
Chapter 4. Enforcing attribute uniqueness


To ensure that the value of an attribute is unique across the whole directory or a subtree, you can use the Attribute Uniqueness plug-in, which is disabled by default.

You can configure the plug-in to verify attribute uniqueness in either of the following ways:

  • Set a list of subtrees where the plug-in must check attribute uniqueness by using the uniqueness-subtrees parameter, for example:

    uniqueness-attribute-name: mail
    uniqueness-subtrees: ou=accounting,dc=example,dc=com
    uniqueness-subtrees: ou=sales,dc=example,dc=com
    uniqueness-across-all-subtrees: on
    uniqueness-exclude-subtrees: ou=private,ou=people,dc=example,dc=com

    For more details, see Configuring the Attribute Uniqueness plug-in over subtrees.

  • Set a parent entry object class by using the uniqueness-top-entry-oc parameter. If a parent entry of the updated entry contains this object class, then the plug-in checks the uniqueness of attributes under that parent entry's subtree. For example, you can configure the plug-in the following way:

    uniqueness-attribute-name: mail
    uniqueness-top-entry-oc: nsContainer
    uniqueness-subtree-entries-oc: inetOrgPerson
    uniqueness-exclude-subtrees: ou=private,ou=people,dc=example,dc=com

    For more details, see Configuring the Attribute Uniqueness plug-in over object classes.

You can create multiple configuration entries of the plug-in to apply different conditions. Directory Server stores all configuration entries of the plug-in under cn=plugins,cn=config.

4.1. Configuring the Attribute Uniqueness plug-in over subtrees using the command line

You can use the dsconf utility to set the list of subtrees where the plug-in must check the attribute uniqueness. A subtree can be any entry in the directory, including a suffix.

Use the following example procedure to configure the plug-in to verify uniqueness of the mail attribute in entries under the ou=sales,dc=example,dc=com and ou=accounting,dc=example,dc=com subtrees.

Prerequisites

  • You have the Directory Manager permissions.

Procedure

  1. Create a new plug-in configuration entry:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq add "Mail Uniqueness" --attr-name mail --subtree ou=sales,dc=example,dc=com ou=accounting,dc=example,dc=com

    The command creates the cn=Mail Uniqueness,cn=plugins,cn=config configuration entry.

    Note

    You can set the plug-in to verify uniqueness of multiple attributes in one configuration entry.

  2. Optional: Configure uniqueness across all subtrees configured in this plug-in configuration entry:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq set "Mail Uniqueness" --across-all-subtrees on

    The command sets the uniqueness-across-all-subtrees plug-in configuration parameter to on. Therefore, the plug-in checks uniqueness of the mail attribute across both the ou=sales,dc=example,dc=com and ou=accounting,dc=example,dc=com subtrees. By default, the plug-in only checks uniqueness across the subtree where the entry is created or updated, which means that if you create or update an entry under ou=sales,dc=example,dc=com, the plug-in checks the mail attribute uniqueness only across this subtree.

  3. Optional: Set a subtree that the plug-in must exclude from the attribute uniqueness verification.

    For example, if you want the plug-in to skip the ou=internal,ou=sales,dc=example,dc=com subtree, you can use the ldapmodify utility to set the uniqueness-exclude-subtrees parameter:

    # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=Mail Uniqueness,cn=plugins,cn=config
    changetype: modify
    add: uniqueness-exclude-subtrees
    uniqueness-exclude-subtrees: ou=internal,ou=sales,dc=example,dc=com

  4. Optional: If you want the plug-in to verify uniqueness only in entries that contain a specific object class, set this object class as the value of the uniqueness-subtree-entries-oc parameter.

    For example, if you want the mail attribute to be unique only in entries that contain the inetOrgPerson object class, enter:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq set "Mail Uniqueness" --subtree-entries-oc=inetOrgPerson

  5. Enable the plug-in on the server:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq enable "Mail Uniqueness"

  6. Restart the instance:

    # dsctl instance_name restart

Verification

  • View the configuration entry details:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq show "Mail Uniqueness"
    
    dn: cn=Mail Uniqueness,cn=plugins,cn=config
    cn: Mail Uniqueness
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginDescription: Enforce unique attribute values
    nsslapd-pluginEnabled: on
    ...
    uniqueness-across-all-subtrees: on
    uniqueness-attribute-name: mail
    uniqueness-exclude-subtrees: ou=internal,ou=sales,dc=example,dc=com
    uniqueness-subtree-entries-oc: inetOrgPerson
    uniqueness-subtrees: ou=accounting,dc=example,dc=com
    uniqueness-subtrees: ou=sales,dc=example,dc=com

4.2. Configuring the Attribute Uniqueness plug-in over object classes

You can configure the Attribute Uniqueness plug-in to ensure that values of an attribute are unique in entries that contain a specific object class. To configure the plug-in, you must set the following configuration parameters:

  • uniqueness-top-entry-oc. This parameter identifies the subtree under which the plug-in verifies attribute uniqueness. The plug-in verifies uniqueness only in entries whose parent entries contain the object class you set in uniqueness-top-entry-oc. If Directory Server does not find the object class in the parent entry of the updated entry, the search continues at the next higher-level entry, up to the root of the directory tree.
  • uniqueness-subtree-entries-oc. This parameter identifies which entries the plug-in must check. When you set an object class in the uniqueness-subtree-entries-oc parameter, the plug-in verifies uniqueness of attributes only in updated entries that contain this specific object class.
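To make the scoping rules of both the subtree configuration (section 4.1) and the object-class configuration (section 4.2) concrete, here is an added Python model of how the plug-in decides which subtrees to search for duplicates and which existing entries would conflict with an added or modified entry. It is not code from this documentation or from the plug-in; it assumes a naive comma split of DNs, assumes the uniqueness-subtree-entries-oc filter applies to candidate entries as well as to the updated entry, and the directory data is constructed.

```python
def is_under(dn, base):
    """True if dn is base or lies below it (naive comma split, case-insensitive RDNs)."""
    d, b = [[p.strip().lower() for p in x.split(",")] for x in (dn, base)]
    return len(d) >= len(b) and d[-len(b):] == b

def _has_oc(entry, oc):
    return bool(oc) and oc.lower() in {o.lower() for o in entry.get("objectClass", [])}

def search_bases(cfg, dn, entry, directory):
    """Subtrees the plug-in searches when dn is added or modified; [] means not checked."""
    oc = cfg.get("uniqueness-subtree-entries-oc")
    excluded = any(is_under(dn, x) for x in cfg.get("uniqueness-exclude-subtrees", []))
    if (oc and not _has_oc(entry, oc)) or excluded:
        return []
    top = cfg.get("uniqueness-top-entry-oc")
    if top:  # climb from the parent toward the root until an entry carries the top-entry object class
        cur = ",".join(dn.split(",")[1:])
        while cur:
            if _has_oc(directory.get(cur, {}), top):
                return [cur]
            cur = ",".join(cur.split(",")[1:])
        return []
    hit = [s for s in cfg.get("uniqueness-subtrees", []) if is_under(dn, s)]
    return list(cfg["uniqueness-subtrees"]) if hit and cfg.get("uniqueness-across-all-subtrees") == "on" else hit

def conflicts(cfg, dn, entry, directory):
    """DNs of other in-scope entries that already hold one of the new entry's values."""
    attr, oc = cfg["uniqueness-attribute-name"], cfg.get("uniqueness-subtree-entries-oc")
    bases, new = search_bases(cfg, dn, entry, directory), {v.lower() for v in entry.get(attr, [])}
    return [odn for odn, oe in directory.items()
            if odn.lower() != dn.lower() and any(is_under(odn, b) for b in bases)
            and not any(is_under(odn, x) for x in cfg.get("uniqueness-exclude-subtrees", []))
            and (not oc or _has_oc(oe, oc))  # assumption: the object-class filter applies to candidates too
            and new & {v.lower() for v in oe.get(attr, [])}]

# Constructed sample directory (dn -> attributes) and the two configurations from this chapter
DIRECTORY = {
    "ou=sales,dc=example,dc=com": {"objectClass": ["organizationalUnit", "nsContainer"]},
    "uid=alice,ou=sales,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
    "uid=bob,ou=accounting,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
    "uid=svc,ou=internal,ou=sales,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
}
SUBTREE_CFG = {"uniqueness-attribute-name": "mail",
               "uniqueness-subtrees": ["ou=accounting,dc=example,dc=com", "ou=sales,dc=example,dc=com"],
               "uniqueness-across-all-subtrees": "on",
               "uniqueness-exclude-subtrees": ["ou=internal,ou=sales,dc=example,dc=com"],
               "uniqueness-subtree-entries-oc": "inetOrgPerson"}
OC_CFG = {"uniqueness-attribute-name": "mail", "uniqueness-top-entry-oc": "nsContainer",
          "uniqueness-subtree-entries-oc": "inetOrgPerson"}
```

Running conflicts() with SUBTREE_CFG and uniqueness-across-all-subtrees set to off shows why the default only catches duplicates inside the subtree being written to, and OC_CFG shows an entry under a container without nsContainer in its ancestry is never checked at all.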

Use the following example procedure to make the mail attribute unique in all entries under the entry that contains the nsContainer object class, and to have the plug-in check the mail attribute only in entries that contain the inetOrgPerson object class.

Prerequisites

  • You have the Directory Manager permissions.

Procedure

  1. Create a new plug-in configuration entry:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq add "Mail Uniqueness with OC" --attr-name mail --subtree-entries-oc=inetOrgPerson --top-entry-oc=nsContainer

    The command creates the cn=Mail Uniqueness with OC,cn=plugins,cn=config entry with the configured uniqueness-top-entry-oc and uniqueness-subtree-entries-oc plug-in parameters.

  2. Optional: Set a subtree that the plug-in must exclude from the attribute uniqueness verification.

    For example, if you want the plug-in to skip the ou=internal,ou=sales,dc=example,dc=com subtree, use the ldapmodify utility to set the uniqueness-exclude-subtrees parameter:

    # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
    
    dn: cn=Mail Uniqueness with OC,cn=plugins,cn=config
    changetype: modify
    add: uniqueness-exclude-subtrees
    uniqueness-exclude-subtrees: ou=internal,ou=sales,dc=example,dc=com

  3. Enable the plug-in on the server:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq enable "Mail Uniqueness with OC"

  4. Restart the instance:

    # dsctl instance_name restart

Verification

  • View the configuration entry details:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq show "Mail Uniqueness with OC"
    
    dn: cn=Mail Uniqueness with OC,cn=plugins,cn=config
    cn: Mail Uniqueness with OC
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginDescription: none
    nsslapd-pluginEnabled: on
    ...
    uniqueness-attribute-name: mail
    uniqueness-exclude-subtrees: ou=internal,ou=sales,dc=example,dc=com
    uniqueness-subtree-entries-oc: inetOrgPerson
    uniqueness-top-entry-oc: nsContainer

4.3. Configuring the Attribute Uniqueness plug-in using the web console

You can use the web console to configure the Attribute Uniqueness plug-in. Note that you can create different configuration entries of the plug-in to apply different conditions.

Use the following example procedure to configure the plug-in to verify uniqueness of the mail attribute in entries under the ou=sales,dc=example,dc=com and ou=accounting,dc=example,dc=com subtrees.

Prerequisites

Procedure

  1. Select the instance where you want to configure the plug-in.
  2. Open the Plugins menu and select the Attribute Uniqueness plug-in from the list.
  3. Click the Add Config button to start creating a new configuration entry.
  4. Enter the name of the configuration entry in the Config Name field.
  5. Select which attributes must be unique in the Attribute Names field. The field sets the uniqueness-attribute-name attribute.
  6. Enter the subtrees under which the plug-in checks uniqueness of attributes in the Subtrees field. The field sets the uniqueness-subtrees attribute.

    By default, the plug-in checks uniqueness across only the subtree where the entry is created or updated. To check across all listed subtrees, check the Across All Subtrees checkbox that sets the uniqueness-across-all-subtrees attribute to on.

  7. Toggle the switch to the Configuration is enabled position.
  8. Click the Add Config button to create the plug-in configuration entry.

    Figure 4.1. Configuration example of the Attribute Uniqueness plug-in.

  9. Restart the instance. For more details, see Starting and stopping a Directory Server instance by using the web console.

Verification

  • Find the newly created plug-in entry in the list of configuration entries.