
RE: User entries not deleted from uniqueMember attributes



Thank you for your thorough explanation of referential integrity. I was just
concerned that this was broken behavior, and I didn't want to write a bunch
of superfluous code.

But it does lead me to another question. That is, if I wanted to ignore your
advice and attempt to roll that functionality into the server, does OpenLDAP
provide a plug-in environment that I can use to do this? In other words,
intercept the delete call and zap the uniqueMember entries first? The
documentation suggests that such a facility exists, but the details are not
documented anywhere.

-Robert

> -----Original Message-----
> From:	Howard Chu [SMTP:hyc@highlandsun.com]
> Sent:	Thursday, February 28, 2002 6:03 PM
> To:	Mudry, Robert (N-aerotek)
> Cc:	openldap-software@OpenLDAP.org
> Subject:	RE: User entries not deleted from uniqueMember attributes
> 
> Yes, this is standard behavior for OpenLDAP; the server will not
> fold/spindle/mutilate values that were explicitly set by the user. The flip
> side of this data integrity policy is that if you create something, you're
> responsible for removing it if you want it removed.
> 
> When a server provides this kind of cleanup automatically, that's called
> "referential integrity." There's no spec for this kind of behavior in any
> standard, so it's always a crap-shoot to rely on it. As such, the name
> "referential integrity" is a bit of an oxymoron; there really can be no
> guarantees of integrity in a referral-based distributed namespace. You can
> add a transaction layer to try to provide this sort of feature, but to do
> so would completely obliterate any notions of "Lightweight" protocol.
> 
> The LDAP protocol specifies that all of its modification-type operations
> (add/delete/modify/moddn) are atomic. This is usually simple enough to
> guarantee since you're only touching a single entry. (But even so, it can
> involve a large number of steps inside the LDAP database.) There is no
> allowance in the protocol for these single-entry atomic operations to have
> side-effects. The crucial point is there is no way to notify you when
> multiple side-effects are required but only some portion of them succeed.
> And sadly, in the real world, the chance that some multi-object operation
> will partially fail is about 100% on a moderately large system.
> 
> To sum up - the LDAP mod operations are based on an all-or-nothing premise.
> The single operation either succeeds or fails, there are no in-between
> states. To properly implement referential integrity requires a system to
> recognize and accommodate the in-between states that necessarily arise in
> complex/compound operations, and the modify operations in the LDAP protocol
> simply don't allow that. I believe that any server that attempts to provide
> this functionality within the context of these atomic operations is
> seriously flawed, and anyone who relies on these flawed behaviors has some
> serious heartbreak (or heartburn) awaiting them.
> 
> (As a final note, I feel compelled to point out that Symas' Connexitor
> provides a referential integrity framework that *does* properly handle
> partial success situations. One of the nice things you get when you design
> a system with distribution in mind from the start...)
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mudry, Robert
> > (N-aerotek)
> > Sent: Thursday, February 28, 2002 3:54 PM
> > To: 'openldap-software@OpenLDAP.org'
> > Subject: User entries not deleted from uniqueMember attributes
> >
> >
> > When deleting a user in OpenLDAP 2.0.21, that user's uniqueMember
> > attributes are being left intact. Before I write extra code to delete
> > them, before deleting the user, I would like to know if this is "standard
> > behavior" for OpenLDAP. The Netscape Directory Server (NDS) automatically
> > deletes users from uniqueMember attributes when the user was deleted--maybe
> > I am just spoiled! ;-)
> >
> > -Robert
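The client-side cleanup Robert is asking about, written as an added example that is not part of this thread and not OpenLDAP code. It models a directory in memory (constructed sample entries under dc=example,dc=com; the DNs, the Directory class and the fault-injection hook are all assumptions for the demonstration) and performs the sequence a client would issue with ldapsearch/ldapmodify/ldapdelete: find every entry whose uniqueMember references the user, remove that value with one modify per group, and delete the user entry last. Because each modify is its own atomic operation, as Howard describes, one of them can fail while the others have already succeeded; the function therefore leaves the user in place when any removal fails and returns a report of the in-between state, so the operator sees what happened and can re-run the cleanup (a re-run only finds the groups still referencing the user). It also mirrors the schema rule that groupOfUniqueNames lists uniqueMember as a required attribute, so removing a user who is a group's only member is rejected rather than silently breaking the entry.

```python
"""Client-side removal of uniqueMember references before deleting a user.

Added example: an in-memory stand-in for an LDAP directory (constructed
sample data), used to show the order of operations and what a partial
failure looks like.  Nothing here talks to a real server.
"""
from dataclasses import dataclass, field

USER_ALICE = "uid=alice,ou=people,dc=example,dc=com"
USER_BOB = "uid=bob,ou=people,dc=example,dc=com"
USER_CAROL = "uid=carol,ou=people,dc=example,dc=com"
GROUP_ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
GROUP_DEVS = "cn=developers,ou=groups,dc=example,dc=com"

# Constructed sample directory: DN -> {attribute: [values]}.
SAMPLE_DIRECTORY = {
    USER_ALICE: {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    USER_BOB: {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    USER_CAROL: {"objectClass": ["inetOrgPerson"], "uid": ["carol"]},
    GROUP_ADMINS: {"objectClass": ["groupOfUniqueNames"], "cn": ["admins"],
                   "uniqueMember": [USER_ALICE, USER_BOB]},
    GROUP_DEVS: {"objectClass": ["groupOfUniqueNames"], "cn": ["developers"],
                 "uniqueMember": [USER_CAROL, USER_ALICE]},
}


def normalize_dn(dn):
    # DN values compare case-insensitively (distinguishedNameMatch); this
    # simplified normaliser lower-cases and trims whitespace around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


class ModifyError(Exception):
    """A single modify was rejected; the entry it targeted is unchanged."""


class Directory:
    """Hypothetical in-memory directory with one-entry atomic operations."""

    def __init__(self, entries, fail_modify_on=()):
        self.entries = {dn: {a: list(v) for a, v in attrs.items()}
                        for dn, attrs in entries.items()}
        # Simulated fault injection: any modify of these DNs fails.
        self.fail_modify_on = {normalize_dn(d) for d in fail_modify_on}

    def search_referencing(self, member_dn, attr="uniqueMember"):
        # Equivalent of ldapsearch with the filter (uniqueMember=<dn>).
        target = normalize_dn(member_dn)
        return [dn for dn, attrs in self.entries.items()
                if any(normalize_dn(v) == target for v in attrs.get(attr, []))]

    def delete_value(self, dn, attr, value):
        # One atomic modify: changetype: modify / delete: attr / attr: value.
        if normalize_dn(dn) in self.fail_modify_on:
            raise ModifyError("simulated server error")
        remaining = [v for v in self.entries[dn].get(attr, [])
                     if normalize_dn(v) != normalize_dn(value)]
        # groupOfUniqueNames requires uniqueMember, so removing the last value
        # is an objectClassViolation and the whole modify is rejected.
        if not remaining and "groupOfUniqueNames" in self.entries[dn].get("objectClass", []):
            raise ModifyError("objectClassViolation: uniqueMember is required")
        self.entries[dn][attr] = remaining

    def delete_entry(self, dn):
        del self.entries[dn]


@dataclass
class CleanupReport:
    cleaned: list = field(default_factory=list)  # groups the DN was removed from
    failed: dict = field(default_factory=dict)   # group DN -> error text
    deleted: bool = False                         # was the user entry deleted?


def delete_user_with_cleanup(directory, user_dn, attr="uniqueMember"):
    """Remove every reference to user_dn, then delete the user entry last.

    Each step is an independent atomic operation.  If any reference removal
    fails, the user is kept so the in-between state is visible in the report
    and a later re-run can finish: groups already cleaned are no longer
    returned by the search, so the function is safe to repeat.
    """
    report = CleanupReport()
    for group_dn in directory.search_referencing(user_dn, attr):
        try:
            directory.delete_value(group_dn, attr, user_dn)
            report.cleaned.append(group_dn)
        except ModifyError as exc:
            report.failed[group_dn] = str(exc)
    if not report.failed and user_dn in directory.entries:
        directory.delete_entry(user_dn)
        report.deleted = True
    return report


if __name__ == "__main__":
    print(delete_user_with_cleanup(Directory(SAMPLE_DIRECTORY), USER_ALICE))
    broken = Directory(SAMPLE_DIRECTORY, fail_modify_on=[GROUP_DEVS])
    print(delete_user_with_cleanup(broken, USER_ALICE))  # partial: user kept
```

The ordering is the whole point: deleting the user first would leave dangling uniqueMember values with no record of which groups still need attention, whereas cleaning references first and deleting last means a failure leaves a state that is both detectable (the report) and recoverable (re-run). The objectClassViolation branch is the case most scripts forget: a group whose only member is the user cannot simply lose that value, and a real server will reject the modify exactly as the simulation does.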