Show Table of Contents
Chapter 7. Managing Attributes and Values
Red Hat Directory Server provides several different mechanisms for dynamically and automatically maintaining some types of attributes on directory entries. These plug-ins and configuration options simplify managing directory data and expressing relationships between entries.
Part of the characteristic of entries are their relationships to each other. Obviously, a manager has an employee, so those two entries are related. Groups are associated with their members. There are less apparent relationships, too, like between entries which share a common physical location.
Red Hat Directory Server provides several different ways that these relationships between entries can be maintained smoothly and consistently. There are several plug-ins can apply or generate attributes automatically as part of the data within the directory, including classes of service, linking attributes, and generating unique numeric attribute values.
7.1. Enforcing Attribute Uniqueness
To ensure that the value of an attribute is unique across the directory or subtree, use the Attribute Uniqueness plug-in.
If you want multiple attributes to be unique or if you want to use different conditions, create multiple configuration records of the plug-in.
7.1.1. Creating a New Configuration Record of the Attribute Uniqueness Plug-in
For each attribute whose values must be unique, create a new configuration record of the Attribute Uniqueness plug-in.
Note
You can only create a new configuration record of the plug-in from the command line.
To create a new unconfigured and disabled configuration record of the plug-in named
Example Attribute Uniqueness:
# ldapadd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=Example Attribute Uniqueness,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Example Attribute Uniqueness nsslapd-pluginPath: libattr-unique-plugin nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: betxnpreoperation nsslapd-pluginEnabled: off nsslapd-plugin-depends-on-type: database nsslapd-pluginId: NSUniqueAttr nsslapd-pluginVersion: none nsslapd-pluginVendor: 389 Project nsslapd-pluginDescription: Enforce unique attribute values uniqueness-attribute-name: uid
7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees
You can configure the Attribute Uniqueness plug-in to ensure that values of an attribute are unique in certain suffixes, subtrees, or over suffixes and subtrees.
7.1.2.1. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Command Line
To configure, for example, that values stored in
mail attributes are unique:
- Create a new configuration record of the Attribute Uniqueness plug-in named, for example,
mail Attribute Uniqueness. For details, see Section 7.1.1, “Creating a New Configuration Record of the Attribute Uniqueness Plug-in”. - Enable the plug-in configuration record and configure that values stored in
mailattributes must be unique inside, for example, theou=Engineering,dc=example,dc=comandou=Sales,dc=example,dc=comsubtrees:# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on - add: uniqueness-attribute-name uniqueness-attribute-name: mail - add: uniqueness-subtrees uniqueness-subtrees: ou=Engineering,dc=example,dc=com uniqueness-subtrees: ou=Sales,dc=example,dc=com
- Optionally, to configure uniqueness across all subtrees configured in this plug-in configuration record:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config changetype: modify add: uniqueness-across-all-subtrees uniqueness-across-all-subtrees: on
- Restart the instance:
# systemctl restart dirsrv@instance_name
7.1.2.2. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Console
To configure, for example, that values stored in
mail attributes are unique:
- Create a new configuration record of the Attribute Uniqueness plug-in. See Section 7.1.1, “Creating a New Configuration Record of the Attribute Uniqueness Plug-in”.
- Open the Property Editor in the plug-in configuration record's configuration. For details, see Section 1.9.3.2, “Configuring Plug-ins using the Console”.
- To enable the plug-in, set:
nsslapd-pluginEnabled: on
- Set that the
mailattribute must be unique:uniqueness-attribute-name: mail
- Set the subtrees in which the attribute's value must be unique:
uniqueness-subtrees: ou=Engineering,dc=example,dc=com uniqueness-subtrees: ou=Sales,dc=example,dc=com
Select the value field of theuniqueness-subtreesattribute and click the button to add the seconduniqueness-subtreesattribute. - Optionally, to configure uniqueness across all subtrees configured in this plug-in configuration record, add the
uniqueness-across-all-subtreesattribute and set it toon:uniqueness-across-all-subtrees: on
- Click to close the Property Editor
- Restart the Directory Server instance. See Section 1.4.2, “Starting and Stopping a Directory Server Instance Using the Console”.
7.1.3. Configuring Attribute Uniqueness over Object Classes
You can configure the Attribute Uniqueness plug-in to ensure that values of an attribute are unique in subtree entries that contain a specific object class. Directory Server searches for this object class in the parent entry of the updated object. If Directory Server did not find the object class, the search continues at the next higher level entry up to the root of the directory tree. If the object class was found, Directory Server verifies that the value of the attribute set in
uniqueness-attribute-name is unique in this subtree.
