8.3. Automatically Creating Dual Entries
8.3.1. About Managed Entries
For example, when a user entry (a posixAccount entry) is created, a corresponding group entry (a posixGroup entry) should also be created. An instance of the Managed Entries Plug-in identifies what entry (the origin entry) triggers the plug-in to automatically generate a new entry (the managed entry). Each plug-in instance is configured with two entries:
- A definition entry, which identifies the scope of the plug-in instance and the template to use
- A template entry, which models what the final managed entry will look like
8.3.1.1. About the Instance Definition Entry
The Managed Entries Plug-in has a container entry in cn=plugins,cn=config (cn=Managed Entries,cn=plugins,cn=config), and each unique configuration instance of the plug-in has a definition entry beneath that container. The definition entry sets three things:
- The search criteria to identify the origin entries (a search scope and a search filter)
- The subtree under which to create the managed entries (the new entry location)
- The template entry to use for the managed entries

Figure 8.2. Defining Managed Entries
dn: cn=Posix User-Group,cn=Managed Entries,cn=plugins,cn=config
objectclass: extensibleObject
cn: Posix User-Group
originScope: ou=people,dc=example,dc=com
originFilter: objectclass=posixAccount
managedBase: ou=groups,dc=example,dc=com
managedTemplate: cn=Posix User-Group Template,ou=Templates,dc=example,dc=com
8.3.1.2. About the Template Entry

Figure 8.3. Templates, Managed Entries, and Origin Entries
dn: cn=Posix User-Group Template,ou=Templates,dc=example,dc=com
objectclass: mepTemplateEntry
cn: Posix User-Group Template
mepRDNAttr: cn
mepStaticAttr: objectclass: posixGroup
mepMappedAttr: cn: $cn Group Entry
mepMappedAttr: gidNumber: $gidNumber
mepMappedAttr: memberUid: $uid
The mapped attributes use tokens, prefixed with a dollar sign ($), to pull values from the origin entry. A token name can be quoted with curly braces, such as Attr: ${cn}test. Quoting is not required if the token name is not immediately followed by a character that is valid in an attribute name, such as a space or a comma. For example, $cn test is acceptable in an attribute definition because a space character immediately follows the token name, but $cntest is not valid because the Managed Entries Plug-in looks for an attribute named cntest in the origin entry. Using curly braces delimits the token name.
8.3.1.3. Entry Attributes Written by the Managed Entries Plug-in
The plug-in writes link attributes to both entries so that each can be traced to the other: the origin entry gets the mepOriginEntry object class and a mepManagedEntry attribute holding the DN of its managed entry, and the managed entry gets the mepManagedEntry object class and a mepManagedBy attribute holding the DN of its origin entry. For example:
dn: uid=jsmith,ou=people,dc=example,dc=com
objectclass: mepOriginEntry
objectclass: posixAccount
...
sn: Smith
mail: jsmith@example.com
mepManagedEntry: cn=jsmith Posix Group,ou=groups,dc=example,dc=com

dn: cn=jsmith Posix Group,ou=groups,dc=example,dc=com
objectclass: mepManagedEntry
objectclass: posixGroup
...
mepManagedBy: uid=jsmith,ou=people,dc=example,dc=com
8.3.1.4. Managed Entries Plug-in and Directory Server Operations
Table 8.3. Managed Entries Plug-in and Directory Server Operations
Operation | Effect by the Managed Entries Plug-in |
---|---|
Add | With every add operation, the server checks whether the new entry is within the scope of any Managed Entries Plug-in instance. If it meets the criteria for an origin entry, then a managed entry is created and the managed entry-related attributes are added to both the origin and the managed entry. |
Modify | If an origin entry is modified, it triggers the plug-in to update the managed entry. Changing a template entry, however, does not update the managed entry automatically: changes to the template are not reflected in the managed entry until the next time the origin entry is modified. The mapped attributes within a managed entry cannot be modified manually, only by the Managed Entries Plug-in. Other attributes in the managed entry (including the static attributes added by the plug-in) can be modified manually. |
Delete | If an origin entry is deleted, then the Managed Entries Plug-in also deletes any managed entry associated with that entry. There are some limits on what entries can be deleted. |
Rename | If an origin entry is renamed, then the plug-in updates the corresponding managed entry. If the entry is moved out of the plug-in scope, the managed entry is deleted; if an entry is moved into the plug-in scope, it is treated like an add operation and a new managed entry is created. As with delete operations, there are limits on what entries can be renamed or moved. |
Replication | Managed Entries Plug-in operations are not initiated by replication updates. If an add or modify operation for an entry in the plug-in scope is replicated to another replica, that operation does not trigger the Managed Entries Plug-in instance on the replica to create or update an entry. The only way for updates to managed entries to be replicated is to replicate the final managed entry itself to the replica. |
8.3.2. Creating the Managed Entries Template Entry
The template entry defines the attributes of the managed entry in two ways, static values and mapped (token) values:
mepStaticAttr: attribute: specific_value
mepMappedAttr: attribute: $token_value
For example:
mepMappedAttr: cn: Managed Group for $cn
- A mapped value can combine a token (a dynamic value) with static text, but it can use only one token per mapped attribute.
- The mapped attributes in the template use tokens, prefixed with a dollar sign ($), to pull values from the origin entry into the managed entry. If a literal dollar sign is needed in the managed attribute value, escape it with two dollar signs in a row ($$).
- A token name can be quoted with curly braces, such as Attr: ${cn}test. Quoting is not required if the token name is not immediately followed by a character that is valid in an attribute name, such as a space or a comma. For example, $cn test is acceptable in an attribute definition because a space character immediately follows the token name, but $cntest is not valid because the Managed Entries Plug-in looks for an attribute named cntest in the origin entry. Using curly braces delimits the token name.
- Make sure that the values given for static and mapped attributes comply with the attribute's required syntax.
Note
For example, if the mapped attribute is gidNumber, then the mapped value should be an integer.
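As an added example (not part of the Directory Server documentation or its code), the following Python models the token rules above together with the Add row of Table 8.3: it expands mepMappedAttr values against an origin entry, enforces the one-token and $$ rules, builds the managed entry from the template and the definition, and writes the mepOriginEntry / mepManagedEntry link attributes to both sides. The entries, template and definition are constructed sample data mirroring Figures 8.2 and 8.3. Two simplifications are assumptions of this model, not documented plug-in behaviour: the filter matcher understands only the plain attr=value form, scope is checked by DN suffix, and a token naming an attribute the origin entry lacks raises an error.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not Directory Server code. Entries are dicts that map
# lower-cased attribute names to value lists; the "dn" key holds the DN.
Entry = Dict[str, List[str]]

# $$ is an escaped dollar sign; ${name} and $name are tokens. LDAP attribute
# descriptors contain only letters, digits and hyphens, so "$cn test" stops
# at the space while "$cntest" names an attribute called "cntest".
TOKEN_RE = re.compile(
    r"\$(?:(\$)|\{([A-Za-z][A-Za-z0-9-]*)\}|([A-Za-z][A-Za-z0-9-]*))")


def token_names(value: str) -> List[str]:
    """Attribute names a mapped value would look up in the origin entry."""
    return [m.group(2) or m.group(3)
            for m in TOKEN_RE.finditer(value) if not m.group(1)]


def expand_token_value(value: str, origin: Entry) -> str:
    """Expand one mepMappedAttr value against the origin entry."""
    if len(token_names(value)) > 1:
        raise ValueError(f"only one token is allowed per mapped attribute: {value!r}")

    def replace(m):
        if m.group(1):
            return "$"  # "$$" -> literal dollar sign
        name = (m.group(2) or m.group(3)).lower()
        if name not in origin:  # assumption: treat a missing origin attribute as an error
            raise KeyError(f"origin entry has no attribute {name!r}")
        return origin[name][0]  # first value of the origin attribute

    return TOKEN_RE.sub(replace, value)


def parse_attr_value(line: str) -> Tuple[str, str]:
    """Split an 'attribute: value' string as used by mepStaticAttr/mepMappedAttr."""
    attr, sep, val = line.partition(":")
    if not sep:
        raise ValueError(f"expected 'attribute: value', got {line!r}")
    return attr.strip().lower(), val.strip()


def matches_definition(origin: Entry, definition: Dict[str, str]) -> bool:
    """Is this entry an origin entry? Scope is checked by DN suffix and the
    filter matcher handles only the plain attr=value form (simplifications)."""
    dn = origin["dn"][0].lower()
    if not dn.endswith("," + definition["originScope"].lower()):
        return False
    attr, want = definition["originFilter"].split("=", 1)
    return want.lower() in (v.lower() for v in origin.get(attr.lower(), []))


def build_managed_entry(origin: Entry, template: Dict[str, List[str]],
                        definition: Dict[str, str]) -> Entry:
    """Instantiate the template for one origin entry (as in Figure 8.3)."""
    mapped = [parse_attr_value(line) for line in template["mepmappedattr"]]
    rdn_attr = template["meprdnattr"][0].lower()
    if rdn_attr not in {attr for attr, _ in mapped}:
        raise ValueError("mepRDNAttr must name a mapped attribute")
    managed: Entry = {"objectclass": ["mepManagedEntry"]}
    for line in template["mepstaticattr"]:
        attr, val = parse_attr_value(line)
        managed.setdefault(attr, []).append(val)
    for attr, val in mapped:
        managed.setdefault(attr, []).append(expand_token_value(val, origin))
    managed["dn"] = [f"{rdn_attr}={managed[rdn_attr][0]},{definition['managedBase']}"]
    managed["mepmanagedby"] = [origin["dn"][0]]  # back-link to the origin entry
    return managed


def on_add(origin: Entry, template: Dict[str, List[str]],
           definition: Dict[str, str]) -> Tuple[Entry, Optional[Entry]]:
    """Add row of Table 8.3: return the (possibly updated) origin entry and
    the new managed entry, or None when the entry is not an origin entry."""
    if not matches_definition(origin, definition):
        return origin, None
    managed = build_managed_entry(origin, template, definition)
    linked = dict(origin)
    linked["objectclass"] = origin.get("objectclass", []) + ["mepOriginEntry"]
    linked["mepmanagedentry"] = [managed["dn"][0]]
    return linked, managed


# Constructed sample data mirroring Figures 8.2 and 8.3.
DEFINITION = {
    "originScope": "ou=people,dc=example,dc=com",
    "originFilter": "objectclass=posixAccount",
    "managedBase": "ou=groups,dc=example,dc=com",
}
TEMPLATE = {
    "meprdnattr": ["cn"],
    "mepstaticattr": ["objectclass: posixGroup"],
    "mepmappedattr": ["cn: $cn Group Entry", "gidNumber: $gidNumber",
                      "memberUid: $uid"],
}
JSMITH: Entry = {
    "dn": ["uid=jsmith,ou=people,dc=example,dc=com"],
    "objectclass": ["top", "posixAccount"],
    "uid": ["jsmith"], "cn": ["jsmith"], "gidnumber": ["1001"],
}

if __name__ == "__main__":
    for entry in on_add(JSMITH, TEMPLATE, DEFINITION):
        print("\n".join(f"{a}: {v}" for a, vals in entry.items() for v in vals), "\n")
```

Running the module prints the linked origin entry followed by the managed entry cn=jsmith Group Entry,ou=groups,dc=example,dc=com. The point worth keeping in mind from the model: mapped values are copied verbatim from the origin entry, so whoever can write the origin attributes that the tokens name (gidNumber here) decides what ends up in the managed group; the ACIs on those origin attributes are what protect the managed entry.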
Table 8.4. Attributes for the Managed Entry Template
Attribute | Description |
---|---|
mepTemplateEntry (object class) | Identifies the entry as a template. |
cn | Gives the common name of the entry. |
mepMappedAttr | Contains an attribute-token pair that the plug-in uses to create an attribute in the managed entry with a value taken from the originating entry. |
mepRDNAttr | Specifies which attribute to use as the naming attribute in the managed entry. The attribute used as the RDN must be a mapped attribute for the configuration to be valid. |
mepStaticAttr | Contains an attribute-value pair that will be used, with that specified value, in the managed entry. |
Use the dsconf plugin managed-entries template add command to add the template entry. Put the mapped values in single quotes so that the shell does not expand $cn, $gidNumber and $uid as shell variables before dsconf sees them. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin managed-entries template "cn=Posix User-Group Template,ou=Templates,dc=example,dc=com" add --rdn-attr "cn" --static-attr "objectclass: posixGroup" --mapped-attr 'cn: $cn Group Entry' 'gidNumber: $gidNumber' 'memberUid: $uid'
8.3.3. Creating the Managed Entries Instance Definition
Table 8.5. Attributes for the Managed Entries Definition Entry
Attribute Name | Description |
---|---|
originFilter | The search filter to use to search for and identify the entries within the subtree which require a managed entry. The syntax is the same as a regular search filter. |
originScope | The base subtree which contains the potential origin entries for the plug-in to monitor. |
managedTemplate | Identifies the template entry to use to create the managed entry. This entry can be located anywhere in the directory tree. |
managedBase | The subtree under which to create the managed entries. |
- Create the new plug-in instance below the cn=Managed Entries,cn=plugins,cn=config container entry. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin managed-entries config "cn=Posix User-Group,cn=Managed Entries,cn=plugins,cn=config" add --scope="ou=people,dc=example,dc=com" --filter="objectclass=posixAccount" --managed-base="ou=groups,dc=example,dc=com" --managed-template="cn=Posix User-Group Template,ou=Templates,dc=example,dc=com"
This command sets the scope and filter for the origin entry search, the location of the new managed entries, and the template entry to use.
- If the Directory Server is not configured to enable dynamic plug-ins, restart the server to load the new plug-in instance:
# dsctl instance_name restart
8.3.4. Putting Managed Entries Plug-in Configuration in a Replicated Database
By default, the plug-in instance definitions are stored under cn=plugins,cn=config. (This is common for plug-ins which allow multiple instances.) The drawback is that entries in cn=plugins,cn=config are not replicated, so the configuration has to be re-created on each Directory Server instance.
The Managed Entries Plug-in supports the nsslapd-pluginConfigArea attribute. This attribute points to another container entry, in the main database area, which holds the plug-in instance entries. That container entry can be in a replicated database, which allows the plug-in configuration to be replicated. Because the container then lives in a regular database, the database's ACIs govern who can change it; restrict write access to the container so that only administrators can alter which entries are managed and what the template maps.
- Create a container entry in the replicated database, then point the plug-in at it by setting nsslapd-pluginConfigArea. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin managed-entries set --config-area="cn=managed entries container,ou=containers,dc=example,dc=com"
- Move or create the definition (Section 8.3.3, “Creating the Managed Entries Instance Definition”) and template (Section 8.3.2, “Creating the Managed Entries Template Entry”) entries under the new container entry.