2 # Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
3 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
7 Overlays are software components that provide hooks to functions analogous to
8 those provided by backends, which can be stacked on top of the backend calls
9 and as callbacks on top of backend responses to alter their behavior.
11 Overlays may be compiled statically into slapd, or when module support
12 is enabled, they may be dynamically loaded. Most of the overlays
13 are only allowed to be configured on individual databases, but some
14 may also be configured globally.
16 Essentially they represent a means to:
18 * customize the behavior of existing backends without changing the backend
19 code and without requiring one to write a new custom backend with
20 complete functionality
21 * write functionality of general usefulness that can be applied to
22 different backend types
24 Overlays are usually documented by separate specific man pages in section 5;
25 the naming convention is
27 > slapo-<overlay name>
29 Not all distributed overlays have a man page yet. Feel free to contribute one,
30 if you think you well understood the behavior of the component and the
31 implications of all the related configuration directives.
33 Official overlays are located in
35 > servers/slapd/overlays/
37 That directory also contains the file slapover.txt, which describes the
38 rationale of the overlay implementation, and may serve as guideline for the
39 development of custom overlays.
41 Contribware overlays are located in
43 > contrib/slapd-modules/<overlay name>/
45 along with other types of run-time loadable components; they are officially
46 distributed, but not maintained by the project.
48 They can be stacked on the frontend as well; this means that they can be
49 executed after a request is parsed and validated, but right before the
50 appropriate database is selected. The main purpose is to affect operations
51 regardless of the database they will be handled by, and, in some cases,
52 to influence the selection of the database by massaging the request DN.
54 All the current overlays in 2.4 are listed and described in detail in the
63 This overlay can record accesses to a given backend database on another
67 H3: Access Logging Configuration
72 The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file.
76 If the need arises whereby changes need to be logged as standard LDIF, then the auditlog overlay {{B:slapo-auditlog (5)}}
77 can be used. Full examples are available in the man page {{B:slapo-auditlog (5)}}
79 H3: Audit Logging Configuration
81 If the directory is running vi {{F:slapd.d}}, then the following LDIF could be used to add the overlay to the overlay list
82 in {{B:cn=config}} and set what file the {{TERM:LDIF}} gets logged to (adjust to suit)
84 > dn: cn=module{0},cn=config
87 > olcModuleLoad: {2}auditlog.la
89 > dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config
91 > objectClass: olcOverlayConfig
92 > objectClass: olcAuditLogConfig
93 > olcOverlay: auditlog
94 > olcAuditlogFile: /tmp/auditlog.ldif
97 In this example for testing, we are logging changes to {{F:/tmp/auditlog.ldif}}
99 A typical {{TERM:LDIF}} file created by {{B:slapo-auditlog (5)}} would look like:
101 > # add 1196797576 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
102 > dn: dc=suretecsystems,dc=com
104 > objectClass: dcObject
105 > objectClass: organization
107 > o: Suretec Systems Ltd.
108 > structuralObjectClass: organization
109 > entryUUID: 1606f8f8-f06e-1029-8289-f0cc9d81e81a
110 > creatorsName: cn=admin,dc=suretecsystems,dc=com
111 > modifiersName: cn=admin,dc=suretecsystems,dc=com
112 > createTimestamp: 20051123130912Z
113 > modifyTimestamp: 20051123130912Z
114 > entryCSN: 20051123130912.000000Z#000001#000#000000
115 > auditContext: cn=accesslog
116 > # end add 1196797576
118 > # add 1196797577 dc=suretecsystems,dc=com cn=admin,dc=suretecsystems,dc=com
119 > dn: ou=Groups,dc=suretecsystems,dc=com
122 > objectClass: organizationalUnit
124 > structuralObjectClass: organizationalUnit
125 > entryUUID: 160aaa2a-f06e-1029-828a-f0cc9d81e81a
126 > creatorsName: cn=admin,dc=suretecsystems,dc=com
127 > modifiersName: cn=admin,dc=suretecsystems,dc=com
128 > createTimestamp: 20051123130912Z
129 > modifyTimestamp: 20051123130912Z
130 > entryCSN: 20051123130912.000000Z#000002#000#000000
131 > # end add 1196797577
139 The chain overlay provides basic chaining capability to the underlying
142 What is chaining? It indicates the capability of a DSA to follow referrals on
143 behalf of the client, so that distributed systems are viewed as a single
144 virtual DSA by clients that are otherwise unable to "chase" (i.e. follow)
145 referrals by themselves.
