slapo-unique(5) — Linux manual page


SLAPO-UNIQUE(5)              File Formats Manual             SLAPO-UNIQUE(5)

NAME         top

       slapo-unique - Attribute Uniqueness overlay to slapd

SYNOPSIS         top


DESCRIPTION         top

       The Attribute Uniqueness overlay can be used with a backend database
       such as slapd-mdb(5) to enforce the uniqueness of some or all
       attributes within a scope. This subtree defaults to all objects
       within the subtree of the database for which the Uniqueness overlay
       is configured.

       Uniqueness is enforced by searching the subtree to ensure that the
       values of all attributes presented with an add, modify or modrdn
       operation are unique within the scope.  For example, if uniqueness
       were enforced for the uid attribute, the subtree would be searched
       for any other records which also have a uid attribute containing the
       same value. If any are found, the request is rejected.

       The search is performed using the rootdn of the database, to avoid
       issues with ACLs preventing the overlay from seeing all of the
       relevant data. As such, the database must have a rootdn configured.


       These slapd.conf options apply to the Attribute Uniqueness overlay.
       They should appear after the overlay directive.

       unique_uri <[strict ][ignore ][serialize ]URI[URI...]...>
              Configure the base, attributes, scope, and filter for
              uniqueness checking.  Multiple URIs may be specified within a
              domain, allowing complex selections of objects.  Multiple
              unique_uri statements or olcUniqueURI attributes will create
              independent domains, each with their own independent lists of
              URIs and ignore/strict settings.

              Keywords strict, ignore, and serialize have to be enclosed in
              quotes (") together with the URI.

              The LDAP URI syntax is a subset of RFC-4516, and takes the

              ldap:///[base dn]?[attributes...]?scope[?filter]

              The base dn defaults to that of the back-end database.
              Specified base dns must be within the subtree of the back-end

              If no attributes are specified, the URI applies to all non-
              operational attributes.

              The scope component is effectively mandatory, because LDAP
              URIs default to base scope, which is not valid for uniqueness,
              because groups of one object are always unique.  Scopes of sub
              (for subtree) and one for one-level are valid.

              The filter component causes the domain to apply uniqueness
              constraints only to matching objects.  e.g.
              ldap:///?cn?sub?(sn=e*) would require unique cn attributes for
              all objects in the subtree of the back-end database whose sn
              starts with an e.

              It is possible to assert uniqueness upon all non-operational
              attributes except those listed by prepending the keyword
              ignore If not configured, all non-operational (e.g., system)
              attributes must be unique. Note that the attributes list of an
              ignore URI should generally contain the objectClass, dc, ou
              and o attributes, as these will generally not be unique, nor
              are they operational attributes.

              It is possible to set strict checking for the uniqueness
              domain by prepending the keyword strict.  By default,
              uniqueness is not enforced for null values. Enabling strict
              mode extends the concept of uniqueness to include null values,
              such that only one attribute within a subtree will be allowed
              to have a null value.  Strictness applies to all URIs within a
              uniqueness domain, but some domains may be strict while others
              are not.

              It is possible to enforce strict serialization of
              modifications by prepending the keyword serialize.  By
              default, no serialization is performed, so multiple
              modifications occurring nearly simultaneously may see
              incomplete uniqueness results.  Using serialize will force
              individual write operations to fully complete before allowing
              any others to proceed, to ensure that each operation's
              uniqueness checks are consistent.

       It is not possible to set both URIs and legacy slapo-unique
       configuration parameters simultaneously. In general, the legacy
       configuration options control pieces of a single unfiltered subtree

       unique_base <basedn>
              This legacy configuration parameter should be converted to the
              base dn component of the above unique_uri style of parameter.

       unique_ignore <attribute...>
              This legacy configuration parameter should be converted to a
              unique_uri parameter with ignore keyword as described above.

       unique_attributes <attribute...>
              This legacy configuration parameter should be converted to a
              unique_uri parameter, as described above.

       unique_strict <attribute...>
              This legacy configuration parameter should be converted to a
              strict keyword prepended to a unique_uri parameter, as
              described above.

CAVEATS         top

       unique_uri cannot be used with the old-style of configuration, and
       vice versa.  unique_uri can implement everything the older system can
       do, however.

       Typical attributes for the ignore ldap:///...  URIs are intentionally
       not hardcoded into the overlay to allow for maximum flexibility in
       meeting site-specific requirements.

       Replication and operations with the relax control are allowed to
       bypass this enforcement. It is therefore important that all servers
       accepting writes have this overlay configured in order to maintain
       uniqueness in a replicated DIT.

FILES         top

              default slapd configuration file

SEE ALSO         top

       slapd.conf(5), slapd-config(5).

COLOPHON         top

       This page is part of the OpenLDAP (an open source implementation of
       the Lightweight Directory Access Protocol) project.  Information
       about the project can be found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This page was obtained from the
       project's upstream Git repository
       ⟨⟩ on 2020-11-01.  (At
       that time, the date of the most recent commit that was found in the
       repository was 2020-10-30.)  If you discover any rendering problems
       in this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or im‐
       provements to the information in this COLOPHON (which is not part of
       the original manual page), send a mail to

OpenLDAP LDVERSION               RELEASEDATE                 SLAPO-UNIQUE(5)

Pages that refer to this page: slapd.overlays(5)