Michael, hello.
Thanks for your response.
On 10 Sep 2019, at 19:33, Michael Ströder wrote:
The above is invalid. Your LDIF should contain separate attribute values for each unique URI:
olcUniqueURI: ldap:///ou=dept-A,o=example?uidnumber?sub olcUniqueURI: ldap:///ou=dept-B,o=example?uidnumber?sub
The problem is that both the manpage and the source-code comments seem to state that the attribute can take multiple values. Quoting from the manpage:
Multiple URIs may be specified within a domain, allowing complex selections of objects. Multiple unique_uri statements or olcUniqueURI attributes will create independent domains
I interpret that as saying that each olcUniqueURI attribute corresponds to, or implies, an 'independent domain', and that 'Multiple URIs may be specified within a domain' indicates that a domain can be specified by multiple ldap:/// URIs (though it doesn't say, for example, whether these are composed using UNION or something else). That is, if this text _isn't_ intended to say that there may be multiple olcUniqueURI attributes, each of which can have multiple URIs, then it should be rewritten.
I would interpret your rewritten version as saying that uidnumber attributes should be unique in ou=dept-A, and that they should be unique in ou=dept-B (ie, they are independent), but not that they should be unique in (ou=dept-A UNION ou=dept-B), which is what I want.
So there is at least a documentation gap here.
Of course slapd should not run crazy because of this.
Is there enough information in my previous message for me to add a reasonable ITS report, do you think?
You can look at a running example config (cn=config read-only):
Thanks -- this is very useful (and also nudges investigating Ædir further up my list). I'll study those.
Best wishes,
Norman