On Tue, Feb 06, 2024 at 12:29:37PM +0000, Norman Gray wrote:
> Greetings.
> 
> How should I use the 'unique' overlay to enforce uniqueness of an
> attribute across two trees?
> 
> I'd have thought that the following would work, to enforce uniqueness
> across ou=dept1 and ou=dept2, but it doesn't seem to.
> 
>     dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
>     objectClass: olcOverlayConfig
>     objectClass: olcUniqueConfig
>     olcOverlay: unique
>     olcUniqueURI: ldap:///ou=dept1,o=example?uidnumber?sub
>       ldap:///ou=dept2,o=example?uidnumber?sub
> 
> (and cf, slapd/overlays/unique.c:unique_new_domain).
> 
> When I configure a server with this, and load two entities with the same
> uidNumber, the server doesn't object.  I'm clearly misunderstanding
> something.
> 
> The slapo-unique(5) manpage suggests that having two URIs juxtaposed
> like this is syntactically OK, but it doesn't make clear the
> semantics of this.  I'd guessed that the above configuration would
> create a 'domain' which is the union of the two subtrees, but
> that doesn't seem to be the case.

Hi Norman,
you're right, the uniqueness domains aren't specified anywhere and the
overlay currently just runs through each URI independently. It also
checks that the entry matches the URI as well, so a DN like
"uid=u2,ou=dept1,o=example" is only checked against the first URI and
dept2 wouldn't be checked.

The next best thing I can see is if you create two URIs, one for each of
dept2 and dept3, more or less like this:

ldap:///?uidnumber?sub?(|\
    (entryDN:dnSubtreeMatch:=ou=dept1,o=example)
    (entryDN:dnSubtreeMatch:=ou=dept2,o=example))
ldap:///?uidnumber?sub?(|\
    (entryDN:dnSubtreeMatch:=ou=dept1,o=example)
    (entryDN:dnSubtreeMatch:=ou=dept3,o=example))

That should trigger exactly as you need and cover the relevant parts of
the tree. Not sure it works when there's a lot of gluing going on but
worth a try.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
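As an added illustration (not part of this thread and not OpenLDAP's own code), the following Python is a deliberately simplified model of the per-URI checking behaviour described in the reply: each olcUniqueURI is evaluated on its own, an entry is only checked against URIs it matches, and duplicates are searched for only inside that same URI's base and filter. The directory contents, the URI parser (base, one attribute, scope "sub" and a `(|(entryDN:dnSubtreeMatch:=...)...)` filter only) and the DN comparison are assumptions made to keep the model small.

```python
import re

# Only the entryDN:dnSubtreeMatch assertions of the filter are modelled.
SUBTREE_RE = re.compile(r"entryDN:dnSubtreeMatch:=([^)]+)", re.IGNORECASE)


def dn_in_subtree(dn, base):
    """dnSubtreeMatch, simplified: dn equals base or lies below it (no DN normalisation)."""
    dn, base = dn.lower(), base.lower()
    return base == "" or dn == base or dn.endswith("," + base)


def parse_unique_uri(uri):
    """Parse ldap:///base?attr?scope?filter into (base, attr, subtree_list_or_None)."""
    parts = uri[len("ldap:///"):].split("?") + ["", "", ""]
    base, attr, scope, filt = parts[:4]
    if scope not in ("", "sub"):
        raise ValueError("only scope 'sub' is modelled here")
    subtrees = SUBTREE_RE.findall(filt) or None  # None: no filter restriction
    return base, attr.lower(), subtrees


def matches_uri(dn, uri):
    """An entry belongs to a URI's domain if it is under the base and passes the filter."""
    base, _, subtrees = uri
    if not dn_in_subtree(dn, base):
        return False
    return subtrees is None or any(dn_in_subtree(dn, s) for s in subtrees)


def unique_check(directory, new_dn, new_entry, uris):
    """Return DNs that would make the overlay reject adding new_dn, URI by URI."""
    conflicts = set()
    for uri in map(parse_unique_uri, uris):
        _, attr, _ = uri
        if not matches_uri(new_dn, uri) or attr not in new_entry:
            continue  # this URI does not apply to the new entry at all
        for dn, entry in directory.items():
            if dn != new_dn and matches_uri(dn, uri) and entry.get(attr) == new_entry[attr]:
                conflicts.add(dn)
    return sorted(conflicts)


# Constructed sample data: one existing user in dept1, a new one in dept2.
DIRECTORY = {"uid=u1,ou=dept1,o=example": {"uidnumber": "1000"}}
NEW_DN, NEW_ENTRY = "uid=u2,ou=dept2,o=example", {"uidnumber": "1000"}
TWO_URIS = ["ldap:///ou=dept1,o=example?uidnumber?sub",
            "ldap:///ou=dept2,o=example?uidnumber?sub"]
UNION_URI = ["ldap:///?uidnumber?sub?(|(entryDN:dnSubtreeMatch:=ou=dept1,o=example)"
             "(entryDN:dnSubtreeMatch:=ou=dept2,o=example))"]

if __name__ == "__main__":
    print(unique_check(DIRECTORY, NEW_DN, NEW_ENTRY, TWO_URIS))   # -> []
    print(unique_check(DIRECTORY, NEW_DN, NEW_ENTRY, UNION_URI))  # -> ['uid=u1,ou=dept1,o=example']
```

With the two separate URIs the duplicate in the other subtree is never searched for, which is the behaviour Norman observed; with the single filter-based URI both subtrees form one domain and the clash is found, while an entry under a subtree not named in the filter (say ou=dept3) is still not checked.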
