slapo-unique — Attribute Uniqueness overlay
ETCDIR/slapd.conf
The Attribute Uniqueness overlay can be used with a backend database such as slapd-bdb(5) to enforce the uniqueness of some or all attributes within a subtree. This subtree defaults to the base DN of the database for which the Uniqueness overlay is configured.
Uniqueness is enforced by searching the subtree to ensure that the values of all attributes presented with an add, modify or modrdn operation are unique within the subtree. For example, if uniqueness were enforced for the uid attribute, the subtree would be searched for any other records which also have a uid attribute containing the same value. If any are found, the request is rejected.
These slapd.conf options apply to the Attribute Uniqueness overlay. They should appear after the overlay directive.
unique_base <basedn>
Configure the subtree against which uniqueness searches will be invoked. The basedn defaults to the base DN of the database for which uniqueness is configured.
unique_ignore <attribute...>
Configure one or more attributes for which uniqueness will not be enforced. If not configured, all non-operational (e.g., system) attributes must be unique. Note that the unique_ignore list should generally contain the objectClass, dc, ou and o attributes, as these will generally not be unique, nor are they operational attributes.
unique_attributes <attribute...>
Specify one or more attributes for which uniqueness will be enforced. If not specified, all attributes which are not operational (e.g., system attributes such as entryUUID) or specified via the unique_ignore directive above must be unique within the subtree.
unique_strict
By default, uniqueness is not enforced for null values. Enabling unique_strict mode extends the concept of uniqueness to include null values, such that only one attribute within a subtree will be allowed to have a null value.
The search key is generated with attributes that are non-operational, not on the unique_ignore list, and included in the unique_attributes list, in that order. This makes it possible to create interesting and unusable configurations. Usually only one of unique_ignore or unique_attributes should be configured; use unique_ignore if the majority of attributes should be unique, and use unique_attributes if only a small set of attributes should be unique.
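The selection order described above can be modelled in a few lines to check a planned configuration before deploying it. This is an added example, not the overlay's source code; the function names, the short OPERATIONAL sample set, the OR-filter shape and the presence test used for null values under unique_strict are assumptions made for illustration.

```python
# Added illustration: a model of the selection order described above,
# not the overlay's source code.

# Assumption: a small sample of operational attribute names.
OPERATIONAL = {"entryuuid", "entrycsn", "createtimestamp", "modifytimestamp",
               "creatorsname", "modifiersname"}


def escape_filter_value(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def checked_attributes(entry, ignore=(), attributes=()):
    """Return the attribute names of `entry` that would be checked."""
    ignore = {a.lower() for a in ignore}
    attributes = {a.lower() for a in attributes}
    selected = []
    for name in entry:
        key = name.lower()
        if key in OPERATIONAL:            # 1. operational: never checked
            continue
        if key in ignore:                 # 2. on unique_ignore: skipped
            continue
        if attributes and key not in attributes:  # 3. not in unique_attributes
            continue
        selected.append(name)
    return selected


def uniqueness_filter(entry, ignore=(), attributes=(), strict=False):
    """Build an OR filter over every checked attribute value, or None."""
    terms = []
    for name in checked_attributes(entry, ignore, attributes):
        values = entry[name]
        if values:
            terms += ["(%s=%s)" % (name, escape_filter_value(v)) for v in values]
        elif strict:                      # assumption: null value -> presence test
            terms.append("(%s=*)" % name)
    return "(|%s)" % "".join(terms) if terms else None


# Constructed sample entry (attribute name -> list of values).
SAMPLE = {"objectClass": ["inetOrgPerson"], "ou": ["People"],
          "uid": ["j(doe)"], "mail": ["jdoe@example.com"],
          "entryUUID": ["00000000-0000-0000-0000-000000000000"]}
```

With neither list configured, objectClass and ou are among the checked attributes of the sample entry, which is why the unique_ignore list should generally contain them; listing uid in both unique_ignore and unique_attributes leaves nothing to check, so uniqueness is silently not enforced.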
Typical attributes for the unique_ignore directive are intentionally not hardcoded into the overlay to allow for maximum flexibility in meeting site-specific requirements.