[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks

Martin Kosek mkosek at redhat.com
Wed Sep 12 12:08:17 UTC 2012


To test, add sudo commands, hosts or users to a sudo rule or HBAC rule and then
rename or delete the linked object. After the update, the links should be amended.

---------

Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked object is deleted or
renamed, the attribute pointing to it stays with the object and
thus may create a dangling link causing issues in client software
reading the data.

Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.

As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. The following indexes
have been added:
  * manager (pres index only)
  * secretary (pres index only)
  * memberHost
  * memberUser
  * sourcehost
  * memberservice
  * managedby
  * memberallowcmd
  * memberdenycmd
  * ipasudorunas
  * ipasudorunasgroup

The Referential Integrity plugin was updated to check all these
attributes.

Note: this update will only fix RI on one master, as the RI plugin does
not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866

-- 
Martin Kosek <mkosek at redhat.com>
Senior Software Engineer - Identity Management Team
Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-305-add-attributeTypes-to-safe-schema-updater.patch
Type: text/x-patch
Size: 6467 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120912/054a3f33/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-306-amend-memberallowcmd-and-memberdenycmd-attribute-typ.patch
Type: text/x-patch
Size: 4864 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120912/054a3f33/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-307-run-index-task-in-ldap-updater-only-when-needed.patch
Type: text/x-patch
Size: 2813 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120912/054a3f33/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-308-expand-referential-integrity-checks.patch
Type: text/x-patch
Size: 11193 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120912/054a3f33/attachment-0003.bin>
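The behaviour the patch series relies on, as an added example that is not part of the original mail, the patches, or FreeIPA/389-ds code: a small in-memory model of the referential-integrity fix-up (DEL drops links to the deleted entry, MODRDN rewrites them) over the attribute list from the mail, plus the dangling-link audit that is still needed on every master because replicated DEL/MODRDN operations are not checked by the plugin. The LDIF sample, DNs and `ipaUniqueID` values are constructed; DN normalisation is deliberately simplified (lowercasing and trimming around separators, no RFC 4514 escape handling) and the LDIF reader handles neither base64 values nor folded lines.

```python
"""Dangling-link audit and RI fix-up over a constructed IPA-like snapshot.
Added example only; not FreeIPA or 389-ds code."""
from __future__ import annotations

import re

# Attributes the patch series puts under RI control (manager and secretary
# were already covered; the rest are the newly added ones from the mail).
RI_ATTRS = (
    "manager", "secretary", "memberhost", "memberuser", "sourcehost",
    "memberservice", "managedby", "memberallowcmd", "memberdenycmd",
    "ipasudorunas", "ipasudorunasgroup",
)

Directory = dict[str, dict[str, list[str]]]  # normalised DN -> {attr -> values}


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation (assumption: no escaped commas in RDNs)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def load_ldif(text: str) -> Directory:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    dirmap: Directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, entry = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = norm_dn(value)
            else:
                entry.setdefault(attr, []).append(value)
        if dn is None:
            raise ValueError("entry without dn: %r" % block)
        dirmap[dn] = entry
    return dirmap


def find_dangling(d: Directory, attrs=RI_ATTRS) -> list[tuple[str, str, str]]:
    """(entry DN, attribute, target DN) for every link whose target does not exist.
    This is the audit to run on each master: the RI plugin only repairs links for
    DEL/MODRDN operations it sees locally, not for replicated ones."""
    return [(dn, attr, target)
            for dn, entry in d.items()
            for attr in attrs
            for target in entry.get(attr, [])
            if norm_dn(target) not in d]


def apply_delete(d: Directory, dn: str, attrs=RI_ATTRS) -> int:
    """DEL with RI: remove the entry and every RI-controlled link pointing at it.
    Returns the number of link values removed."""
    key = norm_dn(dn)
    del d[key]
    removed = 0
    for entry in d.values():
        for attr in attrs:
            if attr in entry:
                kept = [v for v in entry[attr] if norm_dn(v) != key]
                removed += len(entry[attr]) - len(kept)
                if kept:
                    entry[attr] = kept
                else:
                    del entry[attr]  # no empty attributes left behind
    return removed


def apply_modrdn(d: Directory, old_dn: str, new_dn: str, attrs=RI_ATTRS) -> int:
    """MODRDN with RI: move the entry and rewrite every link to the new DN.
    Returns the number of link values rewritten (subtree moves not modelled)."""
    old = norm_dn(old_dn)
    d[norm_dn(new_dn)] = d.pop(old)
    rewritten = 0
    for entry in d.values():
        for attr in attrs:
            for i, v in enumerate(entry.get(attr, [])):
                if norm_dn(v) == old:
                    entry[attr][i] = new_dn
                    rewritten += 1
    return rewritten


# Constructed sample: one user, one host (managedBy points at a host that was
# never created), one sudo command, one sudo rule and one HBAC rule whose
# memberService points at a service that does not exist.
SAMPLE_LDIF = """
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: web1.example.com
managedBy: fqdn=admin1.example.com,cn=computers,cn=accounts,dc=example,dc=com

dn: ipaUniqueID=cmd-0001,cn=sudocmds,cn=sudo,dc=example,dc=com
sudoCmd: /sbin/service httpd restart

dn: ipaUniqueID=rule-0001,cn=sudorules,cn=sudo,dc=example,dc=com
cn: restart-httpd
memberUser: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberHost: fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com
memberAllowCmd: ipaUniqueID=cmd-0001,cn=sudocmds,cn=sudo,dc=example,dc=com

dn: ipaUniqueID=hbac-0001,cn=hbac,dc=example,dc=com
cn: allow-ssh
memberUser: uid=alice,cn=users,cn=accounts,dc=example,dc=com
memberHost: fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=example,dc=com
"""

HOSTS = "cn=computers,cn=accounts,dc=example,dc=com"


def demo() -> dict:
    """Run the scenario from the mail: delete a sudo command, rename a host."""
    d = load_ldif(SAMPLE_LDIF)
    before = find_dangling(d)
    removed = apply_delete(d, "ipaUniqueID=cmd-0001,cn=sudocmds,cn=sudo,dc=example,dc=com")
    rewritten = apply_modrdn(d, "fqdn=web1.example.com," + HOSTS,
                             "fqdn=web2.example.com," + HOSTS)
    return {
        "dangling_before": before,
        "links_removed_on_delete": removed,
        "links_rewritten_on_rename": rewritten,
        "sudo_rule": d["ipauniqueid=rule-0001,cn=sudorules,cn=sudo,dc=example,dc=com"],
        "dangling_after": find_dangling(d),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The two links that were dangling before the operations are still dangling afterwards: the RI plugin only reacts to operations it processes, so an audit like `find_dangling` (in practice an `ldapsearch` per RI attribute followed by a base-scope lookup of each value) is what catches links broken by replicated deletes and renames, or by data that predates the plugin configuration.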

