OpenLDAP referential integrity

From Zarafa wiki

Revision as of 12:02, 15 November 2012 by Admin (Talk | contribs)

When using an OpenLDAP directory for Zarafa, certain attributes contain a link (a DN) to another object in the directory. Examples of this kind of attribute are zarafaSendAsPrivilege, the group member attribute and zarafaViewPrivilege.

dn: uid=mary,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: Mary Poppins
homeDirectory: /home/mary
mail: mary@example.com
uidNumber: 1001
uid: mary
zarafaAccount: 1
zarafaAdmin: 0
sn: Poppins

dn: uid=john,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: John Doe
homeDirectory: /home/john
mail: john@example.com
uidNumber: 1000
zarafaAliases: j.doe@example.com
zarafaUserServer: node1
uid: john
zarafaAccount: 1
zarafaAdmin: 0
sn: Doe
userPassword: john
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com


In this example Mary has send-as privilege on John, as her DN has been added to the zarafaSendAsPrivilege attribute.

In a default OpenLDAP configuration, removing the user John will leave the DN in the zarafaSendAsPrivilege attribute on the user Mary, so the LDAP directory is polluted with a dangling reference. Likewise, when the username (uid) of John is renamed, the DN entry will not automatically change.


To solve this, the OpenLDAP overlay module refint (referential integrity) can be used.


When using the module, keep in mind that referential integrity only works for attributes whose values are DNs. If zarafaSendAsPrivilege or the group member attribute contains only a username, this module cannot be used for those attributes.


To load and configure the module, add the following lines to the OpenLDAP slapd.conf file.

overlay refint
refint_attributes zarafaSendAsPrivilege zarafaViewPrivilege zarafaAdminPrivilege member
refint_nothing cn=admin,dc=example,dc=com


If all users who are members of a group were removed from the directory, the end result would be a group with a single member: cn=admin,dc=example,dc=com, the DN configured in refint_nothing. This is the refint_nothing parameter kicking into action so that the schema is not violated: some group object classes require at least one member, so the last reference is replaced rather than removed.


Restart the OpenLDAP process to activate the changes.

/etc/init.d/slapd restart


If you are using OpenLDAP with dynamic configuration (cn=config), check the slapd-config manpage for how to enable and configure the module.

After the configuration is done, the behaviour can be tested by renaming the uid of John to something else and checking whether the DN is modified in zarafaSendAsPrivilege on the user Mary. When John is completely deleted from the LDAP directory, the DN referral to John should be removed from the user Mary.
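To audit an existing directory for the stale references described above, for example an LDIF export (slapcat) taken before refint was enabled, the following added script (not part of this wiki page or of Zarafa; standard-library Python, runs offline) parses LDIF and lists every value of the refint_attributes that points at a DN which no longer exists. The sample LDIF embedded in it is constructed for the demonstration.

```python
"""Report dangling DN references in an LDIF export (stdlib only, runs offline)."""
from collections import defaultdict
# The same attributes as in the refint_attributes line above.
REFINT_ATTRIBUTES = ("zarafaSendAsPrivilege", "zarafaViewPrivilege",
                     "zarafaAdminPrivilege", "member")

def normalize_dn(dn):
    """DNs compare case-insensitively; drop whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF parser -> {normalized dn: {attribute (lower-case): [values]}}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]       # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current[0]] = current[1]
            current = None
        elif not line.startswith("#"):     # skip LDIF comments
            name, _, value = line.partition(":")
            if value.startswith(":"):      # base64 ('::') values are not plain DNs
                continue
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                current = (normalize_dn(value), defaultdict(list))
            elif current:
                current[1][name].append(value)
    return entries

def find_dangling(entries):
    """(entry dn, attribute, target) for every reference to a DN that is absent."""
    return [(dn, attr, target) for dn, attrs in entries.items()
            for attr in REFINT_ATTRIBUTES for target in attrs.get(attr.lower(), [])
            if normalize_dn(target) not in entries]

# Constructed sample: the reference to mary resolves; those to uid=bob (deleted) are stale.
SAMPLE_LDIF = """\
dn: uid=mary,ou=People,dc=example,dc=com
uid: mary

dn: uid=john,ou=People,dc=example,dc=com
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com
zarafaSendAsPrivilege: uid=bob,ou=People,dc=example,dc=com

dn: cn=sales,ou=Groups,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com
"""
```

Running find_dangling(parse_ldif(SAMPLE_LDIF)) reports the two stale references to uid=bob; on a real export, each reported line is an entry refint would have cleaned up.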

For more information, see also chapter 12.11 of the OpenLDAP overlay documentation: http://www.openldap.org/doc/admin24/overlays.html
