[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8245) slapo-unique constraints bypassed by manageDsaIt, change to relax?
- From: ondra@mistotebe.net
- Date: Thu, 30 Mar 2017 12:34:13 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On Tue, Sep 22, 2015 at 08:45:12PM +0000, ondra@mistotebe.net wrote:
> On Tue, Sep 22, 2015 at 09:01:59AM +0000, geert@hendrickx.be wrote:
>> For clarity I do agree that a control should exist to bypass uniqueness
>> (and other) constraints. However I think manageDSAit is not the
>> appropriate control by its definition, and also in practice given the
>> fact it's set per default by popular client libs.
>>
>> Relax Rules seems much more appropriate for this use case, as it's intended
>> to temporarily relax database constraints, for administrative use only.
>
> Yes, Relax control is better for manual bypass. We just need to make
> sure the original issue that this code was created to address is not
> reintroduced. ITS#6641 was put up to allow replication to bypass this
> overlay and anything that was already loaded to one master should
> happily replicate everywhere else. At that point, manageDSAit was the
> only way I could find to distinguish an operation coming from syncrepl,
> it seems that the constraint overlay has a more reliable check so that
> might be a better idea.
>
> Patch to that effect is here:
> ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20150922-ITS-8245-unique-relax.patch
Given that relax control is still allowed for everyone (and no ACL
support for controls exists yet), this patch will buy us little. I have
updated the test suite accordingly so that this can be merged when
OpenLDAP is ready:
ftp://ftp.openldap.org/incoming/Ondrej-Kuznik-20170330-ITS-8245-unique-relax.patch
--
OndÅ?ej KuznÃk
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP