Kimmo Koivisto
2006-Nov-13 19:59 UTC
[Fedora-directory-users] Questions about the referential integrity plug-in
Hello

I tried the referential integrity plug-in and it worked as expected with single master environment and groupofnames and groupofuniquenames groups. I read the admin guide but there were some things that I did not fully understand:

1. How about multimaster environment, if I have servers A and B and I enable plug-in to server A. When change is done to the server B, server A should make deletions or modifications to the directory.

But what if the server A is down for maintenance and user is deleted from server B, what happens? Does the server A do anything when it is started after maintenance?

2. How to enable referential integrity to the memberUid attribute? I have user cn=user,c=fi that has uid=user and that user is added to group example so that there is attribute memberUid=user. When user is deleted, uid should be removed from example group. How to achieve this? I tried to add nsslapd-pluginarg7=memberUid to the plugin but it did not work.

I'm testing this with FC4 and FDS 1.0.4.

Best Regards
Kimmo Koivisto
Noriko Hosoi
2006-Nov-13 21:17 UTC
Re: [Fedora-directory-users] Questions about the referential integrity plug-in
This is what we recommend ...
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/modify.html
How Referential Integrity Works
When the Referential Integrity Plug-in (see "Referential Integrity
Postoperation Plug-in," on page 510
<http://www.redhat.com/docs/manuals/dir-server/ag/7.1/plgintro.html#1080987>)
is enabled, it performs integrity updates on specified attributes
immediately after a delete or rename operation. By default, the
Referential Integrity Plug-in is disabled.
Note
The Referential Integrity Plug-in should only be enabled on one supplier
replica in a multi-master replication environment to avoid conflict
resolution loops. When enabling the plug-in on servers issuing chaining
requests, be sure to analyze your performance resource and time needs,
as well as your integrity needs. Integrity checks can be time-consuming
and draining on memory/CPU.
Kimmo Koivisto wrote:
>Hello
>
>I tried the referential integrity plug-in and it worked as expected with
>single master environment and groupofnames and groupofuniquenames groups.
>I read the admin guide but there were some things that I did not fully
>understand:
>
>1. How about multimaster environment, if I have servers A and B and I enable
>plug-in to server A. When change is done to the server B, server A should make
>deletions or modifications to the directory.
>
>But what if the server A is down for maintenance and user is deleted from
>server B, what happens? Does the server A do anything when it is started
>after maintenance?
>
>2. How to enable referential integrity to the memberUid attribute?
>I have user cn=user,c=fi that has uid=user and that user is added to group
>example so that there is attribute memberUid=user.
>When user is deleted, uid should be removed from example group. How to achieve
>this?
>I tried to add nsslapd-pluginarg7=memberUid to the plugin but it did not work.
>
>I'm testing this with FC4 and FDS 1.0.4.
>
>Best Regards
>Kimmo Koivisto
Richard Megginson
2006-Nov-13 21:20 UTC
Re: [Fedora-directory-users] Questions about the referential integrity plug-in
Kimmo Koivisto wrote:
> Hello
>
> I tried the referential integrity plug-in and it worked as expected with
> single master environment and groupofnames and groupofuniquenames groups.
> I read the admin guide but there were some things that I did not fully
> understand:
>
> 1. How about multimaster environment, if I have servers A and B and I enable
> plug-in to server A. When change is done to the server B, server A should make
> deletions or modifications to the directory.
>
No. The referint plug-in will not replicate changes. From referint.c:

    /* this plugin should only execute if the operation was successful
       and this is not a replicated op */
    if(oprc != 0 || isrepop){
        return( 0 );
    }

So you should enable the referint plug-in on all servers.

> But what if the server A is down for maintenance and user is deleted from
> server B, what happens? Does the server A do anything when it is started
> after maintenance?
>
Once the server is restarted it will attempt to resync with the other server. Both the external deletion and the internal modification operation will be replicated to the other server.

> 2. How to enable referential integrity to the memberUid attribute?
> I have user cn=user,c=fi that has uid=user and that user is added to group
> example so that there is attribute memberUid=user.
>
Is the value of memberUid the full DN of the user or just the userid? I don't think it will work, in either case. If it is the full DN, then the syntax definition is not correct - memberUid has SYNTAX for case sensitive string, but it would need to have 1.3.6.1.4.1.1466.115.121.1.12 distinguished name in order for equality searches to work correctly. If memberUid is just the user id, then referential integrity won't work because it was only designed to deal with DN valued attributes, such as member, uniquemember, owner, and seeAlso.

I think you would have to change the referential integrity code to use attributes other than the DN to look up the entries to change the references to.

> When user is deleted, uid should be removed from example group. How to achieve
> this?
> I tried to add nsslapd-pluginarg7=memberUid to the plugin but it did not work.
>
> I'm testing this with FC4 and FDS 1.0.4.
>
> Best Regards
> Kimmo Koivisto
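Added example, not part of the thread and not Fedora Directory Server code: since the reply above says the plug-in only handles DN-valued attributes, an external audit can catch memberUid values left behind after a user is deleted, which matters because a later account created with the same uid would otherwise inherit the old group memberships. The group DNs under ou=groups, the uid olduser and the sample export are constructed for illustration, and the parser assumes simple LDIF without folded or base64-encoded lines.

```python
# Added example: find memberUid values with no matching user entry and build
# the LDIF to remove them. SAMPLE_LDIF is constructed, not from a real server.
SAMPLE_LDIF = """\
dn: cn=user,c=fi
objectClass: posixAccount
uid: user

dn: cn=example,ou=groups,c=fi
objectClass: posixGroup
cn: example
memberUid: user
memberUid: olduser

dn: cn=staff,ou=groups,c=fi
objectClass: posixGroup
cn: staff
memberUid: olduser
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into (dn, attrs) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries.append((attrs["dn"][0], attrs))
    return entries

def stale_member_uids(entries):
    """Map group DN -> memberUid values that match no uid in the export."""
    # memberUid is a case-sensitive string, so values are compared exactly.
    live = {u for _, a in entries for u in a.get("uid", [])}
    stale = {}
    for dn, a in entries:
        missing = [m for m in a.get("memberuid", []) if m not in live]
        if missing:
            stale[dn] = missing
    return stale

def cleanup_ldif(stale):
    """Render ldapmodify input that deletes only the stale values."""
    out = []
    for dn, uids in sorted(stale.items()):
        out.append(f"dn: {dn}\nchangetype: modify\ndelete: memberUid\n"
                   + "".join(f"memberUid: {u}\n" for u in uids))
    return "\n".join(out)

if __name__ == "__main__":
    print(cleanup_ldif(stale_member_uids(parse_ldif(SAMPLE_LDIF))))
```

The generated records are meant to be reviewed before being applied; the export must cover every suffix that holds user entries, or live accounts will be reported as stale.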