On 24/08/2015 15:05, Simone Taliercio wrote:
Hi All!
I'm trying to enforce the fact that the mail attribute has to be unique. In order to do it I tried to enable the unique overlay. Unfortunately, OpenLDAP still allows inserting an object with the same mail value.
I cannot understand where the wrong configuration occurs.
My config is still based on slapd.conf. I've recompiled OpenLDAP with the following steps:
a) ./configure --enable-modules=yes --enable-rlookups=yes --with-tls --with-cyrus-sasl --enable-mdb=yes --enable-bdb=yes --enable-monitor=yes --enable-unique
b) make depend
c) make
d) make install
Then, I added these lines to my slapd.conf:
overlay unique
unique_uri ldap:///?mail?sub
So, my develop slapd.conf looks like the one below now.
Thanks a lot for any hints you can give me!
Simone
=== slapd.conf ====
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

database config
rootdn "cn=admin,cn=config"

# Security - TLS section
TLSCACertificateFile /certs/CA.pem
TLSCertificateFile /certs/certificate.cer
TLSCertificateKeyFile /certs/company.key
TLSCipherSuite TLSv1+RSA:!NULL
TLSVerifyClient never

# Use LMDB database.
database mdb
overlay unique
suffix "dc=com"
rootdn "cn=Manager,dc=com"
maxsize 16058941440
rootpw secret
directory /usr/local/var/openldap-data/databases/com
index mail eq
index cn eq
index objectClass eq

# mail is a unique attribute
unique_uri ldap:///?mail?sub?

access to dn.subtree="ou=user,dc=company1,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company1,dc=com" search
    by anonymous auth
access to dn.subtree="ou=user,dc=company2,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company2,dc=com" write
    by anonymous auth
access to dn.subtree="dc=com"
    by users read
    by anonymous auth
Hi,
you should declare the overlay below the database, like this:
# Use LMDB database.
database mdb
suffix "dc=com"
rootdn "cn=Manager,dc=com"
maxsize 16058941440
rootpw secret
directory /usr/local/var/openldap-data/databases/com
index mail eq
index cn eq
index objectClass eq

access to dn.subtree="ou=user,dc=company1,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company1,dc=com" search
    by anonymous auth
access to dn.subtree="ou=user,dc=company2,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company2,dc=com" write
    by anonymous auth
access to dn.subtree="dc=com"
    by users read
    by anonymous auth

# mail is a unique attribute
overlay unique
unique_uri ldap:///?mail?sub?
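A small ordering check for the problem in this thread, added here as an example (not OpenLDAP code or anything from the posters): it walks a slapd.conf fragment and reports database directives that land after an `overlay` line, or an `unique_uri` with no `overlay unique` before it. The rule it encodes is the advice in the reply above; the set of directives treated as database-level is my own assumption, and the two fragments are reduced copies of the configs posted in the thread.

```python
# Ordering check for slapd.conf: overlays and the directives they own must come
# after the database's own directives (the fix suggested in the reply above).

# Directives assumed to configure the backend database itself.
DATABASE_DIRECTIVES = {"suffix", "rootdn", "rootpw", "directory", "maxsize", "index", "access"}
# Directives owned by an overlay, mapped to the overlay that must precede them.
OVERLAY_DIRECTIVES = {"unique_uri": "unique"}


def parse_slapd_conf(text):
    """Yield (directive, arguments) pairs; blank lines and '#' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def check_overlay_placement(text):
    """Return a list of ordering problems in a slapd.conf fragment (empty list means OK)."""
    problems = []
    overlay = None  # overlay most recently stacked on the current database section
    for name, args in parse_slapd_conf(text):
        if name == "database":
            overlay = None  # each database section starts with an empty overlay stack
        elif name == "overlay":
            overlay = args
        elif name in DATABASE_DIRECTIVES and overlay:
            problems.append(f"'{name}' follows 'overlay {overlay}': "
                            "move the overlay block below the database's own directives")
        elif name in OVERLAY_DIRECTIVES and overlay != OVERLAY_DIRECTIVES[name]:
            problems.append(f"'{name}' has no preceding 'overlay {OVERLAY_DIRECTIVES[name]}' line")
    return problems


# Reduced copies of the two configs from the thread (constructed sample input).
BROKEN = """database mdb
overlay unique
suffix "dc=com"
rootdn "cn=Manager,dc=com"
directory /usr/local/var/openldap-data/databases/com
index mail eq
unique_uri ldap:///?mail?sub?
access to dn.subtree="dc=com" by users read by anonymous auth
"""

FIXED = """database mdb
suffix "dc=com"
rootdn "cn=Manager,dc=com"
directory /usr/local/var/openldap-data/databases/com
index mail eq
access to dn.subtree="dc=com" by users read by anonymous auth
overlay unique
unique_uri ldap:///?mail?sub?
"""

if __name__ == "__main__":
    for label, conf in (("original", BROKEN), ("corrected", FIXED)):
        print(label, check_overlay_placement(conf) or "OK")
```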