Chapter 3. Assigning and managing unique numeric attribute values

Some entry attributes require unique numeric identifiers, such as uidNumber and gidNumber. The Directory Server can generate and assign these unique numbers automatically for specified attributes using the Distributed Numeric Assignment (DNA) Plug-in.

Note

The DNA plug-in does not guarantee attribute uniqueness. The plug-in allocates non-overlapping ranges, which still lets you assign numbers to managed attributes manually; it neither requires nor verifies that such manually assigned values are unique.

The DNA plug-in helps you avoid replication conflicts. It assigns unique numbers within a single backend. In a multi-supplier replication topology where each supplier runs its own DNA plug-in instance, you must assign a different range of numbers to each server, so that each instance issues a truly disjoint set of numbers.

3.1. About Dynamic Number Assignments

The DNA plug-in holds a range of available numbers that the instance can issue. Two attributes define the range: the server's next available number (the bottom value of the range) and its maximum value (the upper value of the range). You set the initial bottom value when you configure the plug-in; afterwards, the plug-in updates this bottom value as it assigns numbers.

By breaking the available numbers into separate ranges on each replica, the servers can continually assign numbers without overlapping with each other.

3.1.1. Filters, searches, and target entries

To check whether another server has already taken the next range, the server performs a sorted search internally. This requires the managed attribute to have an equality index with the proper ordering matching rule.

The DNA Plug-in is always applied to a specific area of the directory tree (the scope) and specific entry types within that subtree (the filter).

Important

The DNA Plug-in works only on a single back end; it cannot manage number assignments across multiple databases. The plug-in uses the sort control to check whether a value has been manually allocated outside the plug-in, and this check likewise works only within a single back end.

3.1.2. Ranges and assigning numbers

The Directory Server can generate attribute values using several different methods:

  • In the basic scenario, the DNA Plug-in is configured to assign unique values to a single attribute. When an entry is added with an object class that requires that attribute but the entry carries no value for it, the plug-in assigns one.
  • Alternatively, a magic number can be used as a template value for the managed attribute. The magic value, which can be a number or even a word, lies outside the server's range, and the plug-in treats it as a signal to replace it with a newly assigned value. When an entry carrying the magic value is added within the scope and filter of the configured DNA Plug-in, the plug-in generates a new value for it. For instance, using ldapmodify, you can add an entry with 0 as the magic number (sn and homeDirectory are included because the person and posixAccount object classes require them):
dn: uid=jsmith,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: posixAccount
uid: jsmith
cn: John Smith
sn: Smith
homeDirectory: /home/jsmith
uidNumber: 0
gidNumber: 0

The DNA Plug-in only generates new, unique values; it never overwrites an existing one. If an entry is added or modified with a specific (non-magic) value for an attribute the plug-in manages, the plug-in leaves that value as it is and, as noted above, does not verify that it is unique.
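Because the plug-in neither verifies manually assigned values nor detects overlapping ranges between suppliers, an administrator has to check those conditions from outside. The script below is an added example, not part of this documentation or of Directory Server. It assumes you have exported, for instance with ldapsearch, each supplier's DNA plug-in configuration entry and the managed subtree to LDIF; here both exports are constructed inline with invented supplier names, entries and range values, while dnaType, dnaNextValue, dnaMaxValue and dnaMagicRegen are the plug-in's real configuration attributes. It reports four things the plug-in will not: supplier ranges that overlap, a uidNumber used by more than one entry, a hand-assigned number that sits inside a range a supplier still considers free (and will therefore hand out again), and entries that still carry the magic value because they fell outside the plug-in's scope or filter.

```python
"""Audit DNA-managed values across supplier exports (added example, not code from
the Directory Server documentation). Assumes constructed LDIF exports per supplier
of the DNA plug-in configuration entry and of the managed subtree."""
from collections import defaultdict


def dna_config(next_value, max_value):
    """Constructed config export; the attribute names are real, the values invented."""
    return ("dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
            "dnaType: uidNumber\ndnaType: gidNumber\ndnaMagicRegen: 0\n"
            f"dnaNextValue: {next_value}\ndnaMaxValue: {max_value}\n")


# supplier2's remaining range [2003, 2999] overlaps supplier1's [1005, 2100].
CONFIG_LDIF = {"supplier1": dna_config(1005, 2100), "supplier2": dna_config(2003, 2999)}

# Constructed subtree exports: jsmith is replicated to both suppliers; svc-backup was
# numbered by hand inside supplier1's unused range; clone reuses jsmith's uidNumber;
# pending (outside the plug-in scope) still carries the magic value 0.
EXPORT_LDIF = {
    "supplier1": """# export taken on supplier1
dn: uid=jsmith,ou=people,dc=example,dc=com
uidNumber: 1001
gidNumber: 1001

dn: uid=svc-backup,ou=people,dc=example,dc=com
uidNumber: 1500
gidNumber: 1500

dn: uid=clone,ou=people,dc=example,dc=com
cn: Accidental
  copy
uidNumber: 1001
gidNumber: 1001

dn: uid=pending,ou=services,dc=example,dc=com
uidNumber: 0
gidNumber: 0
""",
    "supplier2": """dn: uid=jsmith,ou=people,dc=example,dc=com
uidNumber: 1001
gidNumber: 1001
""",
}


def parse_ldif(text):
    """Parse LDIF into [{attr (lower-cased): [values]}], honouring folded lines
    (leading space) and '#' comments; base64 ('::') values are left encoded."""
    entries, current, logical = [], {}, []

    def flush():
        line, logical[:] = "".join(logical), []
        name, sep, value = line.partition(":")
        if line and not line.startswith("#") and sep:
            current.setdefault(name.strip().lower(), []).append(value.strip())

    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):                # folded continuation line
            logical.append(raw[1:])
            continue
        flush()
        if raw == "":                          # blank line closes the entry
            if current:
                entries.append(current)
                current = {}
            continue
        logical.append(raw)
    return entries


def parse_dna_config(text):
    """Extract managed attribute types, remaining range and magic value."""
    e = parse_ldif(text)[0]
    return {"types": [t.lower() for t in e["dnatype"]], "magic": e["dnamagicregen"][0],
            "next": int(e["dnanextvalue"][0]), "max": int(e["dnamaxvalue"][0])}


def audit(configs, exports, unique_attrs=("uidnumber",)):
    """Return findings the DNA plug-in does not detect on its own (all empty when clean).
    gidNumber is not in unique_attrs: many accounts legitimately share a primary group."""
    cfg = {s: parse_dna_config(t) for s, t in configs.items()}
    found = {"overlap": [], "duplicate": [], "in_free_range": set(), "magic_left": set()}
    for i, a in enumerate(sorted(cfg)):        # supplier ranges must be pairwise disjoint
        for b in sorted(cfg)[i + 1:]:
            if cfg[a]["next"] <= cfg[b]["max"] and cfg[b]["next"] <= cfg[a]["max"]:
                found["overlap"].append((a, b))
    holders = defaultdict(set)                 # (attr, value) -> {dn, ...}
    for supplier, text in exports.items():
        for entry in parse_ldif(text):
            dn = entry["dn"][0]
            for attr in cfg[supplier]["types"]:
                for value in entry.get(attr, []):
                    if value == cfg[supplier]["magic"] or not value.isdigit():
                        found["magic_left"].add((dn, attr))   # plug-in never replaced it
                        continue
                    holders[(attr, value)].add(dn)
                    for s, c in cfg.items():   # hand-assigned, yet still "free" on supplier s:
                        if c["next"] <= int(value) <= c["max"]:   # it will be handed out again
                            found["in_free_range"].add((dn, attr, int(value), s))
    for (attr, value), dns in holders.items():
        if attr in unique_attrs and len(dns) > 1:
            found["duplicate"].append((attr, value, sorted(dns)))
    return {k: sorted(v) for k, v in found.items()}
```

Run `audit(CONFIG_LDIF, EXPORT_LDIF)` on the constructed data and every category contains a hit; with disjoint ranges and clean exports all four lists come back empty. Exports from several suppliers can be passed together because the same DN is collapsed before duplicates are counted, so a replicated entry is not reported against itself. Range overlap is computed on the remaining ranges [dnaNextValue, dnaMaxValue], since the plug-in advances dnaNextValue as it assigns numbers and the original bottom value is not preserved in the configuration entry.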

3.1.3. Multiple attributes in the same range

The DNA Plug-in can assign unique numbers to a single or multiple attribute types from a single range of unique numbers.

This offers multiple options for assigning unique numbers to attributes:

  • A single number for a single attribute type from a unique range.
  • The same unique number for two attributes in one entry.
  • Two distinct attributes assigned distinct numbers from the same unique range.

In many cases, assigning a unique number per attribute type suffices. For instance, when assigning an employeeID to a new employee entry, it’s crucial to ensure each employee entry receives a unique employeeID.

However, in some cases it is useful to assign unique numbers from the same range to multiple attributes. For instance, when assigning a uidNumber and a gidNumber to a posixAccount entry, the DNA Plug-in can assign the same number to both attributes. To achieve this, pass both managed attributes, each set to the magic value, in one modify operation. Using ldapmodify:

# ldapmodify -D "cn=Directory Manager" -W -x

dn: uid=jsmith,ou=people,dc=example,dc=com
changetype: modify
add: uidNumber
uidNumber: 0
-
add: gidNumber
gidNumber: 0

When the DNA Plug-in manages multiple attributes but an entry's object class permits only one of them, the plug-in assigns a unique value to that one attribute. For instance, the posixGroup object class allows gidNumber but not uidNumber. If the plug-in manages both uidNumber and gidNumber, then when a posixGroup entry is created it assigns a unique number to gidNumber from the shared uidNumber and gidNumber range. Using one pool for all managed attributes keeps the assignments consistent and prevents the conflict that separate ranges would allow, where a uidNumber on one entry and a gidNumber on another end up with the same number.

If the DNA Plug-in manages multiple attributes and you pass them in a single modify operation, it assigns the same value to all of them. To assign different numbers from the same range, perform a separate modify operation for each attribute. For example, using ldapmodify:

# ldapmodify -D "cn=Directory Manager" -W -x
dn: uid=jsmith,ou=people,dc=example,dc=com
changetype: modify
add: uidNumber
uidNumber: 0
^D

# ldapmodify -D "cn=Directory Manager" -W -x
dn: uid=jsmith,ou=people,dc=example,dc=com
changetype: modify
add: employeeId
employeeId: magic
^D

Important

When the DNA Plug-in manages multiple attributes, you must supply the magic value for each attribute that should receive a generated number. This differs from the single-attribute case, where the plug-in assigns a value even if the attribute is omitted from the entry. In some cases an entry does not permit all of the attributes in the range, or it permits all of them but only a subset needs a unique value.

Example 3.1. DNA and unique bank account numbers

The Example Bank administrator configures the DNA Plug-in to assign a shared unique number to a customer's primaryAccount and customerID attributes.

The bank also wants to assign unique numbers to secondary accounts, distinct from the primary accounts but drawn from the same number range as the customer IDs and primary accounts. The administrator therefore configures the DNA Plug-in to manage the secondaryAccount attribute as well, and adds that attribute in a separate operation after the entry has been created and primaryAccount and customerID have received their shared number. This guarantees that primaryAccount and customerID share one unique number, while each secondaryAccount receives a distinct unique number from the same range.

© 2024 Red Hat, Inc.