From c0630950a170cc9c0fa68256ff606589641bc812 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Wed, 12 Sep 2012 10:00:35 +0200 Subject: Expand Referential Integrity checks Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. Thus, the following indexes are added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin is updated to enforce RI for all these attributes. Unit tests covering RI checks for all these attributes were added as well. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866 --- install/updates/20-indices.update | 68 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) (limited to 'install/updates/20-indices.update') diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update index ecca02766..80ac66c8a 100644 --- a/install/updates/20-indices.update +++ b/install/updates/20-indices.update @@ -26,6 +26,9 @@ default:ObjectClass: nsIndex default:nsSystemIndex: false default:nsIndexType: eq +dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +add:nsIndexType: pres + dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config default:cn: memberUser default:ObjectClass: top @@ -33,6 +36,9 @@ default:ObjectClass: nsIndex default:nsSystemIndex: false default:nsIndexType: eq +dn: cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only: nsIndexType: eq,pres + dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config default:cn: fqdn default:ObjectClass: top @@ -48,3 +54,65 @@ default:ObjectClass: nsIndex default:nsSystemIndex: false default:nsIndexType: eq default:nsIndexType: pres + +dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only: nsIndexType: eq,pres + +dn: cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +only: nsIndexType: eq,pres + +dn: cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: sourcehost +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq +default:nsIndexType: pres + +dn: cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: memberservice +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq +default:nsIndexType: pres + +dn: cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: managedby +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq +default:nsIndexType: pres + +dn: cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: memberallowcmd +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq +default:nsIndexType: pres + +dn: cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: memberdenycmd +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq +default:nsIndexType: pres + +dn: cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipasudorunas +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq +default:nsIndexType: pres + +dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipasudorunasgroup +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +default:nsIndexType: eq +default:nsIndexType: pres -- cgit