[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7820) slapo-constraint falsely allows add with count 1

On 03/15/2014 05:38 PM, michael@stroeder.com wrote:
> Full_Name:
> Version: 2.4.39
> OS: not relevant
> URL:
> Submission from: (NULL) (
> Not sure whether this is a regression caused by the fix for ITS#7773.
> Given this constraint:
> constraint_attribute
>    uid
>    count 1
>    restrict="ldap:///ou=example??sub?(objectClass=account)"
> One can still add two 'uid' values when sending an add request like this:
> dn: uid=test1,ou=example
> changetype: add
> objectClass: account
> uid: test2
> [..]
> Generally I don't like this magic of accepting both attribute values from DN and
> entry. :-/

Indeed, the check (and magic) of adding distinguished value(s) to entry 
occurs during entry_naming_check(), which occurs during 
entry_schema_check(), which occurs in the backend add operations, right 
after overlays had a chance to look at the entry.

2 approaches:
a) anticipate naming check
b) duplicate naming check in slapo-constraint

(b) is a waste, but "localized"; not sure what would be the side effects 
of (a).


Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano