
RE: User entries not deleted from uniqueMember attributes



Yes, this is standard behavior for OpenLDAP; the server will not
fold/spindle/mutilate values that were explicitly set by the user. The flip
side of this data integrity policy is that if you create something, you're
responsible for removing it if you want it removed.

When a server provides this kind of cleanup automatically, that's called
"referential integrity." There's no spec for this kind of behavior in any
standard, so it's always a crap-shoot to rely on it. As such, the name
"referential integrity" is a bit of an oxymoron; there really can be no
guarantees of integrity in a referral-based distributed namespace. You can
add a transaction layer to try to provide this sort of feature, but to do so
would completely obliterate any notions of "Lightweight" protocol.

The LDAP protocol specifies that all of its modification-type operations
(add/delete/modify/moddn) are atomic. This is usually simple enough to
guarantee since you're only touching a single entry. (But even so, it can
involve a large number of steps inside the LDAP database.) There is no
allowance in the protocol for these single-entry atomic operations to have
side-effects. The crucial point is there is no way to notify you when
multiple side-effects are required but only some portion of them succeed.
And sadly, in the real world, the chance that some multi-object operation
will partially fail is about 100% on a moderately large system.

To sum up - the LDAP mod operations are based on an all-or-nothing premise.
The single operation either succeeds or fails, there are no in-between
states. To properly implement referential integrity requires a system to
recognize and accommodate the in-between states that necessarily arise in
complex/compound operations, and the modify operations in the LDAP protocol
simply don't allow that. I believe that any server that attempts to provide
this functionality within the context of these atomic operations is
seriously flawed, and anyone who relies on these flawed behaviors has some
serious heartbreak (or heartburn) awaiting them.

(As a final note, I feel compelled to point out that Symas' Connexitor
provides a referential integrity framework that *does* properly handle
partial success situations. One of the nice things you get when you design a
system with distribution in mind from the start...)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mudry, Robert
> (N-aerotek)
> Sent: Thursday, February 28, 2002 3:54 PM
> To: 'openldap-software@OpenLDAP.org'
> Subject: User entries not deleted from uniqueMember attributes
>
>
> When deleting a user in OpenLDAP 2.0.21, that user's uniqueMember
> attributes are being left intact. Before I write extra code to delete
> them, before deleting the user, I would like to know if this is "standard
> behavior" for OpenLDAP. The Netscape Directory Server (NDS) automatically
> deletes users from uniqueMember attributes when the user was deleted--maybe
> I am just spoiled! ;-)
>
> -Robert
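The "extra code" Robert mentions, as an added example that is not from either poster: it removes a user's DN from every uniqueMember it appears in, one atomic modify per group, and only deletes the user once all of those succeeded, so a partial failure leaves a retryable state rather than dangling references. It runs against a constructed in-memory directory (the dict, `sample_directory`, and the `failing` parameter are stand-ins for a real search/modify/delete through python-ldap or ldap3).

```python
# Added example: client-side referential-integrity cleanup before an LDAP delete.
# The directory is a constructed dict of dn -> {attribute: [values]}, not a server.

def escape_filter_value(value):
    """RFC 4515 escaping so a DN pasted into a search filter cannot change its structure."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def member_filter(user_dn):
    """Filter a real client would send to find entries referencing user_dn."""
    return '(uniqueMember=%s)' % escape_filter_value(user_dn)

def find_referrers(directory, user_dn):
    """Stand-in for a subtree search with member_filter(); DN compare is case-insensitive."""
    key = user_dn.lower()
    return sorted(dn for dn, attrs in directory.items()
                  if any(v.lower() == key for v in attrs.get('uniqueMember', [])))

def delete_user(directory, user_dn, failing=frozenset()):
    """Strip user_dn from each referencing group (one atomic modify each), then delete it.
    `failing` (constructed) names groups whose modify is simulated to fail, e.g. because
    the bound identity lacks write access to them. Returns (cleaned, failed, deleted)."""
    cleaned, failed = [], []
    key = user_dn.lower()
    for group_dn in find_referrers(directory, user_dn):
        if group_dn in failing:
            failed.append(group_dn)
            continue
        values = directory[group_dn]['uniqueMember']
        directory[group_dn]['uniqueMember'] = [v for v in values if v.lower() != key]
        cleaned.append(group_dn)
    if failed:
        # Partial success: keep the user entry so the remaining references can be
        # retried instead of silently becoming dangling uniqueMember values.
        return cleaned, failed, False
    del directory[user_dn]
    return cleaned, failed, True

def sample_directory():
    """Constructed sample data: one user referenced by two groups, one with odd DN case."""
    alice = 'uid=alice,ou=people,dc=example,dc=com'
    bob = 'uid=bob,ou=people,dc=example,dc=com'
    return {
        alice: {'objectClass': ['inetOrgPerson']},
        'cn=admins,ou=groups,dc=example,dc=com': {'uniqueMember': [alice, bob]},
        'cn=staff,ou=groups,dc=example,dc=com': {'uniqueMember': [alice.upper()]},
    }
```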