On Tue, Feb 06, 2024 at 12:29:37PM +0000, Norman Gray wrote:
Greetings.
How should I use the 'unique' overlay to enforce uniqueness of an attribute across two trees?
I'd have thought that the following would work, to enforce uniqueness across ou=dept1 and ou=dept2, but it doesn't seem to.
    dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcUniqueConfig
    olcOverlay: unique
    olcUniqueURI: ldap:///ou=dept1,o=example?uidnumber?sub ldap:///ou=dept2,o=example?uidnumber?sub
(and cf, slapd/overlays/unique.c:unique_new_domain).
When I configure a server with this, and load two entities with the same uidNumber, the server doesn't object. I'm clearly misunderstanding something.
The slapo-unique(5) manpage suggests that having two URIs juxtaposed like this is syntactically OK, but it doesn't make clear the semantics of this. I'd guessed that the above configuration would create a 'domain' which is the union of the two subtrees, but that doesn't seem to be the case.
Hi Norman, you're right, the uniqueness domains aren't specified anywhere and the overlay currently just runs through each URI independently. It also checks that the entry matches the URI as well, so a DN like "uid=u2,ou=dept1,o=example" is only checked against the first URI and dept2 wouldn't be checked.
The next best thing I can see is if you create two URIs, one for each dept2 and dept3 more or less like this:
    ldap:///?uidnumber?sub?(|\
        (entryDN:dnSubtreeMatch:=ou=dept1,o=example)
        (entryDN:dnSubtreeMatch:=ou=dept2,o=example))
    ldap:///?uidnumber?sub?(|\
        (entryDN:dnSubtreeMatch:=ou=dept1,o=example)
        (entryDN:dnSubtreeMatch:=ou=dept3,o=example))
That should trigger exactly as you need and cover the relevant parts of the tree. Not sure it works when there's a lot of gluing going on but worth a try.
Regards,
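
The per-URI behaviour described in this thread, as a simplified Python model added here as an example (it is not OpenLDAP code and not from either poster). It assumes each URI is evaluated independently, that an entry is only checked against URIs it matches, and that the entryDN filter is applied to both the new entry and the existing ones; `Domain`, `would_reject` and the sample entries are constructed for illustration.

```python
# Simplified model of the per-URI check described in the thread; not OpenLDAP code.

def in_subtree(dn, base):
    """True if dn is base or lies beneath it (naive case-insensitive match)."""
    dn, base = dn.lower(), base.lower()
    return base == "" or dn == base or dn.endswith("," + base)

class Domain:
    """One uniqueness URI: base, attribute, and optionally the subtrees named
    in an (|(entryDN:dnSubtreeMatch:=...)...) filter."""
    def __init__(self, base, attr, filter_subtrees=None):
        self.base, self.attr, self.filter_subtrees = base, attr, filter_subtrees

    def matches(self, dn):
        if not in_subtree(dn, self.base):
            return False
        if self.filter_subtrees is None:
            return True
        return any(in_subtree(dn, s) for s in self.filter_subtrees)

def would_reject(domains, directory, new_dn, new_attrs):
    """Evaluate every URI on its own: skip it unless the new entry matches,
    then look for the same value only among entries matching that URI."""
    for d in domains:
        if not d.matches(new_dn) or d.attr not in new_attrs:
            continue
        for dn, attrs in directory.items():
            if dn != new_dn and d.matches(dn) and attrs.get(d.attr) == new_attrs[d.attr]:
                return True
    return False

# Constructed sample data (attribute names lower-cased for simplicity).
DIRECTORY = {"uid=u1,ou=dept1,o=example": {"uidnumber": "1001"}}
TWO_URIS = [Domain("ou=dept1,o=example", "uidnumber"),
            Domain("ou=dept2,o=example", "uidnumber")]
UNION_FILTER = [Domain("", "uidnumber",
                       ["ou=dept1,o=example", "ou=dept2,o=example"])]

if __name__ == "__main__":
    dup = ("uid=u2,ou=dept2,o=example", {"uidnumber": "1001"})
    print("two URIs reject:", would_reject(TWO_URIS, DIRECTORY, *dup))
    print("union filter rejects:", would_reject(UNION_FILTER, DIRECTORY, *dup))
```

With two separate subtree URIs the cross-department duplicate is accepted, while the single filtered URI rooted at the database suffix rejects it.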