Hi, I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M).
Using the following simple constraint:

    overlay unique
    unique_uri ldap:///?mail?sub

I get:

$ ldapadd -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: [email protected]

adding new entry "cn=test1,dc=my-domain,dc=com"

dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: [email protected]          <===== duplicate, violates uniqueness constraint

adding new entry "cn=test2,dc=my-domain,dc=com"
ldap_add: Constraint violation (19)
        additional info: some attributes not unique          <===== ok, as expected

Retrying with -M:

$ ldapadd -M -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: [email protected]          <===== duplicate, violates uniqueness constraint

adding new entry "cn=test2,dc=my-domain,dc=com"          <===== but it is accepted?

$ ldapsearch -x -h localhost -b dc=my-domain,dc=com [email protected]
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: [email protected]
# requesting: ALL
#

# test1, my-domain.com
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: [email protected]

# test2, my-domain.com
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: [email protected]

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

The uniqueness constraint has been violated when using -M, while it was
correctly enforced without -M.  Feature or bug?

Geert

-- 
geert.hendrickx.be :: [email protected] :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
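Since the post shows that slapo-unique's check is skipped for adds made with the Manage DSA IT control, an administrator cannot rely on the overlay alone and needs an after-the-fact audit of the directory for duplicate values. The script below is an added example, not code from the post or from the OpenLDAP project: it parses the LDIF that ldapsearch prints (comments, blank-line entry separators, folded continuation lines and base64 `::` values), then reports every value of a chosen attribute that is held by more than one entry. The embedded LDIF and the addresses in it are constructed placeholders, not the entries from the post. Because the mail attribute's equality rule is case-insensitive, the comparison folds case by default so it agrees with what the overlay itself would treat as a duplicate.

```python
import base64
import sys
from collections import defaultdict

# Constructed sample of ldapsearch output: three inetOrgPerson entries, two of
# which share a mail value differing only in case, and one whose mail is
# base64-encoded and folded across two lines (placeholder addresses).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: (objectClass=inetOrgPerson)
# requesting: ALL
#

# test1, my-domain.com
dn: cn=test1,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test1
mail: test@example.invalid

# test2, my-domain.com
dn: cn=test2,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test2
sn: test2
mail: TEST@example.invalid

# test3, my-domain.com
dn: cn=test3,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test3
sn: test3
mail:: b3RoZXJAZXhhbXBsZS5p
 bnZhbGlk

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def _entry_from_lines(lines):
    """Turn one entry's unfolded LDIF lines into (dn, {attr_lower: [values]})."""
    dn = None
    attrs = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    # Trailer blocks such as 'search: 2 / result: 0 Success' carry no dn;
    # they are not entries and are dropped here.
    return None if dn is None else (dn, dict(attrs))


def parse_ldif(text):
    """Return a list of (dn, attrs) tuples for every entry in an LDIF text."""
    entries = []
    logical = []  # unfolded lines of the entry being read
    for raw in text.splitlines():
        if raw.startswith("#"):  # ldapsearch comment line
            continue
        if raw.startswith(" ") and logical:  # folded continuation line
            logical[-1] += raw[1:]
            continue
        if raw == "":  # blank line ends the current entry
            if logical:
                entry = _entry_from_lines(logical)
                if entry is not None:
                    entries.append(entry)
                logical = []
            continue
        logical.append(raw)
    if logical:
        entry = _entry_from_lines(logical)
        if entry is not None:
            entries.append(entry)
    return entries


def find_duplicates(entries, attribute, casefold=True):
    """Map each value of `attribute` that appears in more than one entry to the DNs holding it."""
    holders = defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get(attribute.lower(), []):
            holders[value.casefold() if casefold else value].append(dn)
    return {value: dns for value, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    # Usage: ldapsearch -x -b dc=my-domain,dc=com '(mail=*)' mail | python audit.py -
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LDIF
    for value, dns in find_duplicates(parse_ldif(text), "mail").items():
        print(f"mail={value!r} is held by {len(dns)} entries: {', '.join(dns)}")
```

Running it with `-` on real ldapsearch output lists exactly the entries that a non-bypassed slapo-unique would have refused; scheduling that over the attributes named in each unique_uri gives a detective control for adds that arrived with -M.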
