replaced by the Relax Rules control?
This documentation ITS seems to confirm the (deliberate?) confusion between
the ManageDsaIt and ManageDIT/Relax controls as well:
http://www.openldap.org/its/index.cgi/Documentation?id=7795
I vaguely remember that before the birth of
draft-zeilenga-ldap-relax
some (overlays?) misused the Manage DSA IT control for that purpose.
"manageDIT" was renamed to "relax" because it was
too similar to
"manageDSAit". Besides, although its use is intrinsically related to
performing administrative operations, it is specifically meant to work
around rules that make sense from a data model point of view but may
need to be circumvented *during* "special" operations.
To implement a bypass of uniquness constraints, the relax control seems
much more appropriate than ManageDsaIt.
The attached patch works for me. Should I file an ITS for slapo-unique?
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
2949
days inactive
2963
days old
openldap-technical@openldap.org
6 comments
3 participants
participants (3)
-
Geert Hendrickx -
Howard Chu -
Michael Ströder