Hi Guys,

Finally I understood my errors and I got the unique overlay working. For posterity, I'm going to list them and fixes here:

1) I recompiled OpenLDAP with the flag --enable-unique . Checking "./configure --help" let me understood that I had to use --enable-unique=yes

2) For testing I was using JXplorer and Apache Directory Studio. At this point, I noticed a strange line in the slapd log:

"55dc142d unique_add: administrative bypass, skipping"

With a short google search I found a thread here in the group: http://www.openldap.org/lists/openldap-technical/201307/msg00193.html

3) So, I moved to ldapadd cmd line and finally I got:

ldap_add: Constraint violation (19)
    additional info: some attributes not unique

I do not completely understand the ManageDsaIT control, but I guess that it shouldn't happen (I mean, a way to workaround the server constraints such as attrinute uniqueness).

Fallback question: is there a way to prevent those Java tools to insert object with duplicate mails ?

Thanks a LOT for your help. I find OpenLDAP amazing!


2015-08-24 15:05 GMT+02:00 Simone Taliercio <simonetaliercio@gmail.com>:
Hi All!

I'm trying to enforce the fact that the mail attribute has to be unique. In order to do it I tried to enable the unique overlay. Unfortunately, OpenLDAP still allow to insert an object with the same mail value.

I cannot understand where the wrong configuration occurs.

My config is still based con slapd.conf . I've recompiled OpenLDAP with the following steps:

a) ./configure --enable-modules=yes --enable-rlookups=yes --with-tls --with-cyrus-sasl --enable-mdb=yes --enable-bdb=yes --enable-monitor=yes --enable-unique

b) make depend
c) make
d) make install

Then, I added those lines to my slapd.conf
overlay unique
unique_uri ldap:///?mail?sub

So, my develop slapd.conf looks like the one below now.

Thanks a lot for any hints you can give me!


=== slapd.conf ====
include        /usr/local/etc/openldap/schema/core.schema
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema
include        /usr/local/etc/openldap/schema/nis.schema

pidfile        /usr/local/var/run/slapd.pid
argsfile    /usr/local/var/run/slapd.args

database config
rootdn "cn=admin,cn=config"

# Security - TLS section
TLSCACertificateFile /certs/CA.pem
TLSCertificateFile /certs/certificate.cer
TLSCertificateKeyFile /certs/company.key
TLSCipherSuite TLSv1+RSA:!NULL
TLSVerifyClient never

# Use LMDB database.
database    mdb
overlay     unique
suffix        "dc=com"
rootdn        "cn=Manager,dc=com"
maxsize        16058941440
rootpw        secret
directory    /usr/local/var/openldap-data/databases/com
index mail eq
index cn eq
index objectClass eq

# mail is a unique attribute
unique_uri ldap:///?mail?sub?

access to dn.subtree="ou=user,dc=company1,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company1,dc=com" search
    by anonymous auth

access to dn.subtree="ou=user,dc=company2,dc=com" attrs=cn,sn,givenName,mail,userPassword   
    by dn.exact="cn=specificuser,ou=user,dc=company2,dc=com" write
    by anonymous auth
access to dn.subtree="dc=com"
    by users read
    by anonymous auth