OpenLDAP referential integrity
From Zarafa wiki
When using an OpenLDAP directory for Zarafa, certain attributes contain a link (a DN) to another object in the directory. Examples of this kind of attribute are zarafaSendAsPrivilege, the group member attribute and zarafaViewPrivilege.
dn: uid=mary,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: Mary Poppins
homeDirectory: /home/mary
mail: mary@example.com
uidNumber: 1001
uid: mary
zarafaAccount: 1
zarafaAdmin: 0
sn: Poppins

dn: uid=john,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: John Doe
homeDirectory: /home/john
mail: john@example.com
uidNumber: 1000
zarafaAliases: j.doe@example.com
zarafaUserServer: node1
uid: john
zarafaAccount: 1
zarafaAdmin: 0
sn: Doe
userPassword: john
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com
In this example Mary has send-as privilege on John, because her DN is listed in the zarafaSendAsPrivilege attribute.
In a default OpenLDAP configuration, removing the user john leaves the DN in the zarafaSendAsPrivilege attribute on the user mary, so the directory is polluted with a dangling reference. Likewise, when the username of John is renamed, the DN in the attribute is not updated automatically.
To solve this, the OpenLDAP overlay module refint (referential integrity) can be used.
When using the module, keep in mind that referential integrity only works for attributes whose values are DNs.
If zarafaSendAsPrivilege or the group member attribute contains only a username, this module cannot be used for these attributes.
To load and configure the module, add the following lines to the OpenLDAP slapd.conf file:
overlay refint
refint_attributes zarafaSendAsPrivilege zarafaViewPrivilege zarafaAdminPrivilege member
refint_nothing <string>
For example, if refint_nothing is set to cn=admin,dc=example,dc=com and all users who are members of a group are removed from the directory, the end result is a group with a single member: cn=admin,dc=example,dc=com.
This is the refint_nothing parameter kicking into action, so that an attribute the schema requires (such as member) is never left without a value and the schema is not violated.
Restart the OpenLDAP process to activate the changes:
/etc/init.d/slapd restart
If you are using OpenLDAP with dynamic configuration (cn=config), see the slapd-config manpage for how to load and configure the module.
After the configuration is done, the behaviour can be tested by renaming the uid of John to something else and checking whether the DN in zarafaSendAsPrivilege on the user Mary is modified accordingly. When John is deleted from the LDAP directory altogether, the DN referral to John should be removed from the user Mary.
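As an added example (not code from the Zarafa wiki or from OpenLDAP), the Python below models what the refint overlay does to the entries above on a delete and on a rename, including the refint_nothing substitution, and includes a small audit that finds dangling DN references in an LDIF export, which is the pollution a default configuration leaves behind. The LDIF is constructed from the page's two users, trimmed to the relevant attribute, plus an assumed cn=admin entry; the function names are mine.

```python
# The attributes listed in refint_attributes on this page.
REFINT_ATTRS = {"zarafaSendAsPrivilege", "zarafaViewPrivilege",
                "zarafaAdminPrivilege", "member"}

# Constructed LDIF: the page's two users, trimmed, plus an assumed admin entry.
SAMPLE_LDIF = """\
dn: uid=mary,ou=People,dc=example,dc=com

dn: uid=john,ou=People,dc=example,dc=com
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com

dn: cn=admin,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded, unencoded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def dangling_references(entries):
    """Audit an export: (dn, attr, value) triples that point at a missing DN."""
    return sorted((dn, a, v) for dn, attrs in entries.items()
                  for a in REFINT_ATTRS.intersection(attrs)
                  for v in attrs[a] if v not in entries)

def delete_entry(entries, dn, refint_nothing=None):
    """Delete dn in place the way refint does: strip references to it; if that
    empties an attribute, substitute refint_nothing when set, else drop it."""
    del entries[dn]
    for attrs in entries.values():
        for a in REFINT_ATTRS.intersection(attrs):
            kept = [v for v in attrs[a] if v != dn]
            if kept or refint_nothing:
                attrs[a] = kept or [refint_nothing]
            else:
                del attrs[a]  # LDAP drops an attribute with no values left

def rename_entry(entries, old_dn, new_dn):
    """Modrdn in place the way refint does: move the entry, rewrite references."""
    entries[new_dn] = entries.pop(old_dn)
    for attrs in entries.values():
        for a in REFINT_ATTRS.intersection(attrs):
            attrs[a] = [new_dn if v == old_dn else v for v in attrs[a]]
```

Running dangling_references over an ldapsearch export of the People and Groups subtrees is a quick way to check whether a directory was polluted before the overlay was enabled.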
For more information, see chapter 12.11 of the OpenLDAP overlay documentation: http://www.openldap.org/doc/admin24/overlays.html