referential integrity overlay

lam/HISTORY

@@ -1,4 +1,5 @@
 March 2018 6.3
+  - Server profile: added option if referential integrity overlay is active to sip cleanup actions
   - LAM Pro:
    -> Support custom structural object classes with new custom type
    -> Support dynamic lists

lam/docs/manual-sources/chapter-configuration.xml

@@ -368,24 +368,49 @@
 
         <para><emphasis role="bold">Advanced options</emphasis></para>
 
-        <para>Sometimes, you may not want to display the server address on the
-        login page. In this case you can setup a display name here (e.g.
-        "Production").</para>
+        <para>Display name: Sometimes, you may not want to display the server
+        address on the login page. In this case you can setup a display name
+        here (e.g. "Production").</para>
 
-        <para>By default LAM will not follow LDAP referrals. This is ok for
-        most installations. If you use LDAP referrals please activate the
-        referral option in advanced settings.</para>
+        <para>Follow referrals: By default LAM will not follow LDAP referrals.
+        This is ok for most installations. If you use LDAP referrals please
+        activate the referral option in advanced settings.</para>
 
-        <para>Paged results should be activated only if you encounter any
-        problems regarding size limits on Active Directory. LAM will then
-        query LDAP to return results in chunks of 999 entries.</para>
+        <para>Paged results: Paged results should be activated only if you
+        encounter any problems regarding size limits on Active Directory. LAM
+        will then query LDAP to return results in chunks of 999
+        entries.</para>
+
+        <para>Referential integrity overlay: Activate this checkbox if you
+        have any server side extension for referential integrity in place. In
+        this case the server will cleanup references to LDAP entries that are
+        deleted.</para>
+
+        <para>The following actions are skipped in this case:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Users: group of (unique) names: memberships are not deleted
+            when user is deleted</para>
+          </listitem>
+
+          <listitem>
+            <para>Users: organizational roles: role assignments are not
+            deleted when user is deleted</para>
+          </listitem>
+
+          <listitem>
+            <para>Groups: groupOf(Unique)Names: memberships are not deleted
+            when group is deleted</para>
+          </listitem>
+        </itemizedlist>
 
         <literallayout>
 </literallayout>
 
         <para>LAM is translated to many different languages. Here you can
         select the default language for this server profile. The language
-        setting may be overriden at the LAM login page.</para>
+        setting may be overridden at the LAM login page.</para>
 
         <para>Please also set your time zone here.</para>
 

lam/lib/modules/posixAccount.inc

@@ -904,6 +904,11 @@ class posixAccount extends baseModule implements passwordService {
 		for ($i = 0; $i < sizeof($groups); $i++) {
 			$return[$groups[$i]['dn']]['remove']['memberUid'][] = $this->attributes['uid'][0];
 		}
+		// stop here if referential integrity overlay is active
+		$config = $this->getAccountContainer()->get_type()->getTypeManager()->getConfig();
+		if ($config->isReferentialIntegrityOverlayActive()) {
+			return $return;
+		}
 		// remove from group of names
 		$dn = $this->getAccountContainer()->dn_orig;
 		$gons = searchLDAPByFilter('(|(member=' . $dn . ')(uniqueMember=' . $dn . '))', array('member', 'uniqueMember'), array('group', 'gon'));