147 The chain overlay is built on top of the ldap backend; it is compiled by
148 default when {{B:--enable-ldap}}.
151 H3: Chaining Configuration
153 In order to demonstrate how this overlay works, we shall discuss a typical
154 scenario which might be one master server and three Syncrepl slaves.
156 On each replica, add this near the top of the file (global), before any database
160 > chain-uri "ldap://ldapmaster.example.com"
161 > chain-idassert-bind bindmethod="simple"
162 > binddn="cn=Manager,dc=example,dc=com"
163 > credentials="<secret>"
166 > chain-return-error TRUE
168 Add this below your {{syncrepl}} statement:
170 > updateref "ldap://ldapmaster.example.com/"
172 The {{B:chain-tls}} statement enables TLS from the slave to the ldap master.
173 The DITs are exactly the same between these machines, therefore whatever user
174 bound to the slave will also exist on the master. If that DN does not have
175 update privileges on the master, nothing will happen.
177 You will need to restart the slave after these changes. Then, if you are using
178 {{loglevel 256}}, you can monitor an {{ldapmodify}} on the slave and the master.
180 Now start an {{ldapmodify}} on the slave and watch the logs. You should expect
183 > Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
184 > Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 STARTTLS
185 > Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 RESULT oid= err=0 text=
186 > Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 TLS established tls_ssf=256 ssf=256
187 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=com" method=128
188 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
189 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 RESULT tag=97 err=0 text=
190 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
191 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD attr=mail
192 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 RESULT tag=103 err=0 text=
193 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=3 UNBIND
194 > Sep 6 09:27:28 slave1 slapd[29274]: conn=11 fd=31 closed
195 > Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
196 > Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_search (0)
197 > Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: uid=user1,ou=People,dc=example,dc=com
198 > Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_modify (0)
200 And on the master you will see this:
202 > Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 PROXYAUTHZ dn="uid=user1,ou=people,dc=example,dc=com"
203 > Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
204 > Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD attr=mail
205 > Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 RESULT tag=103 err=0 text=
207 Note: You can clearly see the PROXYAUTHZ line on the master, indicating the
208 proper identity assertion for the update on the master. Also note the slave
209 immediately receiving the Syncrepl update from the master.
211 H3: Handling Chaining Errors
213 By default, if chaining fails, the original referral is returned to the client
214 under the assumption that the client might want to try and follow the referral.
216 With the following directive however, if the chaining fails at the provider
217 side, the actual error is returned to the client.
219 > chain-return-error TRUE
227 This overlay enforces a regular expression constraint on all values
228 of specified attributes. It is used to enforce a more rigorous
229 syntax when the underlying attribute syntax is too general.
232 H3: Constraint Configuration
235 H2: Dynamic Directory Services
240 This overlay supports dynamic objects, which have a limited life after
241 which they expire and are automatically deleted.
244 H3: Dynamic Directory Service Configuration
252 This overlay extends the Compare operation to detect
253 members of a dynamic group. This overlay is now deprecated
254 as all of its functions are available using the
255 {{SECT:Dynamic Lists}} overlay.
258 H3: Dynamic Group Configuration
266 This overlay allows expansion of dynamic groups and lists. Instead of having the
267 group members or list attributes hard coded, this overlay allows us to define
268 an LDAP search whose results will make up the group or list.
