OpenLDAP referential integrity
From Zarafa wiki
When using an OpenLDAP directory for Zarafa, certain attributes contain a link (a DN) to another object in the directory. Examples of this kind of attribute are zarafaSendAsPrivilege, the group member attribute and zarafaViewPrivilege.
dn: uid=mary,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: Mary Poppins
homeDirectory: /home/mary
mail: [email protected]
uidNumber: 1001
uid: mary
zarafaAccount: 1
zarafaAdmin: 0
sn: Poppins

dn: uid=john,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: top
objectClass: zarafa-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: John Doe
homeDirectory: /home/john
mail: [email protected]
uidNumber: 1000
zarafaAliases: [email protected]
zarafaUserServer: node1
uid: john
zarafaAccount: 1
zarafaAdmin: 0
sn: Doe
userPassword: john
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com
In this example the user "mary" has send-as privilege on John, because Mary's DN is listed in the zarafaSendAsPrivilege attribute.
In a default OpenLDAP configuration, removing the user john leaves that DN behind in the zarafaSendAsPrivilege attribute on the user mary, so the LDAP directory is polluted with a dangling reference. Likewise, when the username of John is renamed, the DN stored in the attribute is not updated automatically.
To fix this behaviour, the OpenLDAP referential integrity overlay "refint" can be used.
Keep in mind that referential integrity only works for attributes whose values are DNs. If zarafaSendAsPrivilege or the group member attribute only contains a username, this module can NOT be used for those attributes.
To load and configure the module, add the following lines to the database section of the OpenLDAP slapd.conf file (after the database directive), replacing <string> with the placeholder DN that refint should substitute when it would otherwise have to remove the last value of a mandatory attribute, for example cn=admin,dc=example,dc=com. If your slapd build ships the overlays as dynamic modules (as most distribution packages do), the module must additionally be loaded with a moduleload refint line in the global section.
overlay refint
refint_attributes zarafaSendAsPrivilege zarafaViewPrivilege zarafaAdminPrivilege member
refint_nothing <string>
If we removed every user from the directory that is a member of a group, the end result would be a group with a single member: cn=admin,dc=example,dc=com. This is the refint_nothing parameter kicking into action: rather than deleting the last member value, which the group's object class requires to be present, refint substitutes the placeholder DN so that the schema is not violated.
Restart the OpenLDAP process to activate the changes.
If you are using OpenLDAP with dynamic configuration (cn=config), please check the slapd-config manpage for how to load the module and configure it.
After the configuration is done, the behaviour can be tested by renaming the uid of John to something else and checking whether the DN in zarafaSendAsPrivilege on the user Mary is modified accordingly. When John is completely deleted from the LDAP directory, the DN reference to John should be removed from the user Mary.
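refint only acts on delete and rename operations that happen after it is enabled; references that were already dangling before that stay in the directory. The following script, added here as an example and not part of the original wiki page or of Zarafa, audits a slapcat-style LDIF export for DN values in the refint_attributes listed above that point to entries no longer present. The sample export is constructed for the example; the function and attribute names are the author's own.

```python
import base64
import re
from collections import defaultdict

# DN-valued attributes, mirroring the refint_attributes line above.
REFINT_ATTRIBUTES = ("zarafaSendAsPrivilege", "zarafaViewPrivilege",
                     "zarafaAdminPrivilege", "member")

def normalize_dn(dn):
    # Lower-case and strip spaces around "," and "=" so DNs compare equal.
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_ldif(text):
    # {normalized dn: {lowercase attr: [values]}}; folds joined, base64 decoded.
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attr, value = attr.lower(), value.strip()
            if attr == "dn":
                current = defaultdict(list)
                entries[normalize_dn(value)] = current
            elif current is not None:
                current[attr].append(value)
    return entries

def find_dangling_references(text, attributes=REFINT_ATTRIBUTES):
    # [(normalized entry dn, attribute, referenced dn)] for absent targets.
    entries = parse_ldif(text)
    return [(dn, attr, value)
            for dn, attrs in entries.items()
            for attr in attributes
            for value in attrs.get(attr.lower(), [])
            if normalize_dn(value) not in entries]

# Constructed sample export: "mary" was deleted while refint was not active.
SAMPLE_LDIF = """\
dn: uid=john,ou=People,dc=example,dc=com
zarafaSendAsPrivilege: uid=mary,ou=People,dc=example,dc=com

dn: cn=sales,ou=Groups,dc=example,dc=com
member: uid=john,ou=People,dc=example,dc=com
member: uid=mary, ou=People,
  dc=example, dc=com
"""
```

Run it against the output of slapcat on the real directory; every reported tuple is a reference refint would have cleaned up had it been active, and must be fixed by hand.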
For more information, see also chapter 12.11 of the OpenLDAP overlay documentation: http://www.openldap.org/doc/admin24/overlays.html