Pierangelo, Thanks for your help so far. In attempting to reproduce my problem with a minimal slapd.conf that I could post, I am now encountering a slightly different problem related to the unique overlay. In particular, I get an LDAP constraint violation when attempting to add an entry that should be allowed. Here's my complete slapd.conf: ucdata-path data include schema/core.schema include schema/cosine.schema include schema/inetorgperson.schema include schema/nortel.schema backend bdb database bdb overlay unique unique_uri ldap:///?uid?sub?(sn=e*) suffix "dc=Nortel,dc=com" rootdn "cn=Administrator,dc=Nortel,dc=com" rootpw adminpwd directory data index sn eq,sub index cn eq,sub Here are the steps to reproduce my current problem (all modifications are made using the configured rootdn): 1. Add an entry with uid=a and sn=e. 2. Add a second entry with uid=a and sn=f. The second entry is not added. Instead, OpenLDAP returns error code 19 (constraint violation) with a message of "some attributes are not unique". When I comment out the unique_uri line in slapd.conf and restart slapd, the second entry can be added successfully. Have I configured something incorrectly? Kyle Blaney -----Original Message----- From: Pierangelo Masarati [mailto:masarati@aero.polimi.it] Sent: July 21, 2009 12:52 PM To: Blaney, Kyle (BVW:9T16) Cc: openldap-software(a)openldap.org Subject: Re: Unique overlay usage with filter Kyle Blaney wrote: How did you configure slapo-unique(5)? Is it global, or rooted at an empty DN database? Note that it requires a rootdn to be configured for the database it's instantiated for. According to your configuration, it is not working for a specific searchbase (the "dn" part of your URI is empty), so it might be that the identity it is running as does not have enough privileges to see the attributes it is supposed to constrain when they are across databases. You should probably post your entire slapd.conf or back-config contents (make sure you remove sensitive information like passwords). p.

Pierangelo, Thanks again. I've moved the overlay configuration part after the database configuration part, but I still get the same problem - adding the second entry fails due to a constraint violation when it should succeed. Is there anything else I can try or should I file and ITS? Kyle Blaney -----Original Message----- From: Pierangelo Masarati [mailto:masarati@aero.polimi.it] Sent: July 22, 2009 4:22 AM To: Blaney, Kyle (BVW:9T16) Cc: openldap-software(a)openldap.org Subject: Re: Unique overlay usage with filter Kyle Blaney wrote: The overlay part should go after all the database part, i.e. database bdb suffix "dc=Nortel,dc=com" rootdn "cn=Administrator,dc=Nortel,dc=com" rootpw adminpwd directory data index sn eq,sub index cn eq,sub overlay unique unique_uri ldap:///?uid?sub?(sn=e*) so the overlay configuration can properly check dependencies on database data. Don't know whether this fixes your issue, though. p.

Agreed - that ITS is the same issue. Thanks! Kyle Blaney -----Original Message----- From: masarati(a)aero.polimi.it [mailto:masarati@aero.polimi.it] Sent: July 23, 2009 3:08 PM To: Blaney, Kyle (BVW:9T16) Cc: openldap-software(a)openldap.org Subject: RE: Unique overlay usage with filter Apparently, you hit ITS#6077, so you don't need to file a new one. p.