[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: uniqueness constraint violated when using ldapadd -M

To: Michael Ströder <michael@stroeder.com>, openldap-technical@openldap.org
Subject: Re: uniqueness constraint violated when using ldapadd -M
From: Geert Hendrickx <geert@hendrickx.be>
Date: Mon, 7 Sep 2015 22:25:17 +0200
Cc: Howard Chu <hyc@symas.com>, Pierangelo Masarati <pierangelo.masarati@polimi.it>
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=hendrickx.be; s=geert; t=1441657517; bh=+NPhHW3U6oq/OwCSEshSwDq08Wt/9UsOf9uBXYnOTes=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=zHc0p6xD7jaAtKHiChapenE1lX/uNWKGlp6D1+iH+YvC06stk1gwG8vzUjHt68u7s 1vQjU4g6pB4Izz6nvGJCtqRNBWHLEKYc/GDVXl6RCMP3tnHYzilqyGluJqKm1CC/1v PUgk0gayy+u/MgePYRFkfJMt6g2eCqMsIuZVhioWEah6mi5mbEXw6cjuksFxFFmIzl TM3CDH1CodwADmRY4skSs1WE4pA+zT2oX7pWFM6z53k8uAPybeNrqajmuMQwDuWCZ2 ixGp18oDmyBtKCV9q6jzSeM2N42HzfEEWn9GOe7KIgSxIQ+GGXLyxFKlVOXefKFy4Q PhVuJPJScliIw==
In-reply-to: <20150902121518.GA6592@vera.ghen.be>
References: <20150824132523.GA13533@vera.ghen.be> <55DC6391.7030505@symas.com> <20150825131222.GA19054@vera.ghen.be> <20150825140748.GA19293@vera.ghen.be> <55E6D8A0.7020608@stroeder.com> <20150902121518.GA6592@vera.ghen.be>
User-agent: Mutt/1.5.24 (2015-08-30)

On Wed, Sep 02, 2015 at 14:15:18 +0200, Geert Hendrickx wrote:
> On Wed, Sep 02, 2015 at 13:08:16 +0200, Michael Ströder wrote:
> > Geert Hendrickx wrote:
> > > It's still not clear for me what is the link between the Manage DSA IT
> > > control and uniqueness constraint.  From RFC 3296 defining the control:
> > > [..]
> > 
> > IIRC Pierangelo used the Manage DSA IT control for that use-case because
> > the Relax Rules control wasn't defined at that time. Yes, I also consider
> > this to be a flaw because JNDI sends along Manage DSA IT control by
> > default.
> > 
> 
> 
> Hi,
> 
> I'm not familiar with the inner details, but could it be that there has
> been confusion between "Manage DSA IT" control (RFC 3296) and "ManageDIT"
> control which has been obsoleted/replaced by the Relax Rules control?



This documentation ITS seems to confirm the (deliberate?) confusion between
the ManageDsaIt and ManageDIT/Relax controls as well:

http://www.openldap.org/its/index.cgi/Documentation?id=7795

> I vaguely remember that before the birth of draft-zeilenga-ldap-relax
> some (overlays?) misused the Manage DSA IT control for that purpose.

> "manageDIT" was renamed to "relax" because it was too similar to
> "manageDSAit".  Besides, although its use is intrinsically related to
> performing administrative operations, it is specifically meant to work
> around rules that make sense from a data model point of view but may
> need to be circumvented *during* "special" operations.


To implement a bypass of uniquness constraints, the relax control seems
much more appropriate than ManageDsaIt.

The attached patch works for me.  Should I file an ITS for slapo-unique?


	Geert


-- 
geert.hendrickx.be :: geert@hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!

--- servers/slapd/overlays/unique.c	2015-08-14 17:25:28.000000000 +0200
+++ servers/slapd/overlays/unique.c	2015-09-07 22:00:44.217833199 +0200
@@ -1038,9 +1038,8 @@
 	Debug(LDAP_DEBUG_TRACE, "==> unique_add <%s>\n",
 	      op->o_req_dn.bv_val, 0, 0);
 
-	/* skip the checks if the operation has manageDsaIt control in it
-	 * (for replication) */
-	if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+	/* skip the checks if the operation has relax control in it */
+	if ( op->o_relax > SLAP_CONTROL_IGNORED
 	     && access_allowed ( op, op->ora_e,
 				 slap_schema.si_ad_entry, NULL,
 				 ACL_MANAGE, NULL ) ) {
@@ -1170,9 +1169,8 @@
 	Debug(LDAP_DEBUG_TRACE, "==> unique_modify <%s>\n",
 	      op->o_req_dn.bv_val, 0, 0);
 
-	/* skip the checks if the operation has manageDsaIt control in it
-	 * (for replication) */
-	if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+	/* skip the checks if the operation has relax control in it */
+	if ( op->o_relax > SLAP_CONTROL_IGNORED
 	     && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
 	     && e
 	     && access_allowed ( op, e,
@@ -1301,9 +1299,8 @@
 	Debug(LDAP_DEBUG_TRACE, "==> unique_modrdn <%s> <%s>\n",
 		op->o_req_dn.bv_val, op->orr_newrdn.bv_val, 0);
 
-	/* skip the checks if the operation has manageDsaIt control in it
-	 * (for replication) */
-	if ( op->o_managedsait > SLAP_CONTROL_IGNORED
+	/* skip the checks if the operation has relax control in it */
+	if ( op->o_relax > SLAP_CONTROL_IGNORED
 	     && overlay_entry_get_ov(op, &op->o_req_ndn, NULL, NULL, 0, &e, on) == LDAP_SUCCESS
 	     && e
 	     && access_allowed ( op, e,

References:
- Re: uniqueness constraint violated when using ldapadd -M
  - From: Michael Ströder <michael@stroeder.com>
- Re: uniqueness constraint violated when using ldapadd -M
  - From: Geert Hendrickx <geert@hendrickx.be>

Prev by Date: basedn vs binddn
Next by Date: Re: ldapmodrdn accented characters with windows client
Index(es):
- Chronological
- Thread