[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?



On Tue, Sep 22, 2015 at 08:45:12PM +0000, ondra@mistotebe.net wrote:
> On Tue, Sep 22, 2015 at 09:01:59AM +0000, geert@hendrickx.be wrote:
>> For clarity I do agree that a control should exist to bypass uniqueness
>> (and other) constraints.  However I think manageDSAit is not the
>> appropriate control by its definition, and also in practice given the
>> fact it's set per default by popular client libs.
>> 
>> Relax Rules seems much more appropriate for this use case, as it's intended
>> to temporarily relax database constraints, for administrative use only.
> 
> Yes, Relax control is better for manual bypass. We just need to make
> sure the original issue that this code was created to address is not
> reintroduced. ITS#6641 was put up to allow replication to bypass this
> overlay and anything that was already loaded to one master should
> happily replicate everywhere else. At that point, manageDSAit was the
> only way I could find to distinguish an operation coming from syncrepl,
> it seems that the constraint overlay has a more reliable check so that
> might be a better idea.
> 
> Patch to that effect is here:
> ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20150922-ITS-8245-unique-relax.patch

Given that relax control is still allowed for everyone (and no ACL
support for controls exists yet), this patch will buy us little. I have
updated the test suite accordingly so that this can be merged when
OpenLDAP is ready:
ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330-ITS-8245-unique-relax.patch

-- 
OndÅ?ej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP