From 6a96c259696ed3934de4aa7c139a7e9e3aa839b1 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Fri, 03 Apr 2026 10:15:50 +0000
Subject: [PATCH] Fix ReferentialIntegrityPlugin silently bypassing check-references on modify operations (#600)

---
 opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java |   33 +++++++++++++++++++++++++++------
 1 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java b/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java
index c5b74a0..0413aa9 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java
@@ -14,6 +14,7 @@
  * Copyright 2008-2010 Sun Microsystems, Inc.
  * Portions Copyright 2011-2016 ForgeRock AS.
  * Portions copyright 2011 profiq s.r.o.
+ * Portions copyright 2026 3A Systems, LLC.
  */
 package org.opends.server.plugins;
 
@@ -991,10 +992,9 @@
     }
 
     final List<Modification> mods = modifyOperation.getModifications();
-    final Entry entry = modifyOperation.getModifiedEntry();
 
     /* Make sure the entry belongs to one of the configured naming contexts. */
-    DN entryDN = entry.getName();
+    DN entryDN = modifyOperation.getEntryDN();
     DN entryBaseDN = getEntryBaseDN(entryDN);
     if (entryBaseDN == null)
     {
@@ -1009,14 +1009,35 @@
       if (modType != ModificationType.ADD
           && modType != ModificationType.REPLACE)
       {
-        break;
+        continue;
       }
 
-      Attribute modifiedAttribute = entry.getAttribute(mod.getAttribute().getAttributeDescription());
-      if (modifiedAttribute != null)
+      Attribute modifiedAttribute = mod.getAttribute();
+      if (modifiedAttribute != null && !modifiedAttribute.isEmpty())
       {
+        // Only enforce referential integrity on attributes that this plugin is configured to manage.
+        final AttributeType modifiedAttrType = modifiedAttribute.getAttributeDescription().getAttributeType();
+        boolean isManagedAttributeType = false;
+        if (modifiedAttrType != null && attributeTypes != null)
+        {
+          for (AttributeType configuredType : attributeTypes)
+          {
+            if (modifiedAttrType.equals(configuredType)
+                || modifiedAttrType.isSubTypeOf(configuredType))
+            {
+              isManagedAttributeType = true;
+              break;
+            }
+          }
+        }
+
+        if (!isManagedAttributeType)
+        {
+          // Skip integrity checks for attributes not configured for this plugin.
+          continue;
+        }
         PluginResult.PreOperation result =
-        isIntegrityMaintained(modifiedAttribute, entryDN, entryBaseDN);
+            isIntegrityMaintained(modifiedAttribute, entryDN, entryBaseDN);
         if (result.getResultCode() != ResultCode.SUCCESS)
         {
           return result;

--
Gitblit v1.10.0