From 9fa3637dcddbf1d3de8a098fb416d62837b58f5a Mon Sep 17 00:00:00 2001 From: Gavin Henry Date: Mon, 24 Nov 2008 17:29:53 +0000 Subject: [PATCH] Unique overlay example. Only rwm left to do. --- doc/guide/admin/aspell.en.pws | 95 +++++++++++++++++++---------------- doc/guide/admin/overlays.sdf | 50 +++++++++++++++++- 2 files changed, 100 insertions(+), 45 deletions(-) diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws index 327032544b..fc9a55a0b0 100644 --- a/doc/guide/admin/aspell.en.pws +++ b/doc/guide/admin/aspell.en.pws @@ -1,4 +1,4 @@ -personal_ws-1.1 en 1675 +personal_ws-1.1 en 1682 commonName bla Masarati @@ -6,8 +6,8 @@ subjectAltName api usnCreated BhY -olcSyncRepl olcSyncrepl +olcSyncRepl adamsom adamson CER @@ -26,6 +26,7 @@ BNF TLSEphemeralDHParamFile ppolicy ASN +gavin ava Chu del @@ -39,8 +40,8 @@ DIB dev reqNewSuperior librewrite -memberof memberOf +memberof BSI updateref buf @@ -91,8 +92,8 @@ dlopen eng AttributeValue attributevalue -DUA EOF +DUA inputfile DSP refreshDone @@ -128,10 +129,10 @@ iff contextCSN auditModify auditSearch -OpenLDAP openldap -resultcode +OpenLDAP resultCode +resultcode sysconfig indices blen @@ -171,13 +172,13 @@ argv kdz notAllowedOnRDN hostport -StartTLS starttls +StartTLS ldb servercredp ldd -IPv ipv +IPv hyc joe bindmethods @@ -209,8 +210,8 @@ libpath acknowledgements jts createTimestamp -MIB LLL +MIB OpenSSL openssl LOF @@ -250,10 +251,10 @@ Subbarao aeeiib oidlen submatches -PEM olc -OLF +PEM PDU +OLF LDAPSchemaExtensionItem auth Pierangelo @@ -269,10 +270,11 @@ cleartext numattrsets requestDN caseExactSubstringsMatch -NSS PKI +NSS olcSyncProvConfig ple +jones NTP auditModRDN checkpointing @@ -293,9 +295,9 @@ rdn wZFQrDD OTP olcSizeLimit -PRD -sbi pos +sbi +PRD pre sudoadm stringal @@ -315,8 +317,8 @@ bvec HtZhZS TBC stringbv -SHA Sep +SHA ptr conn pwd @@ -333,8 +335,8 @@ myOID supportedSASLMechanism supportedSASLmechanism realnamingcontext -UCD SMD +UCD keytab portnumber uncached 
@@ -347,8 +349,8 @@ sasldb UCS searchDN keytbl -UDP tgz +UDP freemods prepend nssov @@ -366,22 +368,23 @@ crit objectClassViolation ssf ldapfilter -vec -TOC rwm +TOC +vec pwdChangedTime tls peernamestyle xpasswd -SRP tmp +SRP SSL dupbv CPUs +itsupport SRV entrymods -sss rwx +sss reqNewRDN nopresent rebindproc @@ -444,8 +447,8 @@ pseudorootdn MezRroT GDBM LIBRELEASE -DSA's DSAs +DSA's realloc booleanMatch compareTrue @@ -505,8 +508,8 @@ pwdMinLength iZ ldapdelete xyz -rdbms RDBMs +rdbms extparam mk ng @@ -571,8 +574,8 @@ ZZ LDVERSION testAttr backend -backends backend's +backends BerValues Solaris structs @@ -584,9 +587,9 @@ ostring policyDN testObject pwdMaxAge -binddn -bindDN bindDn +bindDN +binddn distributedOperation schemachecking strvals @@ -606,8 +609,8 @@ UMLDAP searchResultDone MAXLEN pwdInHistory -reqAttrsOnly realtime +reqAttrsOnly sysconfdir searchResultReference olcAttributeTypes @@ -624,20 +627,21 @@ dynstyle bindpw AUTHNAME UniqueName +blahblah saslmech pthreads IEEE regex SIGINT slappasswd -errABsObject errAbsObject +errABsObject ldapexop -objectIdentifier objectidentifier +objectIdentifier deallocators -mirrormode MirrorMode +mirrormode loopDetect SIGHUP authMethodNotSupported @@ -654,8 +658,8 @@ filtercomp expr syntaxes memrealloc -returncode returnCode +returncode OpenLDAP's exts bitstringa @@ -679,8 +683,8 @@ lastName lldap cachesize slapauth -attributeType attributetype +attributeType GSER olcDbNosync typedef @@ -697,11 +701,12 @@ monitoredObject TLSVerifyClient noidlen LDAPNOINIT -pwdGraceAuthnLimit +henry pwdGraceAuthNLimit +pwdGraceAuthnLimit hnPk -userpassword userPassword +userpassword noanonymous LIBVERSION symas @@ -720,9 +725,9 @@ IMAP organisations rewriteMap monitoredInfo -modrDN -ModRDN modrdn +ModRDN +modrDN HREF DQTxCYEApdUtNXGgdUac inline @@ -737,8 +742,8 @@ reqReferral rlookups siiiib LTSTATIC -timelimitExceeded timeLimitExceeded +timelimitExceeded XKYnrjvGT subtrees unixODBC 
