uniqueness constraint violated when using ldapadd -M
- To: openldap-technical@openldap.org
- Subject: uniqueness constraint violated when using ldapadd -M
- From: Geert Hendrickx <geert@hendrickx.be>
- Date: Mon, 24 Aug 2015 15:25:23 +0200
- User-agent: Mutt/1.5.23+102 (2ca89bed6448) (2014-03-12)
Hi,

I noticed uniqueness constraints enforced by the slapo-unique overlay can
be bypassed when using the manage DSA IT control (ldapadd -M).

Using the following simple constraint:

    overlay unique
    unique_uri ldap:///?mail?sub

I get:

$ ldapadd -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test@my-domain.com
adding new entry "cn=test1,dc=my-domain,dc=com"
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test@my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com"
ldap_add: Constraint violation (19)
additional info: some attributes not unique <===== ok, as expected

Retrying with -M:

$ ldapadd -M -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test@my-domain.com <===== duplicate, violates uniqueness constraint
adding new entry "cn=test2,dc=my-domain,dc=com" <===== but it is accepted?
$ ldapsearch -x -h localhost -b dc=my-domain,dc=com mail=test@my-domain.com
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: mail=test@my-domain.com
# requesting: ALL
#
# test1, my-domain.com
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test@my-domain.com
# test2, my-domain.com
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: test@my-domain.com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

The uniqueness constraint has been violated when using -M, while it was
correctly enforced without -M.

Feature or bug?

Geert
--
geert.hendrickx.be :: geert@hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
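
An audit for the condition reported above, as an added example that is not part of the original post: it scans an LDIF export for values of a supposedly unique attribute that more than one entry holds, which catches duplicates regardless of how they got past the overlay. The function names and the sample data are constructed for illustration; it assumes the export covers the whole subtree named in `unique_uri` and approximates the case-insensitive matching of `mail` by lowercasing.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like `slapcat` / `ldapsearch -LLL` output, with a
# case-variant value folded over two lines and a base64-encoded value.
SAMPLE_LDIF = """\
dn: cn=test1,dc=my-domain,dc=com
mail: test@my-domain.com

dn: cn=test2,dc=my-domain,dc=com
mail: Test@My-Domain.
 com

dn: cn=test3,dc=my-domain,dc=com
mail:: dGVzdEBteS1kb21haW4uY29t

dn: cn=test4,dc=my-domain,dc=com
mail: other@my-domain.com
"""

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def duplicate_values(ldif, attr="mail"):
    """Map each attr value (lowercased) held by several entries to their DNs."""
    holders, dn = defaultdict(set), None
    for line in unfold(ldif):
        if not line:
            dn = None  # a blank line ends the current entry
            continue
        name, _, rest = line.partition(":")
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                 if rest.startswith(":") else rest.strip())  # "attr:: <base64>"
        if name.lower() == "dn":
            dn = value
        elif name.lower() == attr.lower() and dn:
            holders[value.lower()].add(dn)
    return {v: sorted(dns) for v, dns in holders.items() if len(dns) > 1}

if __name__ == "__main__":
    for value, dns in duplicate_values(SAMPLE_LDIF).items():
        print(value, "->", "; ".join(dns))
```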