Chapter 4. Enforcing attribute uniqueness
To ensure that the value of an attribute is unique across the whole directory or a subtree, you can use the Attribute Uniqueness plug-in, which is disabled by default.
You can configure the plug-in to verify attribute uniqueness in either of the following ways:
- Set a list of subtrees where the plug-in must check attribute uniqueness by using the uniqueness-subtrees parameter, for example:

  uniqueness-attribute-name: mail
  uniqueness-subtrees: ou=accounting,dc=example,dc=com
  uniqueness-subtrees: ou=sales,dc=example,dc=com
  uniqueness-across-all-subtrees: on
  uniqueness-exclude-subtrees: ou=private,ou=people,dc=example,dc=com

  For more details, see Configuring the Attribute Uniqueness plug-in over subtrees.
- Set a parent entry object class by using the uniqueness-top-entry-oc parameter. If a parent entry of the updated entry contains this object class then the plug-in checks for the uniqueness of attributes under the parent entry subtree. For example, you can configure the plug-in the following way:

  uniqueness-attribute-name: mail
  uniqueness-top-entry-oc: nsContainer
  uniqueness-subtree-entries-oc: inetOrgPerson
  uniqueness-exclude-subtrees: ou=private,ou=people,dc=example,dc=com

  For more details, see Configuring the Attribute Uniqueness plug-in over object classes.
You can create multiple configuration entries of the plug-in to apply different conditions. Directory Server stores all configuration entries of the plug-in under cn=plugins,cn=config.
4.1. Configuring the Attribute Uniqueness plug-in over subtrees using the command line
You can use the dsconf utility to set the list of subtrees where the plug-in must check the attribute uniqueness. A subtree can be any entry in the directory, including a suffix.
Use the following example procedure to configure the plug-in to verify uniqueness of the mail attribute in entries under the ou=sales,dc=example,dc=com and ou=accounting,dc=example,dc=com subtrees.
Prerequisites
- You have the Directory Manager permissions.
Procedure
- Create a new plug-in configuration entry:

  # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq add "Mail Uniqueness" --attr-name mail --subtree ou=sales,dc=example,dc=com ou=accounting,dc=example,dc=com

  The command creates the cn=Mail Uniqueness,cn=plugins,cn=config configuration entry.

  Note: You can set the plug-in to verify uniqueness of multiple attributes in one configuration entry.

- Optional: Configure uniqueness across all subtrees configured in this plug-in configuration entry:

  # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq set "Mail Uniqueness" --across-all-subtrees on

  The command sets the uniqueness-across-all-subtrees plug-in configuration parameter to on. Therefore, the plug-in checks uniqueness of the mail attribute across both the ou=sales,dc=example,dc=com and ou=accounting,dc=example,dc=com subtrees. By default, the plug-in only checks uniqueness across the subtree where the entry is created or updated, which means that if you create or update an entry under ou=sales,dc=example,dc=com, the plug-in checks the mail attribute uniqueness only across this subtree.

- Optional: Set a subtree that the plug-in must exclude from the attribute uniqueness verification.

  For example, if you want the plug-in to skip the ou=internal,ou=sales,dc=example,dc=com subtree, you can use the ldapmodify utility to set the uniqueness-exclude-subtrees parameter:

- Optional: If you want the plug-in to verify uniqueness only in entries that contain a specific object class, set this object class as a value for the uniqueness-subtree-entries-oc parameter.

  For example, if you want the mail attribute to be unique only in entries that contain the inetOrgPerson object class, enter:

  # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq set "Mail Uniqueness" --subtree-entries-oc=inetOrgPerson

- Enable the plug-in on the server:

  # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq enable "Mail Uniqueness"

- Restart the instance:

  # dsctl instance_name restart
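The scope rules from this procedure (default per-subtree check, uniqueness-across-all-subtrees, and uniqueness-exclude-subtrees) can be modeled offline to predict which writes the plug-in would reject. This is an added example, not Directory Server code or part of the original documentation; the function names, the sample users, and the treatment of excluded entries are assumptions of the model.

```python
# Simplified model of the scope rules described above; not Directory Server code.
# Assumes normalized DNs without escaped commas and case-insensitive mail matching.

def under(dn, base):
    """True if dn is base itself or a descendant of base."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def conflicts(entries, new_dn, mail, subtrees, across_all=False, exclude=()):
    """Return DNs of existing entries that would make a write of `mail` at new_dn fail."""
    # Model assumption: entries in an excluded subtree neither trigger a check
    # nor count as a conflict.
    if any(under(new_dn, x) for x in exclude):
        return []
    home = [s for s in subtrees if under(new_dn, s)]
    if not home:
        return []  # outside every configured subtree: nothing to enforce
    # Default: only the subtree being written to. With across_all: every listed subtree.
    scope = list(subtrees) if across_all else home
    return sorted(
        dn for dn, value in entries.items()
        if dn.lower() != new_dn.lower()
        and value.lower() == mail.lower()
        and any(under(dn, s) for s in scope)
        and not any(under(dn, x) for x in exclude)
    )

# Constructed sample data (hypothetical users under the page's example subtrees).
SUBTREES = ["ou=sales,dc=example,dc=com", "ou=accounting,dc=example,dc=com"]
EXCLUDE = ["ou=internal,ou=sales,dc=example,dc=com"]
ENTRIES = {
    "uid=alice,ou=accounting,dc=example,dc=com": "a.smith@example.com",
    "uid=svc1,ou=internal,ou=sales,dc=example,dc=com": "bot@example.com",
}
NEW_DN = "uid=asmith,ou=sales,dc=example,dc=com"

if __name__ == "__main__":
    for across in (False, True):
        hits = conflicts(ENTRIES, NEW_DN, "A.Smith@example.com", SUBTREES, across, EXCLUDE)
        print(f"across-all-subtrees={'on' if across else 'off'}: {hits or 'write allowed'}")
    hits = conflicts(ENTRIES, NEW_DN, "bot@example.com", SUBTREES, True, EXCLUDE)
    print("duplicate held only in excluded subtree:", hits or "write allowed")
```

With the default setting, the same mail value can exist once under ou=sales and once under ou=accounting; only with uniqueness-across-all-subtrees set to on does the model report the cross-subtree collision.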
Verification
View the configuration entry details:
4.2. Configuring the Attribute Uniqueness plug-in over object classes
You can configure the Attribute Uniqueness plug-in to ensure that values of an attribute are unique in entries that contain a specific object class. To configure the plug-in, you must set the following configuration parameters:
- uniqueness-top-entry-oc. This parameter uniquely identifies a subtree under which the plug-in verifies attribute uniqueness. The plug-in verifies uniqueness only in entries whose parent entries contain the specific object class you set in uniqueness-top-entry-oc. If Directory Server does not find the object class in the parent entry of the updated entry, the search continues at the next higher level entry up to the root of the directory tree.
- uniqueness-subtree-entries-oc. This parameter identifies which entries the plug-in must check. When you set an object class in the uniqueness-subtree-entries-oc parameter, the plug-in verifies uniqueness of attributes only in updated entries that contain this specific object class.
Use the following example procedure to make the mail attribute unique in all entries under the entry that contains the nsContainer object class, and to have the plug-in check the mail attribute only in entries that contain the inetOrgPerson object class.
Prerequisites
- You have the Directory Manager permissions.
Procedure
- Create a new plug-in configuration entry:

  # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq add "Mail Uniqueness with OC" --attr-name mail --subtree-entries-oc=inetOrgPerson --top-entry-oc=nsContainer

  The command creates the cn=Mail Uniqueness with OC,cn=plugins,cn=config entry with the configured uniqueness-top-entry-oc and uniqueness-subtree-entries-oc plug-in parameters.

- Optional: Set a subtree that the plug-in must exclude from the attribute uniqueness verification.

  For example, if you want the plug-in to skip the ou=internal,ou=sales,dc=example,dc=com subtree, use the ldapmodify utility to set the uniqueness-exclude-subtrees parameter:

- Enable the plug-in on the server:

  # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin attr-uniq enable "Mail Uniqueness with OC"

- Restart the instance:

  # dsctl instance_name restart
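The upward search for uniqueness-top-entry-oc and the uniqueness-subtree-entries-oc filter described in this section can be traced on a small tree. This is an added example, not Directory Server code or part of the original documentation; the function names and the sample entries are hypothetical, and counting only existing entries that carry the configured object class is an assumption of the model.

```python
# Simplified model of the object-class scoping described above; not Directory
# Server code. Assumes lower-case, normalized DNs without escaped commas.

def find_top_entry(tree, dn, top_oc):
    """Walk up from the parent of dn; return the nearest ancestor carrying top_oc."""
    while "," in dn:
        dn = dn.split(",", 1)[1]  # move to the next higher entry
        if top_oc.lower() in tree.get(dn, {}).get("oc", set()):
            return dn
    return None  # reached the root without finding uniqueness-top-entry-oc

def oc_mode_conflicts(tree, new_dn, new_ocs, mail, top_oc, entries_oc):
    """Return existing DNs that would make a write of `mail` at new_dn fail."""
    wanted = entries_oc.lower()
    if wanted not in {oc.lower() for oc in new_ocs}:
        return []  # updated entry lacks uniqueness-subtree-entries-oc: no check
    top = find_top_entry(tree, new_dn, top_oc)
    if top is None:
        return []
    # Model assumption: only existing entries that carry entries_oc count.
    return sorted(
        dn for dn, e in tree.items()
        if dn != new_dn and dn.endswith("," + top)
        and wanted in e.get("oc", set())
        and e.get("mail", "").lower() == mail.lower()
    )

# Constructed sample tree (hypothetical entries; object classes stored lower-case).
TREE = {
    "dc=example,dc=com": {"oc": {"domain"}},
    "cn=emea,dc=example,dc=com": {"oc": {"nscontainer"}},
    "cn=apac,dc=example,dc=com": {"oc": {"nscontainer"}},
    "ou=people,cn=emea,dc=example,dc=com": {"oc": {"organizationalunit"}},
    "uid=bob,cn=emea,dc=example,dc=com": {"oc": {"inetorgperson"}, "mail": "bob@example.com"},
    "uid=rob,cn=apac,dc=example,dc=com": {"oc": {"inetorgperson"}, "mail": "bob@example.com"},
}
NEW_DN = "uid=bobby,ou=people,cn=emea,dc=example,dc=com"

if __name__ == "__main__":
    print("top entry:", find_top_entry(TREE, NEW_DN, "nsContainer"))
    print("conflicts:", oc_mode_conflicts(
        TREE, NEW_DN, ["inetOrgPerson"], "Bob@example.com", "nsContainer", "inetOrgPerson"))
```

In the sample tree, the direct parent ou=people lacks nsContainer, so the scope resolves to cn=emea; the duplicate under cn=apac sits in a different scope and is not reported.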
Verification
View the configuration entry details:
4.3. Configuring the Attribute Uniqueness plug-in using the web console
You can use the web console to configure the Attribute Uniqueness plug-in. Note that you can create different configuration entries of the plug-in to apply different conditions.
Use the following example procedure to configure the plug-in to verify uniqueness of the mail attribute in entries under the ou=sales,dc=example,dc=com and ou=accounting,dc=example,dc=com subtrees.
Prerequisites
- You have the Directory Manager permissions.
- You are logged in to the web console. For more details, see Logging in to the Directory Server by using the web console.
Procedure
- Select the instance where you want to configure the plug-in.
- Open the Plugins menu and select the Attribute Uniqueness plug-in from the list.
- Click button to start the configuration of a new configuration entry.
- Enter the name of the configuration entry in the Config Name field.
- Select which attributes must be unique in the Attribute Names field. The field sets the uniqueness-attribute-name attribute.
- Enter the subtrees under which the plug-in checks uniqueness of attributes in the Subtrees field. The field sets the uniqueness-subtrees attribute.
  By default, the plug-in checks uniqueness across only the subtree where the entry is created or updated. To check across all listed subtrees, check the checkbox that sets the uniqueness-across-all-subtrees attribute to on.
- Toggle the switch to the Configuration is enabled position.
- Click button to create the plug-in configuration entry.
Figure 4.1. Configuration example of the Attribute Uniqueness plug-in.
- Restart the instance. For more details, see Starting and stopping a Directory Server instance by using the web console.
Verification
- Find the newly created plug-in entry in the list of configuration entries.