[Date Prev][Date Next]
Re: (ITS#4442) slapo-refint does not prohibit deletion of entry
> On Fri, 2006-03-17 at 10:03 +0000, firstname.lastname@example.org wrote:
>> I'm using slapo-refint *without* configuration directive refint_nothing.
>> Although I'm deleting an entry whose DN is an attribute value of a MUST
>> attribute in another entry and both the error code and the log messages indicate
>> that this is not allowed the entry is deleted.
> Actually, slapo-refint is not supposed to prevent those deletes, it
> simply logs that they break referential integrity. To prevent those
> operations would require heavy reworking of the overlay and break the
> model it relies on - that is: do the modifications requested by the
> user; then do the best that it can to take care of referential
> integrity, or note when it cannot be preserved.
> In any case, since operations can occur any time, and the writes
> involved in referential integrity enforcing are not transactional,
> nothing prevents it from being broken by concurrent operations that
> create references to an object while it's being deleted, so the overlay
> wouldn't be able to guarantee it anyway...
> I'd rather see your ITS as a feature request for reworking the overlay
> in order to be more strict in trying to enforce referential integrity,
> yet with no guarantee (at least until transactions are implemented).
I think the "bug" here is that the server should not send an error
response back to the client, since the main request already succeeded.
The question is whether we should still send the error text back,
indicating that the dependent modifications failed. I think the answer
is no, because most clients won't look for any error text upon receiving
an LDAP_SUCCESS result anyway, and it's really just an internal note
anyway. Clients aren't aware of the refint activity, and can't alter
their behavior in response to it regardless.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/