[Freeipa-devel] Ticket #2866 - referential integrity in IPA

Martin Kosek (mkosek at redhat.com)
Fri Aug 17 13:44:49 UTC 2012
Hi guys,
I am now investigating ticket #2866:
https://fedorahosted.org/freeipa/ticket/2866
And I am thinking about possible solutions for this problem. In a
nutshell, we do not properly check referential integrity in some IPA
objects where we keep one-way DN references to other objects, e.g. in
- managedBy attribute for a host object
- memberhost attribute for HBAC rule object
- memberuser attribute for user object
- memberallowcmd or memberdenycmd for SUDO command object (reported in #2866)
...
Currently, I see 2 approaches to solve this:
1) Add relevant checks to our ipalib plugins where problematic
operations with these operations are being executed (like we do for
selinuxusermap's seealso attribute in HBAC plugin)
This of course would not prevent direct LDAP deletes.
2) Implement a preop DS plugin that would hook to MODRDN and DELETE
callbacks and check that this object's DN is not referenced in other
objects, and if it is, it would reject such a modification. A second
option would be to delete the attribute value with the now invalid
reference. This would probably be more suitable, for example, for
references to user objects.
Any comments on these possible approaches are welcome.
Rich, do you think that as an alternative to these 2 approaches,
memberOf plugin could be eventually modified to do this task?
Thank you,
Martin
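The two behaviours discussed in the mail (reject the DELETE/MODRDN while references exist, or clean up the now-invalid values) can be prototyped against an in-memory model before anything is written as a 389-ds preop plugin. The following is an added example, not FreeIPA or 389-ds code: a tiny DN-keyed store with a `find_references` scan over the attributes named in the mail, a `delete` that applies either policy, and a `modrdn` that rewrites references so a rename never leaves a dangling DN. The entry names and DNs in `SAMPLE` are constructed for the example.

```python
"""Added example (not FreeIPA or 389-ds code): an in-memory model of the
referential-integrity check a preop DELETE/MODRDN hook would perform.
Attribute names come from the mail; all entries and DNs are constructed."""
from copy import deepcopy

# One-way DN-valued attributes that can end up holding dangling references.
REF_ATTRS = ("managedby", "memberhost", "memberuser",
             "memberallowcmd", "memberdenycmd")


class ReferentialIntegrityError(Exception):
    """Raised when an operation would leave a dangling DN reference."""


def _norm(dn):
    # DNs compare case-insensitively; also drop whitespace around RDN separators.
    return ",".join(p.strip().lower() for p in dn.split(","))


class Directory:
    """Map of normalized DN -> {attr: [values]}, standing in for the LDAP backend."""

    def __init__(self, entries):
        self.entries = {_norm(dn): deepcopy(attrs) for dn, attrs in entries.items()}

    def find_references(self, dn):
        """Return [(referrer_dn, attr)] for every attribute that points at dn."""
        target = _norm(dn)
        hits = []
        for other_dn, attrs in self.entries.items():
            if other_dn == target:
                continue
            for attr in REF_ATTRS:
                if any(_norm(v) == target for v in attrs.get(attr, [])):
                    hits.append((other_dn, attr))
        return hits

    def delete(self, dn, policy="reject"):
        """Preop-style DELETE. 'reject' refuses while references exist;
        'cleanup' strips the now-invalid values first. Returns the number
        of referencing attributes that were found."""
        target = _norm(dn)
        if target not in self.entries:
            raise KeyError(dn)
        refs = self.find_references(dn)
        if refs and policy == "reject":
            raise ReferentialIntegrityError(
                f"{dn} is still referenced by {len(refs)} attribute(s): {refs}")
        for other_dn, attr in refs:
            self.entries[other_dn][attr] = [
                v for v in self.entries[other_dn][attr] if _norm(v) != target]
        del self.entries[target]
        return len(refs)

    def modrdn(self, old_dn, new_dn):
        """Preop-style MODRDN: rewrite every reference to old_dn as new_dn so the
        rename cannot produce a dangling value. Returns the number of
        attributes now pointing at new_dn."""
        old, new = _norm(old_dn), _norm(new_dn)
        if old not in self.entries:
            raise KeyError(old_dn)
        if new in self.entries:
            raise ValueError(f"{new_dn} already exists")
        for other_dn, attr in self.find_references(old_dn):
            self.entries[other_dn][attr] = [
                new_dn if _norm(v) == old else v
                for v in self.entries[other_dn][attr]]
        self.entries[new] = self.entries.pop(old)
        return len(self.find_references(new_dn))


# Constructed sample data: a user, two hosts, an HBAC rule, a sudo command
# and a sudo rule referencing it.
USER = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
WEB = "fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test"
ADMIN = "fqdn=admin1.example.test,cn=computers,cn=accounts,dc=example,dc=test"
HBAC = "cn=allow_ssh,cn=hbac,dc=example,dc=test"
CMD = "cn=ls,cn=sudocmds,cn=sudo,dc=example,dc=test"
RULE = "cn=admins_sudo,cn=sudorules,cn=sudo,dc=example,dc=test"
SAMPLE = {
    USER: {"uid": ["alice"]},
    WEB: {"managedby": [ADMIN]},
    ADMIN: {},
    HBAC: {"memberuser": [USER], "memberhost": [WEB]},
    CMD: {"sudocmd": ["/bin/ls"]},
    RULE: {"memberallowcmd": [CMD]},
}


def demo():
    """Exercise both policies and a rename; return what each operation did."""
    d = Directory(SAMPLE)
    rejected = False
    try:
        d.delete(CMD)                      # default policy: refuse
    except ReferentialIntegrityError:
        rejected = True
    cleaned = d.delete(CMD, policy="cleanup")   # strip memberallowcmd, then delete
    new_user = USER.replace("uid=alice", "uid=alice2")
    rewritten = d.modrdn(USER, new_user)
    return {"rejected": rejected, "cleaned": cleaned, "rewritten": rewritten,
            "rule_allowcmd": d.entries[_norm(RULE)]["memberallowcmd"],
            "hbac_memberuser": d.entries[_norm(HBAC)]["memberuser"]}


if __name__ == "__main__":
    print(demo())
```

The `reject` policy corresponds to the first variant of approach 2 in the mail and is the safer default for rules (an HBAC or sudo rule silently losing a member is a policy change nobody reviewed); `cleanup` matches the second variant and fits user objects, where a stale DN after an account deletion is simply noise. Either way, the scan in `find_references` is a full sweep here; in a real plugin it would be an indexed equality search on each referencing attribute.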