
I am using OpenLDAP as LDAP server and UnboundID to interact with it through Java code. I need to handle the removal of a certain instance X of an Entity A on which several other instances Y1, .. Yn of an Entity B are logically linked. This means that I first need to remove all the instances of B (Y1, ... Yn) and after this I want to also remove X. I want to be able to use a transaction to do that, in order to abort the transaction if something goes wrong while removing one of Y1,..Yn and have the possibility to roll back. I tried following the following example:

https://www.unboundid.com/products/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/extensions/StartTransactionExtendedRequest.html

What I got, though, is an LDAPException saying that the extended operation is unsupported. How can I handle transactions? I think that OpenLDAP does support transactions...

Terry Gardner
Raffo

2 Answers


I'm not really up to date with the latest on OpenLDAP, but the last I heard was that OpenLDAP had not yet added support for LDAP transactions as described in RFC 5805. However, you should be able to check this by looking at the OpenLDAP root DSE. In the UnboundID LDAP SDK for Java, you can do that with code like:

    RootDSE rootDSE = ldapConnection.getRootDSE();
    boolean supportsTransactions = rootDSE.supportsExtendedOperation(
        StartTransactionExtendedRequest.START_TRANSACTION_REQUEST_OID);

If the OpenLDAP server doesn't yet support transactions, then there may not be anything you can do to make it really atomic and able to roll back if a problem is encountered. If OpenLDAP supports the experimental LDAP no-operation control (and I think that it does), then you could use the com.unboundid.ldap.sdk.experimental.DraftZeilengaLDAPNoOp12RequestControl class to include that in delete requests to see if the server would accept deleting all of the entries, and then only go ahead with the delete if it looks like they will all be successful. Otherwise, you could keep a log in your application so that in the event of a failure you could report what was deleted and what wasn't.

Neil

Neil Wilson
  • I tried with the DraftZeilengaLDAPNoOp12RequestControl, but I got the error: resultCode=12 (unavailable critical extension), errorMessage='critical extension is not recognized'... I think it is not supported, I'll have to stick with the "manual" log based solution. – Raffo Jul 06 '12 at 08:21
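
The approach discussed in this answer and its comment, as an added example that is not code from either poster or from the UnboundID project: ask the root DSE whether the no-op control is advertised before sending it (an unadvertised critical control is rejected with resultCode=12), dry-run the deletes when it is, then delete Y1..Yn followed by X while recording what was removed. The class and method names are hypothetical, and it assumes an already-bound connection and that the account entries are not subordinates of the user entry.

```java
import com.unboundid.ldap.sdk.*;
import com.unboundid.ldap.sdk.experimental.DraftZeilengaLDAPNoOp12RequestControl;
import java.util.ArrayList;
import java.util.List;

public final class CascadeDelete { // hypothetical helper, not part of the SDK

  /** Dry run: true if the server reports that deleting dn would succeed. */
  static boolean wouldSucceed(LDAPConnection conn, String dn) {
    DeleteRequest probe = new DeleteRequest(dn);
    probe.addControl(new DraftZeilengaLDAPNoOp12RequestControl());
    try {
      return conn.delete(probe).getResultCode() == ResultCode.NO_OPERATION;
    } catch (LDAPException e) {
      return e.getResultCode() == ResultCode.NO_OPERATION;
    }
  }

  /**
   * Deletes accountDNs (Y1..Yn) and then userDN (X). Returns the DNs actually
   * deleted, in order; fewer than accountDNs.size() + 1 means a partial delete
   * that the caller must report or repair.
   */
  public static List<String> deleteUserAndAccounts(LDAPConnection conn,
      String userDN, List<String> accountDNs) throws LDAPException {
    List<String> order = new ArrayList<>(accountDNs);
    order.add(userDN); // X goes last, after everything that refers to it
    RootDSE rootDSE = conn.getRootDSE();
    boolean noOpAdvertised = rootDSE != null && rootDSE.supportsControl(
        DraftZeilengaLDAPNoOp12RequestControl.NO_OP_REQUEST_OID);
    List<String> deleted = new ArrayList<>();
    if (noOpAdvertised) {
      // The dry run is a check, not a lock: entries can still change before
      // the real deletes, so the log below is kept in either case.
      for (String dn : order) {
        if (!wouldSucceed(conn, dn)) return deleted; // nothing was touched
      }
    }
    for (String dn : order) {
      try {
        conn.delete(dn);
        deleted.add(dn);
      } catch (LDAPException e) {
        System.err.println("cascade delete stopped at " + dn + ": " + e.getResultCode());
        break; // leave the remaining entries, X included, in place
      }
    }
    return deleted;
  }
}
```

Because X is deleted last, a failure part-way through leaves the user entry present with some accounts removed, never accounts left behind for a user that no longer exists.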

You shouldn't have to do this sort of thing at all. The OpenLDAP 'refint' referential integrity module can do the secondary deletions for you if you tell it to maintain referential integrity on those attributes, so all you have to do is the primary delete.

user207421
  • So, using the "refint" referential integrity module I can avoid the secondary deletions and, most of all, be sure that if the primary delete is executed all the relative ones will be executed? – Raffo Jul 09 '12 at 08:47
  • BTW, I checked the refint module and I found that it doesn't solve the problem. In fact, if I remove one entry the refint module can update the field in the entry that refer to the entry removed, but this is not enough to implement the behaviour I was looking for. In particular, it doesn't seem possible to me to remove N entries in cascade as a consequence of the removal of another entry. – Raffo Jul 10 '12 at 10:06
  • @Raffo So you want to remove the referring entries themselves? – user207421 Jul 10 '12 at 10:09
  • Yes, that's the idea. I have one entry (X) and the removal of this entry should remove all the "linked" entries (Yi). In particular, X represents a user of the system and Yi are user accounts, and I need to handle the operation during which an account relevant to the user is removed... – Raffo Jul 10 '12 at 10:14
  • @Raffo You're out of luck. OpenLDAP does not support transactions until version 2.5, see the [Roadmap](http://www.openldap.org/software/roadmap.html). – user207421 Jul 11 '12 at 01:12