OpenLDAP referential integrity
From Zarafa wiki
Latest revision as of 12:18, 15 November 2012
When using an OpenLDAP directory for Zarafa, certain attributes contain a link (a DN) to another object in the directory. Examples of this kind of attribute are zarafaSendAsPrivilege, the group member attribute and zarafaViewPrivilege.
<pre>
dn: uid=mary,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: Mary Poppins
homeDirectory: /home/mary
mail: mary@example.com
uidNumber: 1001
uid: mary
zarafaAccount: 1
zarafaAdmin: 0
sn: Poppins

dn: uid=john,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: John Doe
homeDirectory: /home/john
mail: john@example.com
uidNumber: 1000
zarafaAliases: j.doe@example.com
zarafaUserServer: node1
uid: john
zarafaAccount: 1
zarafaAdmin: 0
sn: Doe
userPassword: john
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com
</pre>
In this example the user "mary" has sendas privilege on John, because her DN is stored in the zarafaSendAsPrivilege attribute.
In a default OpenLDAP configuration, removing the user john leaves the DN in the zarafaSendAsPrivilege attribute on the user mary, so the LDAP directory is polluted with a dangling reference. Likewise, when the username of John is renamed, the DN entry does not change automatically.
To solve this behaviour the OpenLDAP overlay module "Refint" (referential integrity) can be used.
When using the module it is important to keep in mind that referential integrity only works for attributes whose values are DNs.
If the zarafaSendAsPrivilege or group member attribute only contains a username rather than a DN, this module can NOT be used for that attribute.
To load and configure the module, add the following lines to the OpenLDAP slapd.conf file.
<pre>
overlay refint
refint_attributes zarafaSendAsPrivilege zarafaViewPrivilege zarafaAdminPrivilege member
# DN written in place of the last value when it would otherwise be removed
refint_nothing cn=admin,dc=example,dc=com
</pre>
If all users that are members of a group were removed from the directory, the end result would be a single member in the group: cn=admin,dc=example,dc=com.
This is the refint_nothing parameter kicking into action, so that the schema is not violated by a group whose member attribute would otherwise be left without any value.
Restart the OpenLDAP process to activate the changes.
<pre>
/etc/init.d/slapd restart
</pre>
If you are using an OpenLDAP installation with dynamic configuration (cn=config), please check the slapd-config manpage for how to enable the module and configure it.
After the configuration is done, the behaviour can be tested by renaming the uid of John to something else and checking whether the DN is modified in zarafaSendAsPrivilege on the user Mary. When John is completely deleted from the LDAP directory, the DN referral to John should be removed on the user Mary.
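The rename-and-delete check just described, as an added illustration that is not code from the Zarafa wiki or from OpenLDAP: a small Python model of the refint behaviour configured above (same attribute list, refint_nothing assumed to be cn=admin,dc=example,dc=com), run over the two entries shown earlier (attributes abridged) plus a constructed group entry.

```python
# Added example (not Zarafa wiki or OpenLDAP code): an in-memory model of what the
# refint overlay does on rename (modrdn) and delete. The LDIF below is constructed.
LDIF = """\
dn: uid=mary,ou=People,dc=example,dc=com
uid: mary
dn: uid=john,ou=People,dc=example,dc=com
uid: john
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com
dn: cn=users,ou=Groups,dc=example,dc=com
member: uid=john,ou=People,dc=example,dc=com
"""
REFINT_ATTRIBUTES = {"zarafaSendAsPrivilege", "zarafaViewPrivilege", "member"}
REFINT_NOTHING = "cn=admin,dc=example,dc=com"  # assumed value of refint_nothing

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple LDIF without line continuations."""
    tree, entry = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":
            entry = tree.setdefault(value, {})
        elif entry is not None and attr:
            entry.setdefault(attr, []).append(value)
    return tree

def _fix_references(tree, old_dn, new_dn):
    """Rewrite (or drop, when new_dn is None) every reference to old_dn in the
    configured DN attributes; refint_nothing stands in for the last value."""
    for entry in tree.values():
        for attr in REFINT_ATTRIBUTES.intersection(entry):
            vals = [new_dn if v == old_dn else v for v in entry[attr]]
            entry[attr] = [v for v in vals if v is not None] or [REFINT_NOTHING]

def rename_entry(tree, dn, new_rdn):
    """modrdn under the same parent; the naming attribute follows the new RDN."""
    new_dn = new_rdn + "," + dn.split(",", 1)[1]
    tree[new_dn] = tree.pop(dn)
    attr, _, value = new_rdn.partition("=")
    tree[new_dn][attr] = [value]
    _fix_references(tree, dn, new_dn)
    return new_dn

def delete_entry(tree, dn):
    tree.pop(dn)
    _fix_references(tree, dn, None)  # no dangling DN is left behind

def demo():
    tree = parse_ldif(LDIF)
    rename_entry(tree, "uid=mary,ou=People,dc=example,dc=com", "uid=mpoppins")
    sendas = tree["uid=john,ou=People,dc=example,dc=com"]["zarafaSendAsPrivilege"]
    delete_entry(tree, "uid=john,ou=People,dc=example,dc=com")
    return sendas, tree["cn=users,ou=Groups,dc=example,dc=com"]["member"]
```

demo() returns the updated zarafaSendAsPrivilege value after the rename and the group's member list after the delete, which has collapsed to the refint_nothing DN exactly as the text above describes.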
For more information, see also the OpenLDAP overlay document http://www.openldap.org/doc/admin24/overlays.html in chapter 12.11.