[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#6825) unique_uri filter reaching beyond its intended target
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6825) unique_uri filter reaching beyond its intended target
- From: hyc@symas.com
- Date: Thu, 3 Feb 2011 23:25:15 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
subbarao@computer.org wrote:
> Full_Name: Kartik Subbarao
> Version: 2.4.23
> OS: Debian Linux 5.0.5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.99.175.5)
>
>
> I have the uniqueness overlay configured as follows in slapd.conf:
>
> overlay unique
> unique_uri ldap:///?gidNumber?sub?(objectClass=posixGroup)
>
> The policy I want to enforce is that all posixGroup entries must have a unique
> gidNumber attribute. At the same time, I want to *allow* non-posixGroup entries
> (such as inetOrgPerson) to have the same gidNumber attribute that a posixGroup
> entry has. This is so that a user can have a login group id set to that of an
> existing group.
>
> With the above configuration in place, if I create a posixGroup entry with
> gidNumber 389, and then try to add a gidNumber attribute of 389 to an
> inetOrgPerson entry, the operation fails with a constraint error "some
> attributes not unique".
>
> As I read the manpage for slapo-unique, the unique_uri filter seems to support
> the functionality that I want:
>
> =====
> The filter component causes the domain to apply uniqueness constraints only to
> matching objects. e.g. ldap:///?cn?sub?(sn=e*) would require unique cn
> attributes for
> all objects in the subtree of the back-end database whose sn starts with an e.
> =====
>
> I'm inferring from this that uniqueness constraints on the cn attribute would
> *not* be applied to objects that don't match the filter. But that doesn't seem
> to be happening here. Is this a bug in the uniqueness overlay or am I not
> understanding the implementation?
Looks like a bug, the filter check is only implemented for Add operations, not
for Modify or ModDN.
In the meantime, as a workaround you should simply use a more fully qualified
URI. Restrict the URI to the ou containing your posixGroup entries. Since user
names and group names are separate name spaces in POSIX, you cannot store them
both in the same branches of a DIT anyway.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/