Hi all,
to answer / correct my own mail. I had an off-by-one with the versions I think. 2.2 did not have the refint overlay, at least not in code, so we might moved from 2.3 to 2.5 but I can't remember. It still stands that at some time refint lost the feature that it ensured validity of add/modify operations of references to other objects.
In the meanwhile I found: https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/m... where Michael Ströder pointed out that the attribute has to be entryDN. with
olcConstraintAttribute: member uri ldap:///dc=example,dc=com?entryDN?sub?(objectClass=*)
everything works now. I have no clue why slapd segfaults with a wrong attribute specified in the olcConstraintAttribute URI but it now works.
Best, Adrian
On 2025-04-11 21:51, Adrian Nöthlich wrote:
Hello all,
we want to ensure that all entries added to the member and manager attributes are valid DNs and point to existing objects in our LDAP. We had the refint overlay do this on version 2.2 but as it seems 2.3 removed this undocumented feature. We lately moved to 2.5 and have issues with faulty entries.
When I tried to configure the overlay with:
olcConstraintAttribute: member uri ldap:///dc=example,dc=com?dn?sub?(objectClass=*)
or
olcConstraintAttribute: member uri ldap:///dc=example,dc=com??sub?(objectClass=*)
or both URIs with an actual objectClass specified, my slapd (2.5.19) crashes on the URI verification step as it seems.
Is my usage of the overlay itself correct (including the URI) or is there a better way to ensure the existence of an referenced object?
Thanks a lot!
Best, Adrian