Kyle Blaney wrote:
> I'm using the unique overlay in OpenLDAP 2.4.16 and finding it too easy to violate the uniqueness constraints I have defined.
> For example, if I have the following in my slapd.conf (taken from the slapo-unique man page):
>
> overlay unique
> unique_uri ldap:///?cn?sub?(sn=e*)
>
> I can violate the uniqueness constraints as follows:
> - Add an entry with cn=a and sn=e.
> - Add a second entry with cn=a and sn=f.
> - Modify the sn of the second entry so that sn=e.
> The attribute modification succeeds but causes a violation of the uniqueness constraints.
> Is there any way to configure OpenLDAP so that the attribute modification fails due to a constraint violation?
How did you configure slapo-unique(5)? Is it global, or rooted at an empty DN database? Note that it requires a rootdn to be configured for the database it's instantiated for.
According to your configuration, it is not working for a specific searchbase (the "dn" part of your URI is empty), so it might be that the identity it is running as does not have enough privileges to see the attributes it is supposed to constrain when they are across databases.
You should probably post your entire slapd.conf or back-config contents (make sure you remove sensitive information like passwords).
p.
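For readers following the thread: below is an added slapd.conf sketch (not from either message) showing the layout the reply is asking about, with the overlay instantiated inside a database section that has a rootdn, and the unique_uri carrying an explicit base DN instead of the empty DN part of the quoted example. The suffix, rootdn, directory path and backend are placeholders chosen for illustration; replace them with the values from the real configuration.

```conf
# Added example, not the original poster's configuration.
# Placeholder database section; "hdb" is assumed as the backend for a 2.4.16-era setup.
database        hdb
suffix          "dc=example,dc=com"            # placeholder suffix
rootdn          "cn=Manager,dc=example,dc=com" # slapo-unique needs a rootdn on this database
directory       /var/lib/ldap                  # placeholder path

# slapo-unique is declared inside the database section so it is bound to this database.
# The base DN is given explicitly so the uniqueness search is scoped to a known searchbase
# (the quoted configuration left the DN part of the URI empty).
overlay         unique
unique_uri      ldap:///dc=example,dc=com?cn?sub?(sn=e*)
```

The two overlay directives must be separate lines; written on one line they are not parsed as intended. When checking whether the constraint is enforced on modify as well as add, look in slapd's log (with a loglevel that covers the overlay) for the internal search the overlay issues, since a search that cannot see the constrained attributes will not detect the conflict.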