Full_Name: Kartik Subbarao Version: 2.4.23 OS: Debian Linux 5.0.5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (76.99.175.5)

I have the uniqueness overlay configured as follows in slapd.conf:

overlay unique unique_uri ldap:///?gidNumber?sub?(objectClass=posixGroup)

The policy I want to enforce is that all posixGroup entries must have a unique gidNumber attribute. At the same time, I want to *allow* non-posixGroup entries (such as inetOrgPerson) to have the same gidNumber attribute that a posixGroup entry has. This is so that a user can have a login group id set to that of an existing group.

With the above configuration in place, if I create a posixGroup entry with gidNumber 389, and then try to add a gidNumber attribute of 389 to an inetOrgPerson entry, the operation fails with a constraint error "some attributes not unique".

As I read the manpage for slapo-unique, the unique_uri filter seems to support the functionality that I want:

===== The filter component causes the domain to apply uniqueness constraints only to matching objects. e.g. ldap:///?cn?sub?(sn=e*) would require unique cn attributes for all objects in the subtree of the back-end database whose sn starts with an e. =====

I'm inferring from this that uniqueness constraints on the cn attribute would *not* be applied to objects that don't match the filter. But that doesn't seem to be happening here. Is this a bug in the uniqueness overlay or am I not understanding the implementation?