[Freeipa-devel] Ticket #2866 - referential integrity in IPA

Dmitri Pal dpal at redhat.com
Mon Aug 27 12:40:04 UTC 2012


On 08/17/2012 10:00 AM, Rich Megginson wrote:
> On 08/17/2012 07:44 AM, Martin Kosek wrote:
>> Hi guys,
>>
>> I am now investigating ticket #2866:
>> https://fedorahosted.org/freeipa/ticket/2866
>>
>> And I am thinking about possible solutions for this problem. In a
>> nutshell, we do not properly check referential integrity in some IPA
>> objects where we keep one-way DN references to other objects, e.g. in
>> - managedBy attribute for a host object
>> - memberhost attribute for HBAC rule object
>> - memberuser attribute for user object
>> - memberallowcmd or memberdenycmd for SUDO command object (reported in
>> #2866)
>> ...
>>
>> Currently, I see 2 approaches to solve this:
>> 1) Add relevant checks to our ipalib plugins where problematic
>> operations are being executed (like we do for selinuxusermap's seealso
>> attribute in HBAC plugin).
>> This of course would not prevent direct LDAP deletes.
>>
>> 2) Implement a preop DS plugin that would hook to MODRDN and DELETE
>> callbacks and check that this object's DN is not referenced in other
>> objects. And if it is, it would reject such modification. Second
>> option would be to delete the attribute value with now invalid
>> reference. This would be probably more suitable for example for
>> references to user objects.
>>
>> Any comments to these possible approaches are welcome.
>>
>> Rich, do you think that as an alternative to these 2 approaches,
>> memberOf plugin could be eventually modified to do this task?
>
> This is very similar to the referential integrity plugin already in
> 389, except instead of cleaning up references to moved and deleted
> entries, you want it to prevent moving or deleting an entry if that
> entry is referenced by the
> managedby/memberhost/memberuser/memberallowcmd/memberdenycmd of some
> other entry.
>
> Note that the managed entry plugin (mep) already handles this for the
> managedby attribute.
>
> Are you already using the memberof plugin for
> memberhost/memberuser/memberallowcmd/memberdenycmd?
>
> This doesn't seem like a job for memberof, this seems like more of a
> new check for the referential integrity plugin.

Did it translate into a DS ticket?
I suspect it is not a big change and would solve a bunch of ugly
referential integrity problems.

>
>>
>> Thank you,
>> Martin
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
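To make the two options Martin lists concrete (reject the DELETE while the DN is still referenced, or strip the dangling value first), here is a stand-alone illustration in Python. It is example code added here, not FreeIPA or 389 DS code: the directory is a constructed in-memory dict of entries, the attribute list is the one named in the thread, and normalize_dn is a deliberately simplified DN comparison (assumed case-insensitive naming attributes, no multi-valued RDNs). reference_filter shows the search filter an ipalib-side check would send, with the DN escaped per RFC 4515 so that characters such as '*' or ')' in an RDN cannot change the filter.

```python
"""Referential-integrity check for one-way DN references.

Added example, not FreeIPA or 389 DS code.  It shows the two behaviours the
thread weighs for a delete of a referenced entry: reject the operation, or
strip the now-dangling value from the referencing entries first.  The
directory is a constructed in-memory dict {dn: {attr: [values]}}.
"""

# Attributes holding one-way DN references to other entries (from the thread).
REFERENCE_ATTRS = ("managedby", "memberhost", "memberuser",
                   "memberallowcmd", "memberdenycmd")


class ReferencedError(Exception):
    """Raised when an entry is still referenced and mode is 'reject'."""


def split_rdns(dn):
    """Split a DN on unescaped commas (backslash-escaped commas are kept)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Comparison form of a DN: trim whitespace around RDNs and lower-case.
    Assumption: case-insensitive matching for every attribute in the DN
    (true for the IPA naming attributes here); not a full RFC 4514
    normalisation (multi-valued RDNs and hex escapes are not handled)."""
    return ",".join(p.strip() for p in split_rdns(dn)).lower()


def escape_filter_value(value):
    """RFC 4515 escaping: the DN goes inside a search filter, so '*', '(',
    ')', '\\' and NUL must be hex-escaped or they change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def reference_filter(dn, attrs=REFERENCE_ATTRS):
    """Filter a plugin would search with to find entries referencing dn:
    (|(managedby=<dn>)(memberhost=<dn>)...)."""
    v = escape_filter_value(dn)
    return "(|" + "".join("(%s=%s)" % (a, v) for a in attrs) + ")"


def find_references(directory, dn, attrs=REFERENCE_ATTRS):
    """Return [(referencing_dn, attr, stored_value), ...] for every value of
    `attrs` in `directory` that names `dn` (compared in normalised form)."""
    target = normalize_dn(dn)
    return [(entry_dn, attr, value)
            for entry_dn, entry in directory.items()
            for attr in attrs
            for value in entry.get(attr, [])
            if normalize_dn(value) == target]


def delete_entry(directory, dn, mode="reject"):
    """Delete dn from directory under referential integrity.

    mode='reject'  : refuse while anything still references dn (the preop
                     behaviour proposed in the thread).
    mode='cleanup' : strip the dangling values from the referencing entries,
                     then delete (what the 389 referint plugin does).
    Returns the references that were found.
    """
    target = normalize_dn(dn)
    key = next((k for k in directory if normalize_dn(k) == target), None)
    if key is None:
        raise KeyError("no such entry: %s" % dn)
    refs = find_references(directory, dn)
    if refs and mode == "reject":
        raise ReferencedError("%s is referenced by: %s" % (
            dn, ", ".join("%s (%s)" % (r[0], r[1]) for r in refs)))
    for ref_dn, attr, value in refs:
        directory[ref_dn][attr].remove(value)
        if not directory[ref_dn][attr]:      # drop the attribute when empty
            del directory[ref_dn][attr]
    del directory[key]
    return refs


def sample_directory():
    """Constructed sample: a user, an HBAC rule pointing at her, a sudo rule
    pointing at a command, and a host managed by another host."""
    base = "dc=example,dc=com"
    alice = "uid=alice,cn=users,cn=accounts," + base
    less = "sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo," + base
    host2 = "fqdn=host2.example.com,cn=computers,cn=accounts," + base
    return {
        alice: {"objectclass": ["inetorgperson"]},
        less: {"objectclass": ["ipasudocmd"]},
        host2: {"objectclass": ["ipahost"]},
        "cn=allow_alice,cn=hbac," + base: {"memberuser": [alice]},
        "cn=pagers,cn=sudorules,cn=sudo," + base: {"memberallowcmd": [less]},
        "fqdn=host1.example.com,cn=computers,cn=accounts," + base:
            {"managedby": [host2]},
    }


if __name__ == "__main__":
    d = sample_directory()
    alice = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
    print(reference_filter(alice))
    try:
        delete_entry(d, "UID=Alice, cn=users,cn=accounts,dc=example,dc=com")
    except ReferencedError as e:
        print("rejected:", e)
    print("cleaned:", delete_entry(d, alice, mode="cleanup"))
```

Two points worth keeping in mind when comparing the two approaches from the thread: done from ipalib, the search and the delete are two separate LDAP operations, so a reference added between them slips through, and direct LDAP deletes bypass the check entirely; a preop plugin sees the operation inside the server and has neither gap. Whichever side does the check, the DN must be compared in normalised form (the HBAC rule above references "uid=alice" while the delete arrives as "UID=Alice, cn=users,...") and must be escaped before it is placed in a filter.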