X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fslapo-unique.5;h=e5c553911ba9d495bc8958181dc037b037b2459d;hb=113538806ffcdd83da45ad39d0ab54d515ffb1ae;hp=93618b3d7af0a4414a322a7b4dd39abf1c00d835;hpb=d9958cbdbe7d0f8de7da45f114bb4131530f63d2;p=openldap diff --git a/doc/man/man5/slapo-unique.5 b/doc/man/man5/slapo-unique.5 index 93618b3d7a..e5c553911b 100644 --- a/doc/man/man5/slapo-unique.5 +++ b/doc/man/man5/slapo-unique.5 @@ -1,14 +1,14 @@ .TH SLAPO-UNIQUE 5 "RELEASEDATE" "OpenLDAP LDVERSION" -.\" Copyright 2004-2007 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 2004-2012 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME -slapo-unique \- Attribute Uniqueness overlay +slapo\-unique \- Attribute Uniqueness overlay to slapd .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION The Attribute Uniqueness overlay can be used with a backend database such as -.BR slapd-bdb (5) +.BR slapd\-bdb (5) to enforce the uniqueness of some or all attributes within a scope. This subtree defaults to all objects within the subtree of the database for which the Uniqueness overlay is configured. @@ -27,6 +27,10 @@ have a .B uid attribute containing the same value. If any are found, the request is rejected. +.LP +The search is performed using the rootdn of the database, to avoid issues +with ACLs preventing the overlay from seeing all of the relevant data. As +such, the database must have a rootdn configured. .SH CONFIGURATION These .B slapd.conf 
@@ -37,11 +41,19 @@ directive. .TP .B unique_uri <[strict ][ignore ]URI[URI...]...> Configure the base, attributes, scope, and filter for uniqueness -checking. Multiple URIs may be specified within a domain, allowing complex selections of objects. Multiple +checking. Multiple URIs may be specified within a domain, +allowing complex selections of objects. Multiple .B unique_uri statements or .B olcUniqueURI -attributes will create independent domains, each with their own independent lists of URIs and ignore/strict settings. +attributes will create independent domains, each with their own +independent lists of URIs and ignore/strict settings. + +Keywords +.B strict +and +.B ignore +have to be enclosed in quotes (") together with the URI. The LDAP URI syntax is a subset of .B RFC-4516, @@ -51,7 +63,8 @@ ldap:///[base dn]?[attributes...]?scope[?filter] The .B base dn -defaults to that of the back-end database. Specified base dns must be within the subtree of the back-end database. +defaults to that of the back-end database. +Specified base dns must be within the subtree of the back-end database. If no .B attributes @@ -82,7 +95,7 @@ starts with an e. It is possible to assert uniqueness upon all non-operational attributes except those listed by prepending the keyword .B ignore -If not configured, all non-operational (eg, system) attributes must be +If not configured, all non-operational (e.g., system) attributes must be unique. Note that the .B attributes list of an 
@@ -107,7 +120,9 @@ that only one attribute within a subtree will be allowed to have a null value. Strictness applies to all URIs within a uniqueness domain, but some domains may be strict while others are not. .LP -It is not possible to set both URIs and legacy slapo-unique configuration parameters simultaneously. In general, the legacy configuration options control pieces of a single unfiltered subtree domain. +It is not possible to set both URIs and legacy slapo\-unique configuration +parameters simultaneously. In general, the legacy configuration options +control pieces of a single unfiltered subtree domain. .TP .B unique_base This legacy configuration parameter should be converted to the @@ -128,7 +143,7 @@ This legacy configuration parameter should be converted to a .B unique_uri parameter, as described above. .TP -.B unique_strict +.B unique_strict This legacy configuration parameter should be converted to a .B strict keyword prepended to a @@ -145,9 +160,16 @@ Typical attributes for the .B ignore ldap:///... URIs are intentionally not hardcoded into the overlay to allow for maximum flexibility in meeting site-specific requirements. +.LP +Replication and operations with +.B manageDsaIt +control are allowed to bypass this enforcement. It is therefore important that +all servers accepting writes have this overlay configured in order to maintain +uniqueness in a replicated DIT. .SH FILES .TP ETCDIR/slapd.conf default slapd configuration file .SH SEE ALSO -.BR slapd.conf (5). +.BR slapd.conf (5), +.BR slapd\-config (5).
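Review bot: In the @@ -27,6 +27,10 @@ hunk, the new paragraph says "the database must have a rootdn configured" but not what happens when it is missing. State whether slapd rejects the configuration or whether the uniqueness search fails at write time, so an administrator can tell a misconfiguration from a constraint that is silently not enforced. Because the search runs as the rootdn and is not limited by ACLs, the same paragraph should also note that a rejected write tells the writer that the value exists somewhere in the scope, including in entries that writer cannot read.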
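Review bot: In the @@ -37,11 +41,19 @@ hunk, the added rule that strict and ignore "have to be enclosed in quotes (") together with the URI" is not reflected in the unchanged synopsis line ".B unique_uri <[strict ][ignore ]URI[URI...]...>", which still shows the keywords unquoted. Update the synopsis or add a one-line example of a quoted value, and say whether the rule also applies to olcUniqueURI values. As a style point, the context line ".B RFC-4516," keeps an unescaped hyphen while this patch escapes hyphens elsewhere (slapo\-unique, slapd\-bdb).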
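Review bot: In the @@ -82,7 +95,7 @@ hunk, changing "eg" to "e.g.," leaves the parenthetical in "all non-operational (e.g., system) attributes" reading as if system attributes were an example of non-operational ones. If "system" is meant to gloss the operational attributes that are excluded, reword the sentence so the exclusion is explicit. The preceding context line ".B ignore" also ends its sentence without a period, so the rendered text runs "the keyword ignore If not configured".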
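Review bot: In the @@ -145,9 +160,16 @@ hunk, the new paragraph gives guidance for the replication bypass ("all servers accepting writes have this overlay configured") but none for the manageDsaIt bypass. As written, any write carrying that control skips the uniqueness check, so the page should say whether use of the control is limited to particular identities and how an administrator should restrict it where uniqueness is relied on, for example for the uid attribute mentioned earlier in the page. Splitting the two cases into separate sentences would also make it clearer that the "all servers" advice addresses replication only.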