Commit 49d6b681 authored by Côme Chilliet's avatar Côme Chilliet

feat(core) Add config option to follow wildcard foreign keys

When moving a node with subnodes, like a department, this will use a
 filter like member=* to get references, meaning it will open all groups
 and roles and other objects which may reference DNs to make sure the
 foreign key is applied and the new DN is stored.
This will be slow if there are a lot of those objects.
Impacted fields are member, manager, roleOccupant and owner.
This is needed because they do not allow SUBSTR searches by schema
 definition.

issue #5799
parent b02912ee
......@@ -229,6 +229,12 @@ attributetype ( 1.3.6.1.4.1.38414.8.14.7 NAME 'fdLdapSizeLimit'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.38414.8.14.8 NAME 'fdWildcardForeignKeys'
DESC 'FusionDirectory - Weither or not to enable wildcard searches for foreign keys on dn'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# Login and session
attributetype ( 1.3.6.1.4.1.38414.8.15.1 NAME 'fdLoginAttribute'
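Review bot: The DESC of the new fdWildcardForeignKeys attribute misspells "Whether" as "Weither"; DESC is what schema browsers and documentation generators display, so it is worth fixing before the schema ships: `DESC 'FusionDirectory - Whether or not to enable wildcard searches for foreign keys on dn'`. The second hunk (the fusionDirectoryConf MAY list) only adds the attribute name and needs no change.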
......@@ -548,7 +554,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
fdHandleExpiredAccounts $ fdSaslRealm $ fdSaslExop $
fdForcePasswordDefaultHash $
fdListSummary $
fdModificationDetectionAttribute $ fdLogging $ fdLdapSizeLimit $
fdModificationDetectionAttribute $ fdLogging $ fdLdapSizeLimit $ fdWildcardForeignKeys $
fdLoginAttribute $ fdForceSSL $ fdWarnSSL $ fdStoreFilterSettings $ fdSessionLifeTime $
fdHttpAuthActivated $ fdHttpHeaderAuthActivated $ fdHttpHeaderAuthHeaderName $
fdDisplayErrors $ fdLdapMaxQueryTime $ fdLdapStats $ fdDebugLevel $
......
......@@ -1563,6 +1563,13 @@ class simplePlugin
$ofield = $ref[1];
$filter = $ref[2];
$filtersub = $ref[3];
if ($filtersub == '*') {
if ($config->get_cfg_value('wildcardForeignKeys', 'TRUE') == 'TRUE') {
$filtersub = $ofield.'=*';
} else {
continue;
}
}
if ($class == 'aclAssignment') {
/* Special case: aclAssignment foreignKey is ignored on department types as it’s handled by the aclAssignment objectType */
$objectTypes = array('ACLASSIGNMENT');
......
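Review bot: Both new comparisons in the `if ($filtersub == '*')` block use loose `==`; since `$filtersub` and the config value are strings, `===` states the intent and sidesteps PHP's numeric-string coercion: `if ($filtersub === '*') {` and `if ($config->get_cfg_value('wildcardForeignKeys', 'TRUE') === 'TRUE') {`. The `continue` branch silently drops the foreign key when the option is off, so a comment there would help the next reader, e.g. `/* Wildcard searches disabled: this dn reference cannot be searched for (no SUBSTR match on dn syntax), so it is left unchanged */`. `$ref[3]` is read unconditionally at the top of the hunk while the user plugin previously declared only a two-element `array('user','dn')`; if short forms are not normalised before this point, the `'*'` sentinel is never reached for them, which is worth confirming. If the resulting `member=*`-style search is subject to the configured LDAP size limit, a truncated result set would leave some references un-updated without any error, and that consequence deserves a note here or in the option's description. The enclosing method starts and ends outside the hunk.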
......@@ -38,7 +38,7 @@ class country extends department
'mainAttr' => static::$namingAttr,
)),
'plForeignKeys' => array(
'manager' => 'user'
'manager' => array('user','dn','manager=%oldvalue%','*')
),
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
......
......@@ -39,7 +39,7 @@ class dcObject extends department
'mainAttr' => static::$namingAttr,
)),
'plForeignKeys' => array(
'manager' => 'user'
'manager' => array('user','dn','manager=%oldvalue%','*')
),
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
......
......@@ -45,7 +45,7 @@ class department extends simplePlugin
)
),
'plForeignKeys' => array(
'manager' => 'user'
'manager' => array('user','dn','manager=%oldvalue%','*')
),
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
......
......@@ -39,7 +39,7 @@ class domain extends department
'mainAttr' => static::$namingAttr,
)),
'plForeignKeys' => array(
'manager' => 'user'
'manager' => array('user','dn','manager=%oldvalue%','*')
),
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
......
......@@ -39,7 +39,7 @@ class locality extends department
'mainAttr' => static::$namingAttr,
)),
'plForeignKeys' => array(
'manager' => 'user'
'manager' => array('user','dn','manager=%oldvalue%','*')
),
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
......
......@@ -39,7 +39,7 @@ class organization extends department
'mainAttr' => static::$namingAttr,
)),
'plForeignKeys' => array(
'manager' => 'user'
'manager' => array('user','dn','manager=%oldvalue%','*')
),
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
......
......@@ -186,17 +186,17 @@ class ogroup extends simplePlugin
)),
'plForeignKeys' => array(
'member' => array(
array('user'),
array('ogroup'),
array('application'),
array('serverGeneric'),
array('workstationGeneric'),
array('terminalGeneric'),
array('phoneGeneric'),
array('printGeneric'),
array('user', 'dn','member=%oldvalue%','*'),
  • 🚫 Define a constant instead of duplicating this literal "member=%oldvalue%" 8 times. 📘

array('ogroup', 'dn','member=%oldvalue%','*'),
array('application', 'dn','member=%oldvalue%','*'),
array('serverGeneric', 'dn','member=%oldvalue%','*'),
array('workstationGeneric', 'dn','member=%oldvalue%','*'),
array('terminalGeneric', 'dn','member=%oldvalue%','*'),
array('phoneGeneric', 'dn','member=%oldvalue%','*'),
array('printGeneric', 'dn','member=%oldvalue%','*'),
),
'owner' => array(
array('user'),
array('user','dn','owner=%oldvalue%','*')
)
),
......
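Review bot: Spacing inside the new member tuples is inconsistent — `array('user', 'dn','member=%oldvalue%','*')` has a space after the first comma and none after the others, and the owner tuple below has none at all; the surrounding file uses one space after each comma, so `array('user', 'dn', 'member=%oldvalue%', '*'),` (and likewise for the other seven entries and `'owner'`) would match it. The same mixed spacing appears in the department, country, dcObject, domain, locality, organization, roleGeneric and user hunks.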
......@@ -65,7 +65,7 @@ class roleGeneric extends simplePlugin
)
),
'plForeignKeys' => array(
'roleOccupant' => 'user'
'roleOccupant' => array('user','dn','roleOccupant=%oldvalue%','*')
),
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
......
......@@ -142,6 +142,11 @@ class configInLdap extends simplePlugin
'fdSnapshotBase', FALSE,
'ou=snapshots,'.$config->current['BASE']
),
new BooleanAttribute (
_('Wildcard foreign keys'), _('Enables wildcard searches like member=* when moving a whole departement. This will open all existing groups and roles to make sure foreign keys are respected. Slow on big trees.'),
'fdWildcardForeignKeys', FALSE,
TRUE
),
)
),
'password' => array(
......
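Review bot: The translatable description of the new BooleanAttribute misspells "department" as "departement", and because it is the `_()` source string the typo would be frozen into every translation catalogue; suggested text: `_('Enables wildcard searches like member=* when moving a whole department. This will open all existing groups and roles to make sure foreign keys are respected. Slow on big trees.')`. The description explains the cost of enabling the option but not the cost of disabling it — judging by the `continue` in the simplePlugin hunk, those dn references are then simply not rewritten on a move — so one more sentence, such as "If disabled, member, manager, roleOccupant and owner references are not updated when a department is moved.", would let an administrator make the trade-off knowingly. The default TRUE here matches the `'TRUE'` fallback in simplePlugin, so the two remain consistent.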
......@@ -290,7 +290,7 @@ class user extends simplePlugin
'ou' => get_ou('userRDN'),
)),
'plForeignKeys' => array(
'manager' => array('user','dn')
'manager' => array('user','dn','manager=%oldvalue%','*')
),
'plProvidedAcls' => array_merge(
......
  • SonarQube analysis reported 1 issue

    • 🚫 1 critical

    Watch the comments in this conversation to review them.
