Chapter 7. Managing Attributes and Values

Red Hat Directory Server provides several different mechanisms for dynamically and automatically maintaining some types of attributes on directory entries. These plug-ins and configuration options simplify managing directory data and expressing relationships between entries.
Part of what characterizes an entry is its relationships to other entries. Obviously, a manager has employees, so those entries are related. Groups are associated with their members. There are less apparent relationships, too, such as between entries that share a common physical location.
Red Hat Directory Server provides several ways to maintain these relationships smoothly and consistently. Several plug-ins can apply or generate attributes automatically as part of the data within the directory, including classes of service, linking attributes, and generating unique numeric attribute values.

7.1. Enforcing Attribute Uniqueness

To ensure that the value of an attribute is unique across the directory or a subtree, use the Attribute Uniqueness plug-in. It is a back-end transaction pre-operation plug-in: it rejects an add, modify, or modrdn operation that would give a second entry in the configured scope the same value, and the client receives a constraint violation error. Two limits matter when you rely on it, for example to keep uid or mail values unambiguous for authentication and access control: the plug-in does not examine entries that already exist, so audit for duplicates before enabling it, and it does not check replicated operations, so concurrent adds of the same value on different suppliers in a multi-supplier topology are not prevented.
If you want multiple attributes to be unique, or if you want to use different conditions for them, create multiple configuration records of the plug-in.

7.1.1. Creating a New Configuration Record of the Attribute Uniqueness Plug-in

For each attribute whose values must be unique, create a new configuration record of the Attribute Uniqueness plug-in.

Note

You can only create a new configuration record of the plug-in from the command line.
To create a disabled, not yet fully configured record of the plug-in named Example Attribute Uniqueness (the uniqueness-attribute-name value below is a placeholder; set it to the attribute you need, or replace it when you configure the record):
# ldapadd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=Example Attribute Uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Example Attribute Uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginEnabled: off
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: none
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
uniqueness-attribute-name: uid

7.1.2. Configuring Attribute Uniqueness over Suffixes or Subtrees

You can configure the Attribute Uniqueness plug-in to ensure that values of an attribute are unique in certain suffixes, subtrees, or over suffixes and subtrees.

7.1.2.1. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Command Line

To configure, for example, that values stored in mail attributes are unique:
  1. Create a new configuration record of the Attribute Uniqueness plug-in named, for example, mail Attribute Uniqueness. For details, see Section 7.1.1, “Creating a New Configuration Record of the Attribute Uniqueness Plug-in”.
  2. Enable the plug-in configuration record and configure that values stored in mail attributes must be unique inside, for example, the ou=Engineering,dc=example,dc=com and ou=Sales,dc=example,dc=com subtrees. Use replace for uniqueness-attribute-name so that the uid placeholder from the record created in Section 7.1.1 does not remain in place as a second value alongside mail:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
    -
    replace: uniqueness-attribute-name
    uniqueness-attribute-name: mail
    -
    add: uniqueness-subtrees
    uniqueness-subtrees: ou=Engineering,dc=example,dc=com
    uniqueness-subtrees: ou=Sales,dc=example,dc=com
  3. Optionally, to enforce uniqueness across all subtrees configured in this plug-in configuration record, so that a mail value used in ou=Engineering,dc=example,dc=com cannot be reused in ou=Sales,dc=example,dc=com (by default, a value only has to be unique within the subtree of the updated entry):
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config
    changetype: modify
    add: uniqueness-across-all-subtrees
    uniqueness-across-all-subtrees: on
  4. Restart the instance:
    # systemctl restart dirsrv@instance_name

7.1.2.2. Configuring Attribute Uniqueness over Suffixes or Subtrees Using the Console

To configure, for example, that values stored in mail attributes are unique:
  1. Create a new configuration record of the Attribute Uniqueness plug-in. See Section 7.1.1, “Creating a New Configuration Record of the Attribute Uniqueness Plug-in”.
  2. Open the Property Editor in the plug-in configuration record's configuration. For details, see Section 1.9.3.2, “Configuring Plug-ins using the Console”.
  3. To enable the plug-in, set:
    nsslapd-pluginEnabled: on
  4. Set that the mail attribute must be unique:
    uniqueness-attribute-name: mail
  5. Set the subtrees in which the attribute's value must be unique:
    uniqueness-subtrees: ou=Engineering,dc=example,dc=com
    uniqueness-subtrees: ou=Sales,dc=example,dc=com
    Select the value field of the uniqueness-subtrees attribute and click the Add Value button to add the second uniqueness-subtrees attribute.
  6. Optionally, to configure uniqueness across all subtrees configured in this plug-in configuration record, add the uniqueness-across-all-subtrees attribute and set it to on:
    uniqueness-across-all-subtrees: on
  7. Click OK to close the Property Editor.

7.1.3. Configuring Attribute Uniqueness over Object Classes

You can configure the Attribute Uniqueness plug-in to ensure that values of an attribute are unique in subtree entries that contain a specific object class. Directory Server searches for this object class in the parent entry of the updated object. If Directory Server did not find the object class, the search continues at the next higher level entry up to the root of the directory tree. If the object class was found, Directory Server verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree.

Note

You can configure this scenario only using the command line.
To configure, for example, that values stored in mail attributes are unique under the entry that contains the nsContainer object class:
  1. Create a new configuration record of the Attribute Uniqueness plug-in named, for example, mail Attribute Uniqueness. For details, see Section 7.1.1, “Creating a New Configuration Record of the Attribute Uniqueness Plug-in”.
  2. Enable the plug-in configuration record and configure that values stored in mail attributes must be unique under the entry that contains the nsContainer object class:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
    -
    add: uniqueness-top-entry-oc
    uniqueness-top-entry-oc: nsContainer
  3. Optionally, limit the set of entries that the plug-in checks. To have the server compare only a subset of the entries under the entry that contains the nsContainer object class, set an additional object class in the uniqueness-subtree-entries-oc parameter. Both the updated entry and the entries it is compared against must contain this additional class.
    For example, the mail attribute must be unique in all entries under the entry that contains the nsContainer object class, but you want the plug-in to compare mail values only in entries with an object class that provides this attribute, such as inetOrgPerson. In this case, enter:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
    
    dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config
    changetype: modify
    add: uniqueness-subtree-entries-oc
    uniqueness-subtree-entries-oc: inetOrgPerson
  4. Restart the instance:
    # systemctl restart dirsrv@instance_name
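The scoping rules in this section and in Section 7.1.2 are easier to reason about when you can run them against sample data. The following Python model is an added example, not code from Red Hat Directory Server or the 389 Directory Server project. It reproduces the decisions the text describes for uniqueness-subtrees, uniqueness-across-all-subtrees, uniqueness-top-entry-oc and uniqueness-subtree-entries-oc against a small constructed directory, and adds a find_existing_duplicates() audit for the values the plug-in never re-checks. The directory contents, the entry and function names, and the assumption that mail values compare case-insensitively are mine, not the page's.

```python
"""Offline model of the Attribute Uniqueness plug-in's decision logic.
Added example, not Red Hat Directory Server or 389-ds code. Assumptions not from
the page: DNs contain no escaped commas, and values compare case-insensitively."""


def dn_parts(dn):
    """Normalized RDN tuple, leaf first: 'uid=A, dc=X' -> ('uid=a', 'dc=x')."""
    return tuple(p.strip().lower() for p in dn.split(","))

def is_under(dn, base):
    """True if dn is base itself or lies anywhere below it (subtree scope)."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b

def values(entry, attr):
    """Normalized values of attr; attribute names match case-insensitively."""
    return {v.lower() for name, vals in entry.items() if name.lower() == attr.lower() for v in vals}

def has_oc(entry, oc):
    return oc.lower() in values(entry, "objectClass")

def uniqueness_scope(directory, dn, config):
    """Base DNs within which the value must be unique for a write to dn; [] = not checked."""
    marker = config.get("uniqueness-top-entry-oc")
    if marker:
        # uniqueness-top-entry-oc: the nearest ancestor (parent first, then upwards
        # to the root) that carries the marker object class becomes the scope.
        depth = len(dn_parts(dn))
        ancestors = [d for d, e in directory.items()
                     if is_under(dn, d) and len(dn_parts(d)) < depth and has_oc(e, marker)]
        return [max(ancestors, key=lambda d: len(dn_parts(d)))] if ancestors else []
    subtrees = config.get("uniqueness-subtrees", [])
    containing = [s for s in subtrees if is_under(dn, s)]
    if not containing:
        return []
    if config.get("uniqueness-across-all-subtrees", "off").lower() == "on":
        return list(subtrees)  # a value may appear in only one of the configured subtrees
    return containing  # default: unique only within the subtree being written

def check_update(directory, dn, new_entry, config):
    """None if writing new_entry at dn is allowed, else why the server would reject it."""
    attr = config["uniqueness-attribute-name"]
    required_oc = config.get("uniqueness-subtree-entries-oc")
    bases = uniqueness_scope(directory, dn, config)
    if not bases or (required_oc and not has_oc(new_entry, required_oc)):
        return None
    for val in values(new_entry, attr):
        for other_dn, other in directory.items():
            if dn_parts(other_dn) == dn_parts(dn):
                continue  # modifying an entry never conflicts with itself
            if not any(is_under(other_dn, b) for b in bases):
                continue
            if required_oc and not has_oc(other, required_oc):
                continue  # uniqueness-subtree-entries-oc: compare only entries with that class
            if val in values(other, attr):
                return f"{attr}={val} is already used by {other_dn}"
    return None

def find_existing_duplicates(directory, config):
    """Audit helper: the plug-in checks only new writes, so list the entries whose
    current values would already be rejected under this configuration."""
    found = {dn: check_update(directory, dn, e, config) for dn, e in directory.items()}
    return {dn: reason for dn, reason in found.items() if reason}


# Constructed sample data, not from the page: dn -> {attribute: [values]}.
PERSON = ["top", "inetOrgPerson"]
CONTAINER = ["top", "organizationalUnit", "nsContainer"]
SAMPLE = {
    "ou=Engineering,dc=example,dc=com": {"objectClass": CONTAINER},
    "ou=Sales,dc=example,dc=com": {"objectClass": CONTAINER},
    "ou=Contractors,dc=example,dc=com": {"objectClass": ["top", "organizationalUnit"]},
    "uid=alice,ou=Engineering,dc=example,dc=com": {"objectClass": PERSON, "mail": ["alice@example.com"]},
    "uid=bob,ou=Sales,dc=example,dc=com": {"objectClass": PERSON, "mail": ["bob@example.com"]},
    # Not a person, but already carries bob's mail value: a pre-existing duplicate.
    "cn=sales-alias,ou=Sales,dc=example,dc=com": {"objectClass": ["top", "extensibleObject"], "mail": ["bob@example.com"]},
}
# Section 7.1.2 style: explicit subtrees, first per subtree, then across all of them.
CONF_SUBTREES = {"uniqueness-attribute-name": "mail",
                 "uniqueness-subtrees": ["ou=Engineering,dc=example,dc=com", "ou=Sales,dc=example,dc=com"]}
CONF_ACROSS = {**CONF_SUBTREES, "uniqueness-across-all-subtrees": "on"}
# Section 7.1.3 style: scope is the nearest nsContainer ancestor, inetOrgPerson entries only.
CONF_MARKER = {"uniqueness-attribute-name": "mail", "uniqueness-top-entry-oc": "nsContainer",
               "uniqueness-subtree-entries-oc": "inetOrgPerson"}


def demo():
    """Run the scenarios the text describes and return their outcomes."""
    carol = {"objectClass": PERSON, "mail": ["Alice@Example.com"]}  # alice's value, other case
    in_sales, in_eng, in_contr = (f"uid=carol,ou={ou},dc=example,dc=com" for ou in ("Sales", "Engineering", "Contractors"))
    return {
        "sales_reuse_per_subtree": check_update(SAMPLE, in_sales, carol, CONF_SUBTREES),  # allowed
        "sales_reuse_across_all": check_update(SAMPLE, in_sales, carol, CONF_ACROSS),     # rejected
        "engineering_reuse": check_update(SAMPLE, in_eng, carol, CONF_SUBTREES),          # rejected
        "contractor_reuse": check_update(SAMPLE, in_contr, carol, CONF_MARKER),           # no nsContainer above: unchecked
        "audit_marker": find_existing_duplicates(SAMPLE, CONF_MARKER),       # alias lacks inetOrgPerson: clean
        "audit_subtrees": find_existing_duplicates(SAMPLE, CONF_SUBTREES),   # bob and the alias collide
    }
```

demo() returns the outcome of each scenario: the same mail value is accepted in ou=Sales while uniqueness-across-all-subtrees is off and rejected once it is on; an entry under ou=Contractors is never checked under the nsContainer configuration because no ancestor carries the marker class; and the audit shows that the subtree configuration would have rejected the pre-existing cn=sales-alias duplicate, while the inetOrgPerson-restricted configuration ignores it. Run an audit of this kind against an export of your real data before enabling a new configuration record, since the server itself will not report duplicates that are already there.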

7.1.4. Attribute Uniqueness Plug-in Configuration Parameters

To configure an Attribute Uniqueness plug-in configuration record, set the plug-in's configuration attributes in the cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config entry.
You can configure this plug-in using the new plug-in-specific attribute names (Example 7.1, “Attribute Uniqueness Plug-in Configuration Using Plug-in-specific Attributes”) or using the deprecated nsslapd-pluginarg* attributes (Example 7.2, “Attribute Uniqueness Plug-in Configuration Using nsslapd-pluginarg* Attributes”).

Important

Red Hat recommends using only the plug-in-specific attribute names to configure the Attribute Uniqueness plug-in.

Example 7.1. Attribute Uniqueness Plug-in Configuration Using Plug-in-specific Attributes

dn: cn=Example Attribute Uniqueness,cn=plugins,cn=config
nsslapd-pluginEnabled: on
uniqueness-attribute-name: attribute_name
uniqueness-top-entry-oc: objectclass1
uniqueness-subtree-entries-oc: objectclass2

Example 7.2. Attribute Uniqueness Plug-in Configuration Using nsslapd-pluginarg* Attributes

dn: cn=Example Attribute Uniqueness,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=mail
nsslapd-pluginarg1: markerObjectClass=objectclass1
nsslapd-pluginarg2: requiredObjectClass=objectclass2

Table 7.1. Attribute Uniqueness Plug-in Configuration Parameters

Each parameter is marked as belonging to the new (plug-in-specific) syntax, the old (nsslapd-pluginarg*) syntax, or both.

cn (new and old syntax)
    Sets the name of the Attribute Uniqueness plug-in configuration record. You can use any string, but Red Hat recommends naming the configuration record attribute_name Attribute Uniqueness.

nsslapd-pluginEnabled (new and old syntax)
    Enables (on) or disables (off) the plug-in configuration record.

uniqueness-attribute-name (new syntax)
    Sets the name of the attribute whose values must be unique. This attribute is multi-valued.

uniqueness-subtrees (new syntax)
    Sets the DN under which the plug-in checks for uniqueness of the attribute's value. This attribute is multi-valued.

uniqueness-across-all-subtrees (new syntax)
    If enabled (on), the plug-in checks that the attribute's value is unique across all subtrees set in uniqueness-subtrees. If set to off (the default), uniqueness is only enforced within the subtree of the updated entry.

uniqueness-top-entry-oc (new syntax)
    Directory Server searches for this object class in the parent entry of the updated entry. If it is not found, the search continues at the next higher level entry, up to the root of the directory tree. If the object class is found, Directory Server verifies that the value of the attribute set in uniqueness-attribute-name is unique in the subtree below that entry.

uniqueness-subtree-entries-oc (new syntax)
    Optional, and used together with uniqueness-top-entry-oc: restricts the check to entries that contain this object class. The plug-in verifies uniqueness only if the updated entry contains the class, and compares it only against other entries that contain the class. For details, see Section 7.1.3, “Configuring Attribute Uniqueness over Object Classes”.

nsslapd-pluginarg0 (old syntax)
    Equivalent to the plug-in-specific attribute uniqueness-attribute-name; see that parameter for a description. Set the attribute to attribute=attribute_name.

nsslapd-pluginarg[1-9] (old syntax)
    Equivalent to the plug-in-specific attribute uniqueness-top-entry-oc; see that parameter for a description. Set the attribute to markerObjectClass=object_class.

nsslapd-pluginarg[1-9] (old syntax)
    Equivalent to the plug-in-specific attribute uniqueness-subtree-entries-oc; see that parameter for a description. Set the attribute to requiredObjectClass=object_class.
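To move an existing record from the deprecated syntax to the recommended one in a single change, the following Python script (an added example, not Red Hat or 389-ds code) parses the record as exported in LDIF, maps each nsslapd-pluginargN value to its plug-in-specific attribute using the correspondences in Table 7.1, and emits the ldapmodify change that removes the old values and adds the new ones. The sample record is constructed in the shape of Example 7.2; treating a bare pluginarg0 value as the attribute name and any other non key=value pluginarg value as a subtree DN is my assumption about older records, not something the page states.

```python
"""Migrate an Attribute Uniqueness record from the deprecated nsslapd-pluginarg*
syntax to the plug-in-specific attributes, emitting the ldapmodify LDIF for it.
Added example, not Red Hat or 389-ds code. Assumption beyond the page: a bare
pluginarg0 value is the attribute name and any other non key=value pluginarg
value is a subtree DN."""

# Old "key=value" forms from Table 7.1 -> plug-in-specific attribute name.
KEYS = {"attribute": "uniqueness-attribute-name",
        "markerobjectclass": "uniqueness-top-entry-oc",
        "requiredobjectclass": "uniqueness-subtree-entries-oc"}
PREFIX = "nsslapd-pluginarg"


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: returns (dn, {attr: [values]}).
    Unfolds continuation lines and skips comments; base64 ('::') values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def convert(attrs):
    """Map nsslapd-pluginargN values to the new attributes; returns (new_attrs, old_names)."""
    old = sorted((k for k in attrs
                  if k.lower().startswith(PREFIX) and k[len(PREFIX):].isdigit()),
                 key=lambda k: int(k[len(PREFIX):]))
    new = {}
    for name in old:
        for value in attrs[name]:
            key, sep, rest = value.partition("=")
            target = KEYS.get(key.strip().lower()) if sep else None
            if target:
                new.setdefault(target, []).append(rest.strip())
            elif name.lower() == PREFIX + "0":
                new.setdefault("uniqueness-attribute-name", []).append(value)  # bare attribute name
            else:
                new.setdefault("uniqueness-subtrees", []).append(value)  # assumed: bare subtree DN
    return new, old


def migration_ldif(dn, attrs):
    """LDIF for ldapmodify: drop every nsslapd-pluginarg* attribute, add the equivalents."""
    new, old = convert(attrs)
    out = [f"dn: {dn}", "changetype: modify"]
    for name in old:
        out += [f"delete: {name}", "-"]
    for target, vals in new.items():
        out += [f"add: {target}", *(f"{target}: {v}" for v in vals), "-"]
    return "\n".join(out) + "\n"


# Constructed input in the shape of Example 7.2 (not a record taken from the page).
OLD_RECORD = """dn: cn=mail Attribute Uniqueness,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=mail
nsslapd-pluginarg1: markerObjectClass=nsContainer
nsslapd-pluginarg2: requiredObjectClass=inetOrgPerson
"""

if __name__ == "__main__":
    print(migration_ldif(*parse_ldif_entry(OLD_RECORD)))
```

Feed the printed LDIF to ldapmodify as Directory Manager and restart the instance, as in the procedures above. The generated change deletes every nsslapd-pluginarg* attribute and adds the new attributes in one modify operation, so the record never carries both syntaxes at the same time.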