270 H3: Dynamic List Configuration
272 This module can behave both as a dynamic list and dynamic group, depending on
273 the configuration. The syntax is as follows:
276 > dynlist-attrset <group-oc> <URL-ad> [member-ad]
278 The parameters to the {{F:dynlist-attrset}} directive have the following meaning:
279 * {{F:<group-oc>}}: specifies which object class triggers the subsequent LDAP search.
280 Whenever an entry with this object class is retrieved, the search is performed.
281 * {{F:<URL-ad>}}: is the name of the attribute which holds the search URI. It
282 has to be a subtype of {{F:labeledURI}}. The attributes and values present in
283 the search result are added to the entry unless {{F:member-ad}} is used (see
285 * {{F:member-ad}}: if present, changes the overlay behavior into a dynamic group.
286 Instead of inserting the results of the search in the entry, the distinguished name
287 of the results are added as values of this attribute.
289 Here is an example which will allow us to have an email alias which automatically
290 expands to all user's emails according to our LDAP filter:
292 In {{slapd.conf}}(5):
294 > dynlist-attrset nisMailAlias labeledURI
296 This means that whenever an entry which has the {{F:nisMailAlias}} object class is
297 retrieved, the search specified in the {{F:labeledURI}} attribute is performed.
299 Let's say we have this entry in our directory:
300 > cn=all,ou=aliases,dc=example,dc=com
302 > objectClass: nisMailAlias
303 > labeledURI: ldap:///ou=People,dc=example,dc=com?mail?one?(objectClass=inetOrgPerson)
305 If this entry is retrieved, the search specified in {{F:labeledURI}} will be
306 performed and the results will be added to the entry just as if they have always
307 been there. In this case, the search filter selects all entries directly
308 under {{F:ou=People}} that have the {{F:inetOrgPerson}} object class and retrieves
309 the {{F:mail}} attribute, if it exists.
311 This is what gets added to the entry when we have two users under {{F:ou=People}}
312 that match the filter:
313 !import "allmail-en.png"; align="center"; title="Dynamic list for email aliases"
314 FT[align="Center"] Figure X.Y: Dynamic List for all emails
316 The configuration for a dynamic group is similar. Let's see an example which would
317 automatically populate an {{F:allusers}} group with all the user accounts in the
320 In {{F:slapd.conf}}(5):
322 > dynlist-attrset groupOfNames labeledURI member
324 Let's apply it to the following entry:
325 > cn=allusers,ou=group,dc=example,dc=com
327 > objectClass: groupOfNames
328 > labeledURI: ldap:///ou=people,dc=example,dc=com??one?(objectClass=inetOrgPerson)
330 The behavior is similar to the dynamic list configuration we had before:
331 whenever an entry with the {{F:groupOfNames}} object class is retrieved, the
332 search specified in the {{F:labeledURI}} attribute is performed. But this time,
333 only the distinguished names of the results are added, and as values of the
334 {{F:member}} attribute.
337 !import "allusersgroup-en.png"; align="center"; title="Dynamic group for all users"
338 FT[align="Center"] Figure X.Y: Dynamic Group for all users
340 Note that a side effect of this scheme of dynamic groups is that the members
341 need to be specified as full DNs. So, if you are planning in using this for
342 {{F:posixGroup}}s, be sure to use RFC2307bis and some attribute which can hold
343 distinguished names. The {{F:memberUid}} attribute used in the {{F:posixGroup}}
344 object class can hold only names, not DNs, and is therefore not suitable for
347 H2: Reverse Group Membership Maintenance
351 In some scenarios, it may be desirable for a client to be able to determine
352 which groups an entry is a member of, without performing an additional search.
353 Examples of this are applications using the {{TERM:DIT}} for access control
354 based on group authorization.
