On 08/27/2012 11:25 AM, Rich Megginson wrote: > On 08/27/2012 06:41 AM, Dmitri Pal wrote: >> On 08/17/2012 10:00 AM, Rich Megginson wrote: >>> On 08/17/2012 07:44 AM, Martin Kosek wrote: >>>> Hi guys, >>>> >>>> I am now investigating ticket #2866: >>>> https://fedorahosted.org/freeipa/ticket/2866 >>>> >>>> And I am thinking about possible solutions for this problem. In a >>>> nutshell, we do not properly check referential integrity in some IPA >>>> objects where we keep one-way DN references to other objects, e.g. in >>>> - managedBy attribute for a host object >>>> - memberhost attribute for HBAC rule object >>>> - memberuser attribute for user object >>>> - memberallowcmd or memberdenycmd for SUDO command object (reported in >>>> #2866) >>>> ... >>>> >>>> Currently, I see 2 approaches to solve this: >>>> 1) Add relevant checks to our ipalib plugins where problematic >>>> operations with these operations are being executed (like we do for >>>> selinuxusermap's seealso attribute in HBAC plugin) >>>> This of course would not prevent direct LDAP deletes. >>>> >>>> 2) Implement a preop DS plugin that would hook to MODRDN and DELETE >>>> callbacks and check that this object's DN is not referenced in other >>>> objects. And if it does, it would reject such modification. Second >>>> option would be to delete the attribute value with now invalid >>>> reference. This would be probably more suitable for example for >>>> references to user objects. >>>> >>>> Any comments to these possible approaches are welcome. >>>> >>>> Rich, do you think that as an alternative to these 2 approaches, >>>> memberOf plugin could be eventually modified to do this task? >>> This is very similar to the referential integrity plugin already in >>> 389, except instead of cleaning up references to moved and deleted >>> entries, you want it to prevent moving or deleting an entry if that >>> entry is referenced by the >>> managedby/memberhost/memberuser/memberallowcmd/memberdenycmd of some >>> other entry. >>> >>> Note that the managed entry plugin (mep) already handles this for the >>> managedby attribute. >>> >>> Are you already using the memberof plugin for >>> memberhost/memberuser/memberallowcmd/memberdenycmd? >>> >>> This doesn't seem like a job for memberof, this seems like more of a >>> new check for the referential integrity plugin. >> Did it translate into a DS ticket? > No. Is there an IPA ticket to link to?
Yes, the one at the top of this email. >> I suspect it is not a big change and would solve a bunch of ugly >> referential integrity problems. >> >>>> Thank you, >>>> Martin >>>> >>> _______________________________________________ >>> Freeipa-devel mailing list >>> Freeipaemail@example.com >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >> > > _______________________________________________ > Freeipa-devel mailing list > Freeipafirstname.lastname@example.org > https://www.redhat.com/mailman/listinfo/freeipa-devel > > -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-devel mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-devel