@@ -750,8 +755,8 @@ reqDN dnstyle inet schemas -pwdPolicySubentry pwdPolicySubEntry +pwdPolicySubentry reqId backsql scanf @@ -780,6 +785,7 @@ html GCmfuqEvm multimaster testrun +olcUniqueURI rewriteEngine slapdindex LTFINISH @@ -1090,8 +1096,8 @@ noop errObject XXLIBS reqAssertion -nops PDUs +nops baseObject bvecadd perl @@ -1504,6 +1510,7 @@ URL's urls olcAuditLogConfig reqMod +joebloggs pwdHistory entryTtl olcIdleTimeout @@ -1599,12 +1606,12 @@ jpegPhoto supportedSASLMechanisms ACLs reqMethod -authzId -authzid authzID +authzid +authzId hasSubordintes -proxyCache proxycache +proxyCache slaptest olcLogLevel LDAPDN @@ -1629,8 +1636,8 @@ wBDARESEhgVG multi aaa ldaprc -UpdateDN updatedn +UpdateDN LDAPBASE LDAPAPIFeatureInfo authzTo @@ -1671,6 +1678,6 @@ ali attributeoptions BfQ uidNumber -CA's CAs +CA's namingContext diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf index c6078f7ddb..7e10acbcfa 100644 --- a/doc/guide/admin/overlays.sdf +++ b/doc/guide/admin/overlays.sdf 
@@ -1268,12 +1268,60 @@ H2: Attribute Uniqueness
 H3: Overview
-This overlay can be used with a backend database such as slapd-bdb (5)
+This overlay can be used with a backend database such as {{slapd-bdb(5)}}
 to enforce the uniqueness of some or all attributes within a subtree.
 H3: Attribute Uniqueness Configuration
+This overlay is only effective on new data from the point the overlay is enabled. To
+check uniqueness for existing data, you can export and import your data again via the
+LDAP Add operation, which will not be suitable for large amounts of data, unlike {{B:slapcat}}.
+
+For the following example, if uniqueness were enforced for the {{B:mail}} attribute,
+the subtree would be searched for any other records which also have a {{B:mail}} attribute
+containing the same value presented with an {{B:add}}, {{B:modify}} or {{B:modrdn}} operation
+which are unique within the configured scope. If any are found, the request is rejected.
+
+Note: If no attributes are specified, for example {{B:ldap:///??sub?}}, then the URI applies to all non-operational attributes. However,
+the keyword {{B:ignore}} can be specified to exclude certain non-operational attributes.
+
+To search at the base dn of the current backend database ensuring uniqueness of the {{B:mail}}
+attribute, we simply do:
+
+> overlay unique
+> unique_uri ldap:///?mail?sub?
+
+For an existing entry of:
+
+> dn: cn=gavin,dc=suretecsystems,dc=com
+> objectClass: top
+> objectClass: inetorgperson
+> cn: gavin
+> sn: henry
+> mail: ghenry@suretecsystems.com
+
+and we then try to add a new entry of:
+
+> dn: cn=robert,dc=suretecsystems,dc=com
+> objectClass: top
+> objectClass: inetorgperson
+> cn: robert
+> sn: jones
+> mail: ghenry@suretecsystems.com
+
+would result in an error like so:
+
+> adding new entry "cn=robert,dc=example,dc=com"
+> ldap_add: Constraint violation (19)
+> additional info: some attributes not unique
+
+The overlay can have multiple URIs specified within a domain, allowing complex
+selections of objects and also have multiple {{B:unique_uri}} statements or
+{{B:olcUniqueURI}} attributes which will create independent domains.
+
+For more information and details about the {{B:strict}} and {{B:ignore}} keywords,
+please see the {{:slapo-unique(5)}} man page.
 H3: Further Information
-- 
2.39.5