356 The {{B:memberof}} overlay updates an attribute (by default {{B:memberOf}}) whenever
357 changes occur to the membership attribute (by default {{B:member}}) of entries of the
358 objectclass (by default {{B:groupOfNames}}) configured to trigger updates.
360 Thus, it provides maintenance of the list of groups an entry is a member of,
361 when usual maintenance of groups is done by modifying the members on the group
364 H3: Member Of Configuration
366 The typical use of this overlay requires just enabling the overlay for a
367 specific database. For example, with the following minimal slapd.conf:
369 > include /usr/share/openldap/schema/core.schema
370 > include /usr/share/openldap/schema/cosine.schema
371 > modulepath /usr/lib/openldap
372 > moduleload memberof.la
373 > authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
374 > "cn=Manager,dc=example,dc=com"
376 > suffix "dc=example,dc=com"
377 > rootdn "cn=Manager,dc=example,dc=com"
379 > directory /var/lib/ldap2.4
381 > index objectClass eq
386 adding the following ldif:
389 > dn: dc=example,dc=com
390 > objectclass: domain
393 > dn: ou=Group,dc=example,dc=com
394 > objectclass: organizationalUnit
397 > dn: ou=People,dc=example,dc=com
398 > objectclass: organizationalUnit
401 > dn: uid=test1,ou=People,dc=example,dc=com
402 > objectclass: account
405 > dn: cn=testgroup,ou=Group,dc=example,dc=com
406 > objectclass: groupOfNames
408 > member: uid=test1,ou=People,dc=example,dc=com
410 Results in the following output from a search on the test1 user:
412 > # ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=example,dc=com memberOf
413 > SASL/EXTERNAL authentication started
414 > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
418 > dn: uid=test1,ou=People,dc=example,dc=com
419 > memberOf: cn=testgroup,ou=Group,dc=example,dc=com
421 Note that the {{B:memberOf}} attribute is an operational attribute, so it must be
422 requested explicitly.
425 H2: The Proxy Cache Engine
427 {{TERM:LDAP}} servers typically hold one or more subtrees of a
428 {{TERM:DIT}}. Replica (or shadow) servers hold shadow copies of
429 entries held by one or more master servers. Changes are propagated
430 from the master server to replica (slave) servers using LDAP Sync
431 replication. An LDAP cache is a special type of replica which holds
432 entries corresponding to search filters instead of subtrees.
436 The proxy cache extension of slapd is designed to improve the
437 responsiveness of the ldap and meta backends. It handles a search
439 by first determining whether it is contained in any cached search
440 filter. Contained requests are answered from the proxy cache's local
441 database. Other requests are passed on to the underlying ldap or
442 meta backend and processed as usual.
444 E.g. {{EX:(shoesize>=9)}} is contained in {{EX:(shoesize>=8)}} and
445 {{EX:(sn=Richardson)}} is contained in {{EX:(sn=Richards*)}}
447 Correct matching rules and syntaxes are used while comparing
448 assertions for query containment. To simplify the query containment
449 problem, a list of cacheable "templates" (defined below) is specified
450 at configuration time. A query is cached or answered only if it
451 belongs to one of these templates. The entries corresponding to
452 cached queries are stored in the proxy cache local database while
453 its associated meta information (filter, scope, base, attributes)
454 is stored in main memory.
456 A template is a prototype for generating LDAP search requests.
457 Templates are described by a prototype search filter and a list of
458 attributes which are required in queries generated from the template.
459 The representation for prototype filter is similar to {{REF:RFC4515}},
460 except that the assertion values are missing. Examples of prototype
461 filters are: (sn=),(&(sn=)(givenname=)) which are instantiated by
462 search filters (sn=Doe) and (&(sn=Doe)(givenname=John)) respectively.
464 The cache replacement policy removes the least recently used (LRU)
465 query and entries belonging to only that query. Queries are allowed
466 a maximum time to live (TTL) in the cache thus providing weak
467 consistency. A background task periodically checks the cache for
468 expired queries and removes them.
