20070326 referential integrity - plembo/onemoretech GitHub Wiki

title: Referential Integrity
link: https://onemoretech.wordpress.com/2007/03/26/referential-integrity/
author: lembobro
description:
post_id: 733
created: 2007/03/26 20:50:00
created_gmt: 2007/03/26 20:50:00
comment_status: open
post_name: referential-integrity
status: publish
post_type: post

Referential Integrity

Referential integrity is one of those essential functions that every directory needs, but on whose implementation there is no agreement among directory product vendors. The main use of referential integrity is to make sure that the user DNs listed in groups actually exist in the directory. Without referential integrity a user could be deleted, but the reference to their entry in a particular group (say, “cn=Administrators”) would not be. This would be characterized as “A BAD THING™” by most directory admins.

Recognizing the need for such a feature, Netscape included a “referential integrity postoperation plugin” in all of its directory products from at least iPlanet 4. This plugin has survived to this day in both the latest Sun and Red Hat/Fedora Directory products (see the Red Hat Directory Administrator’s Guide). It is disabled by default, but preconfigured to check the uniquemember and member attributes. It can be enabled and reconfigured through the GUI directory console or by editing dse.ldif under the directory server root. Once enabled, the plugin is invoked whenever an entry is deleted from the directory. You do take a performance hit with this feature turned on, which is probably the reason for shipping it disabled (you wouldn’t want to unnecessarily hurt benchmark performance, never mind how unreal-world the shipping configuration is — kudos to the Fedora Directory team for finally ridding their product of the allidsthreshold).
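An added example, not from the original post: a small offline audit in Python that scans an LDIF export for the stale group references the plugin is meant to prevent, checking the same member and uniquemember attributes. The sample LDIF and the entry names in it are constructed for the example.

```python
import re
from collections import defaultdict

# Membership attributes the Red Hat/Fedora plugin is preconfigured to check.
DEFAULT_MEMBER_ATTRS = ("member", "uniquemember")

# Constructed sample export: alice and bob exist, carol has been deleted, but
# the group still lists her DN, which is the stale reference described above.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: cn=Administrators,ou=Groups,dc=example,dc=com
cn: Administrators
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com
uniqueMember: uid=carol,ou=People,dc=example,dc=com
"""

def normalize_dn(dn):
    """Case-fold and strip whitespace around RDNs (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Return {normalized_dn: {attr_lower: [values]}} from a plain LDIF dump."""
    entries = {}
    unfolded = re.sub(r"\n ", "", text)            # join LDIF-folded lines
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = defaultdict(list)
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):              # base64 value; not a DN we check
                continue
            attrs[name.strip().lower()].append(value.strip())
        if attrs.get("dn"):
            entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries

def find_dangling_references(entries, member_attrs=DEFAULT_MEMBER_ATTRS):
    """List (group_dn, attribute, missing_dn) for member values with no entry."""
    dangling = []
    for dn, attrs in entries.items():
        for attr in member_attrs:
            for value in attrs.get(attr, []):
                if normalize_dn(value) not in entries:
                    dangling.append((dn, attr, normalize_dn(value)))
    return sorted(dangling)

if __name__ == "__main__":
    for group, attr, missing in find_dangling_references(parse_ldif(SAMPLE_LDIF)):
        print(f"{group}: {attr} -> {missing} (no such entry)")
```

Run it against a real `ldif` export to find references the server never cleaned up before turning the plugin on.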

Oracle also provides a referential integrity solution. The instructions for enabling and configuring it are contained in the Oracle Internet Directory Administrator’s Guide. The procedure detailed there steps you through the process of editing and compiling a Java object and modifying directory entries to enable the feature. It then shows how to edit a script file and run it against the underlying Oracle database. Finally, the manual recommends running the process at frequent intervals via cron or some other scheduler.

Comparing this to the Netscape/Red Hat/Fedora facility, the first word that came to mind was:

P-R-I-M-I-T-I-V-E

and this really illustrates the difference between the two product architectures. The Netscape family of directories was optimized over time for use in building flexible directory services, built by directory developers and admins for directory developers and admins. The roots of the Oracle product are clearly in Oracle’s relational (object) database product. At almost every turn you can see this legacy. Having to compile some Java code, edit a script file and run a PL/SQL command to enforce referential integrity is just one of the more obvious examples.

All in all, in this case Microsoft seems to outdo the field, having native referential integrity as part of the core product turned on by default.

UPDATE:

OpenLDAP, like all the commercial vendors, now offers a referential integrity solution. It’s currently implemented as an “experimental” overlay that needs to be added at compile time.

Copyright 2004-2019 Phil Lembo