Hi,
I noticed uniqueness constraints enforced by the slapo-unique overlay can
be bypassed when using the manage DSA IT control (ldapadd -M).
Using the following simple constraint:
overlay unique
unique_uri ldap:///?mail?sub
I get:
$ ldapadd -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test(a)my-domain.com
adding new entry "cn=test1,dc=my-domain,dc=com"
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test(a)my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com"
ldap_add: Constraint violation (19)
additional info: some attributes not unique <===== ok, as expected
Retrying with -M
$ ldapadd -M -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test(a)my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com" <===== but it is accepted?
$ ldapsearch -x -h localhost -b dc=my-domain,dc=com mail=test(a)my-domain.com
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: mail=test(a)my-domain.com
# requesting: ALL
#
# test1,
my-domain.com
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test(a)my-domain.com
# test2,
my-domain.com
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test(a)my-domain.com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
The uniqueness constraint has been violated when using -M, while it was
correctly enforced without -M.
Feature or bug?
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!