470 The Proxy Cache paper
471 ({{URL:http://www.openldap.org/pub/kapurva/proxycaching.pdf}}) provides
472 design and implementation details.
475 H3: Proxy Cache Configuration
477 The cache configuration specific directives described below must
478 appear after a {{EX:overlay proxycache}} directive within a
479 {{EX:"database meta"}} or {{EX:database ldap}} section of
480 the server's {{slapd.conf}}(5) file.
482 H4: Setting cache parameters
484 > proxyCache <DB> <maxentries> <nattrsets> <entrylimit> <period>
486 This directive enables proxy caching and sets general cache
487 parameters. The <DB> parameter specifies which underlying database
488 is to be used to hold cached entries. It should be set to
489 {{EX:bdb}} or {{EX:hdb}}. The <maxentries> parameter specifies the
490 total number of entries which may be held in the cache. The
491 <nattrsets> parameter specifies the total number of attribute sets
492 (as specified by the {{EX:proxyAttrSet}} directive) that may be
493 defined. The <entrylimit> parameter specifies the maximum number of
494 entries in a cacheable query. The <period> specifies the consistency
495 check period (in seconds). In each period, queries with expired
498 H4: Defining attribute sets
500 > proxyAttrset <index> <attrs...>
502 Used to associate a set of attributes to an index. Each attribute
503 set is associated with an index number from 0 to <numattrsets>-1.
504 These indices are used by the proxyTemplate directive to define
507 H4: Specifying cacheable templates
509 > proxyTemplate <prototype_string> <attrset_index> <TTL>
511 Specifies a cacheable template and the "time to live" (in sec) <TTL>
512 for queries belonging to the template. A template is described by
513 its prototype filter string and set of required attributes identified
519 An example {{slapd.conf}}(5) database section for a caching server
520 which proxies for the {{EX:"dc=example,dc=com"}} subtree held
521 at server {{EX:ldap.example.com}}.
524 > suffix "dc=example,dc=com"
525 > rootdn "dc=example,dc=com"
526 > uri ldap://ldap.example.com/
528 > proxycache bdb 100000 1 1000 100
529 > proxyAttrset 0 mail postaladdress telephonenumber
530 > proxyTemplate (sn=) 0 3600
531 > proxyTemplate (&(sn=)(givenName=)) 0 3600
532 > proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
535 > directory ./testrun/db.2.a
536 > index objectClass eq
537 > index cn,sn,uid,mail pres,eq,sub
540 H5: Cacheable Queries
542 A LDAP search query is cacheable when its filter matches one of the
543 templates as defined in the "proxyTemplate" statements and when it references
544 only the attributes specified in the corresponding attribute set.
545 In the example above the attribute set number 0 defines that only the
546 attributes: {{EX:mail postaladdress telephonenumber}} are cached for the following
551 > Filter: (&(sn=Richard*)(givenName=jack))
552 > Attrs: mail telephoneNumber
554 is cacheable, because it matches the template {{EX:(&(sn=)(givenName=))}} and its
555 attributes are contained in proxyAttrset 0.
557 > Filter: (&(sn=Richard*)(telephoneNumber))
560 is not cacheable, because the filter does not match the template,
561 nor is the attribute givenName stored in the cache
563 > Filter: (|(sn=Richard*)(givenName=jack))
564 > Attrs: mail telephoneNumber
566 is not cacheable, because the filter does not match the template ( logical
567 OR "|" condition instead of logical AND "&" )
570 H2: Password Policies
575 This overlay provides a variety of password control mechanisms,
576 e.g. password aging, password reuse and duplication control, mandatory
577 password resets, etc.
