[Freeipa-devel] Ticket #2866 - referential integrity in IPA

Dmitri Pal dpal at redhat.com
Mon Aug 27 18:34:10 UTC 2012


On 08/27/2012 11:25 AM, Rich Megginson wrote:
> On 08/27/2012 06:41 AM, Dmitri Pal wrote:
>> On 08/17/2012 10:00 AM, Rich Megginson wrote:
>>> On 08/17/2012 07:44 AM, Martin Kosek wrote:
>>>> Hi guys,
>>>>
>>>> I am now investigating ticket #2866:
>>>> https://fedorahosted.org/freeipa/ticket/2866
>>>>
>>>> And I am thinking about possible solutions for this problem. In a
>>>> nutshell, we do not properly check referential integrity in some IPA
>>>> objects where we keep one-way DN references to other objects, e.g. in
>>>> - managedBy attribute for a host object
>>>> - memberhost attribute for HBAC rule object
>>>> - memberuser attribute for user object
>>>> - memberallowcmd or memberdenycmd for SUDO command object (reported in
>>>> #2866)
>>>> ...
>>>>
>>>> Currently, I see 2 approaches to solve this:
>>>> 1) Add relevant checks to our ipalib plugins where problematic
>>>> operations with these operations are being executed (like we do for
>>>> selinuxusermap's seealso attribute in HBAC plugin)
>>>> This of course would not prevent direct LDAP deletes.
>>>>
>>>> 2) Implement a preop DS plugin that would hook to MODRDN and DELETE
>>>> callbacks and check that this object's DN is not referenced in other
>>>> objects. And if it is, it would reject such modification. Second
>>>> option would be to delete the attribute value with now invalid
>>>> reference. This would probably be more suitable for example for
>>>> references to user objects.
>>>>
>>>> Any comments to these possible approaches are welcome.
>>>>
>>>> Rich, do you think that as an alternative to these 2 approaches,
>>>> memberOf plugin could be eventually modified to do this task?
>>> This is very similar to the referential integrity plugin already in
>>> 389, except instead of cleaning up references to moved and deleted
>>> entries, you want it to prevent moving or deleting an entry if that
>>> entry is referenced by the
>>> managedby/memberhost/memberuser/memberallowcmd/memberdenycmd of some
>>> other entry.
>>>
>>> Note that the managed entry plugin (mep) already handles this for the
>>> managedby attribute.
>>>
>>> Are you already using the memberof plugin for
>>> memberhost/memberuser/memberallowcmd/memberdenycmd?
>>>
>>> This doesn't seem like a job for memberof, this seems like more of a
>>> new check for the referential integrity plugin.
>> Did it translate into a DS ticket?
> No.  Is there an IPA ticket to link to?

Yes, the one at the top of this email.

>> I suspect it is not a big change and would solve a bunch of ugly
>> referential integrity problems.
>>
>>>> Thank you,
>>>> Martin
>>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
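
An added example, not part of the original message and not FreeIPA or 389 DS code: a small in-memory model of the pre-operation check discussed in the thread, showing both behaviours Martin describes (reject the delete, or remove the now-invalid reference). The directory contents, DNs, function names and the simplified DN normalisation are assumptions made for illustration.

```python
# In-memory model of the pre-operation check discussed in the thread.
# Not 389 DS plugin code; entries and DNs below are constructed sample data.

REF_ATTRS = ("managedby", "memberhost", "memberuser",
             "memberallowcmd", "memberdenycmd")


class ReferencedError(Exception):
    """Raised when a delete would leave a dangling DN reference."""


def norm_dn(dn):
    # Simplified DN normalisation (assumption): lower-case and strip
    # spaces around RDN separators. Real servers normalise per schema.
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_references(directory, target_dn):
    """Return sorted (entry_dn, attribute) pairs that point at target_dn."""
    target = norm_dn(target_dn)
    hits = []
    for dn, attrs in directory.items():
        for name, values in attrs.items():
            if name.lower() in REF_ATTRS and any(norm_dn(v) == target for v in values):
                hits.append((dn, name))
    return sorted(hits)


def pre_delete(directory, target_dn, policy="reject"):
    """Apply the check before a delete; policy is 'reject' or 'cleanup'."""
    refs = find_references(directory, target_dn)
    if refs and policy == "reject":
        raise ReferencedError(f"{target_dn} is referenced by {refs}")
    for dn, name in refs:  # 'cleanup': drop the soon-to-be-invalid values
        directory[dn][name] = [v for v in directory[dn][name]
                               if norm_dn(v) != norm_dn(target_dn)]
    key = next(k for k in directory if norm_dn(k) == norm_dn(target_dn))
    del directory[key]
    return refs


def sample_directory():
    # Constructed entries, loosely shaped like IPA sudo objects.
    return {
        "cn=ls,cn=sudocmds,dc=example,dc=test": {"sudoCmd": ["/bin/ls"]},
        "cn=rule1,cn=sudorules,dc=example,dc=test": {
            "memberAllowCmd": ["CN=ls, cn=sudocmds, dc=example, dc=test"],
            "memberDenyCmd": [],
        },
    }
```

A check like this only helps against direct LDAP deletes if it runs inside the directory server; run from a client-side layer it has the same gap noted for approach 1.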

