[Freeipa-devel] Ticket #2866 - referential integrity in IPA

Rich Megginson rmeggins at redhat.com
Fri Aug 17 14:00:24 UTC 2012 

On 08/17/2012 07:44 AM, Martin Kosek wrote:
> Hi guys,
>
> I am now investigating ticket #2866:
> https://fedorahosted.org/freeipa/ticket/2866
>
> And I am thinking about possible solutions for this problem. In a
> nutshell, we do not properly check referential integrity in some IPA
> objects where we keep one-way DN references to other objects, e.g. in
> - managedBy attribute for a host object
> - memberhost attribute for HBAC rule object
> - memberuser attribute for user object
> - memberallowcmd or memberdenycmd for SUDO command object (reported in
> #2866)
> ...
>
> Currently, I see 2 approaches to solve this:
> 1) Add relevant checks to our ipalib plugins where problematic
> operations with these operations are being executed (like we do for
> selinuxusermap's seealso attribute in HBAC plugin)
> This of course would not prevent direct LDAP deletes.
>
> 2) Implement a preop DS plugin that would hook to MODRDN and DELETE
> callbacks and check that this object's DN is not referenced in other
> objects. And if it does, it would reject such modification. Second
> option would be to delete the attribute value with now invalid
> reference. This would be probably  more suitable for example for
> references to user objects.
>
> Any comments to these possible approaches are welcome.
>
> Rich, do you think that as an alternative to these 2 approaches,
> memberOf plugin could be eventually modified to do this task?

This is very similar to the referential integrity plugin already in 389, 
except instead of cleaning up references to moved and deleted entries, 
you want it to prevent moving or deleting an entry if that entry is 
referenced by the 
managedby/memberhost/memberuser/memberallowcmd/memberdenycmd of some 
other entry.

Note that the managed entry plugin (mep) already handles this for the 
managedby attribute.

Are you already using the memberof plugin for 
memberhost/memberuser/memberallowcmd/memberdenycmd?

This doesn't seem like a job for memberof, this seems like more of a new 
check for the referential integrity plugin.

>
> Thank you,
> Martin
>

More information about the Freeipa-devel mailing list