580 H3: Password Policy Configuration
583 H2: Referential Integrity
588 This overlay can be used with a backend database such as slapd-bdb(5)
589 to maintain the cohesiveness of a schema which utilizes reference
592 Whenever a {{modrdn}} or {{delete}} is performed, that is, when an entry's DN
593 is renamed or an entry is removed, the server will search the directory for
594 references to this DN (in selected attributes: see below) and update them
595 accordingly. If it was a {{delete}} operation, the reference is deleted. If it
596 was a {{modrdn}} operation, then the reference is updated with the new DN.
598 For example, a very common administration task is to maintain group membership
599 lists, specially when users are removed from the directory. When an
600 user account is deleted or renamed, all groups this user is a member of have to be
601 updated. LDAP administrators usually have scripts for that. But we can use the
602 {{F:refint}} overlay to automate this task. In this example, if the user is
603 removed from the directory, the overlay will take care to remove the user from
604 all the groups he/she was a member of. No more scripting for this.
606 H3: Referential Integrity Configuration
608 The configuration for this overlay is as follows:
610 > refint_attributes <attribute [attribute ...]>
611 > refint_nothing <string>
613 * {{F:refint_attributes}}: this parameter specifies a space separated list of
614 attributes which will have the referential integrity maintained. When an entry is
615 removed or has its DN renamed, the server will do an internal search for any of the
616 {{F:refint_attributes}} that point to the affected DN and update them accordingly. IMPORTANT:
617 the attributes listed here must have the {{F:distinguishedName}} syntax, that is,
619 * {{F:refint_nothing}}: some times, while trying to maintain the referential
620 integrity, the server has to remove the last attribute of its kind from an
621 entry. This may be prohibited by the schema: for example, the
622 {{F:groupOfNames}} object class requires at least one member. In these cases,
623 the server will add the attribute value specified in {{F:refint_nothing}}
626 To illustrate this overlay, we will use the group membership scenario.
630 > refint_attributes member
631 > refint_nothing "cn=admin,dc=example,dc=com"
633 This configuration tells the overlay to maintain the referential integrity of the {{F:member}}
634 attribute. This attribute is used in the {{F:groupOfNames}} object class which always needs
635 a member, so we add the {{F:refint_nothing}} directive to fill in the group with a standard
636 member should all the members vanish.
638 If we have the following group membership, the refint overlay will
639 automatically remove {{F:john}} from the group if his entry is removed from the
642 !import "refint.png"; align="center"; title="Group membership"
643 FT[align="Center"] Figure X.Y: Maintaining referential integrity in groups
645 Notice that if we rename ({{F:modrdn}}) the {{F:john}} entry to, say, {{F:jsmith}}, the refint
646 overlay will also rename the reference in the {{F:member}} attribute, so the group membership
649 If we removed all users from the directory who are a member of this group, then the end result
650 would be a single member in the group: {{F:cn=admin,dc=example,dc=com}}. This is the
651 {{F:refint_nothing}} parameter kicking into action so that the schema is not violated.
658 This overlay is useful to test the behavior of clients when
659 server-generated erroneous and/or unusual responses occur.
662 H3: Return Code Configuration
670 It performs basic DN/data rewrite and
671 objectClass/attributeType mapping.
674 H3: Rewrite/Remap Configuration
682 This overlay implements the provider-side support for syncrepl
683 replication, including persistent search functionality
686 H3: Sync Provider Configuration
689 H2: Translucent Proxy
694 This overlay can be used with a backend database such as slapd-bdb (5)
695 to create a "translucent proxy".
697 Content of entries retrieved from a remote LDAP server can be partially
698 overridden by the database.
701 H3: Translucent Proxy Configuration
704 H2: Attribute Uniqueness
709 This overlay can be used with a backend database such as slapd-bdb (5)
710 to enforce the uniqueness of some or all attributes within a subtree.
713 H3: Attribute Uniqueness Configuration
721 This overlay can be used to enforce a specific order for the values
722 of an attribute when it is returned in a search.
725 H3: Value Sorting Configuration
734 H3: Example Scenarios