Note
You can configure this scenario only using the command line.
To configure, for example, that values stored in
mail attributes are unique under the entry that contains the nsContainer object class:
- Create a new configuration record of the Attribute Uniqueness plug-in named, for example,
mail Attribute Uniqueness. For details, see Section 7.1.1, “Creating a New Configuration Record of the Attribute Uniqueness Plug-in”. - Enable the plug-in configuration record and configure that values stored in
mailattributes must be unique under the entry that contains thensContainerobject class:# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on - add: uniqueness-top-entry-oc uniqueness-top-entry-oc: nsContainer
- Optionally, you can limit the scope of objects being checked. If you want the server to check only a subset of entries under the entry that contains the
nsContainerobject class, set an additional object class in theuniqueness-subtree-entries-ocparameter. This additional class will also have to be present.For example, themailattribute must be unique in all entries under the entry that contains thensContainerobject class set. However, you want that the plug-in only searches themailin entries that contain a object class that provides this attribute, such asinetOrgPerson. In this situation enter:# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config add: uniqueness-subtree-entries-oc uniqueness-subtree-entries-oc: inetOrgPerson
- Restart the instance:
# systemctl restart dirsrv@instance_name
7.1.4. Attribute Uniqueness Plug-in Configuration Parameters
To configure an Attribute Uniqueness plug-in configuration record, set the plug-in's configuration attributes in the
cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config entry.
You can configure this plug-in using the new plug-in-specific attribute names (Example 7.1, “Attribute Uniqueness Plug-in Configuration Using Plug-in-specific Attributes”) or using the deprecated
nsslapd-plugarg* attributes (Example 7.2, “Attribute Uniqueness Plug-in Configuration Using nsslapd-pluginarg* Attributes”).
Important
Red Hat recommends using only the plug-in-specific attribute names to configure the Attribute Uniqueness plug-in.
Example 7.1. Attribute Uniqueness Plug-in Configuration Using Plug-in-specific Attributes
dn: cn=Example Attribute Uniqueness,cn=plugins,cn=config nsslapd-pluginEnabled: on uniqueness-attribute-name: attribute_name uniqueness-top-entry-oc: objectclass1 uniqueness-subtree-entries-oc: objectclass2
Example 7.2. Attribute Uniqueness Plug-in Configuration Using nsslapd-pluginarg* Attributes
dn: cn=Example Attribute Uniqueness,cn=plugins,cn=config nsslapd-pluginEnabled: on nsslapd-pluginarg0: attribute=mail nsslapd-pluginarg1: markerObjectClass=objectclass1 nsslapd-pluginarg2: requiredObjectClass=objectclass2
Table 7.1. Attribute Uniqueness Plug-in Configuration Parameters
| Parameter | New or Old Syntax | Definition |
|---|---|---|
cn | Both | Sets the name of the Attribute Uniqueness plug-in configuration record. You can use any string, but Red Hat recommends naming the configuration record attribute_name Attribute Uniqueness. |
nsslapd-pluginEnabled | Both | Enables (on) or disables (off) the plug-in configuration record. |
uniqueness-attribute-name | New | Sets the name of the attribute whose values must be unique. This attribute is multi-valued. |
uniqueness-subtrees | New | Sets the DN under which the plug-in checks for uniqueness of the attribute's value. This attribute is multi-valued. |
uniqueness-across-all-subtrees | New | If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry. |
uniqueness-top-entry-oc | New | Directory Server searches this object class in the parent entry of the updated object. If it was not found, the search continues at the next higher level entry up to the root of the directory tree. If the object class was found, Directory Server verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree. |
uniqueness-subtree-entries-oc | New | Optionally, when using the uniqueness-top-entry-oc parameter, you can configure that the Attribute Uniqueness plug-in only verifies if an attribute is unique, if the entry contains the object class set in this parameter. For details, see Section 7.1.3, “Configuring Attribute Uniqueness over Object Classes”. |
nsslapd-pluginarg0 | Old |
The plug-in-specific attribute equivalent of this
nsslapd-pluginarg* parameter is uniqueness-attribute-name. See this parameter for a description.
Set the attribute to
attribute=attribute_name.
|
nsslapd-pluginarg[1-9] | Old |
The plug-in-specific attribute equivalent of this
nsslapd-pluginarg* parameter is uniqueness-top-entry-oc. See this parameter for a description.
Set the attribute to
markerObjectClass=object_class.
|
nsslapd-pluginarg[1-9] | Old |
The equivalent plug-in-specific attribute is
uniqueness-subtree-entries-oc. See this parameter for a description.
Set the attribute to
requiredObjectClass=object_class.
|
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.