Hello,
Is there a way to have a unique constraint over multiple attributes? We have different attributes for the primary email address of a person, and for additional aliases, and we'd like to enforce global uniqueness in such a way that the primary email address for one person can not be used as an email alias for another person.
The slapo-unique manpage doesn't make this very clear.
Regards
Jan Beerden wrote:
> Is there a way to have a unique constraint over multiple attributes? We have different attributes for the primary email address of a person, and for additional aliases, and we'd like to enforce global uniqueness in such a way that the primary email address for one person can not be used as an email alias for another person.
> The slapo-unique manpage doesn't make this very clear.
You can simply specify multiple attrs.
Example for old syntax:
unique_attributes uid uidNumber
Based on LDAP URLs:
unique_uri "ldap:///o=myorg?uid,uidNumber?sub?(objectClass=*)"
IIRC there's a bug with filters in unique_uri.
Ciao, Michael.
On 06/20/2012 06:43 PM, Michael Ströder wrote:
> Jan Beerden wrote:
>> Is there a way to have a unique constraint over multiple attributes? We have different attributes for the primary email address of a person, and for additional aliases, and we'd like to enforce global uniqueness in such a way that the primary email address for one person can not be used as an email alias for another person.
>> The slapo-unique manpage doesn't make this very clear.
> You can simply specify multiple attrs.
> Example for old syntax:
> unique_attributes uid uidNumber
> Based on LDAP URLs:
> unique_uri "ldap:///o=myorg?uid,uidNumber?sub?(objectClass=*)"
> IIRC there's a bug with filters in unique_uri.
> Ciao, Michael.
We already tried that. We are trying to prevent user1 from having an email alias that is the same as user2's primary email address. With this it only makes sure that an email address can exist only once in the email attribute and that an alias can exist only once in the alias attribute. What we would like is that a certain value (email address) has to be unique across both the email and the alias attribute.
Regards
Jan Beerden jan.beerden@fks.be fks bvba - Formal and Knowledge Systems http://www.fks.be/ Schampbergstraat 32 Tel: ++32-(0)11-21 49 11 B-3511 Kuringen Fax: ++32-(0)11-22 04 19
On Wed, Jun 20, 2012 at 06:43:22PM +0200, Michael Ströder wrote:
> Jan Beerden wrote:
>> Is there a way to have a unique constraint over multiple attributes? We have different attributes for the primary email address of a person, and for additional aliases, and we'd like to enforce global uniqueness in such a way that the primary email address for one person can not be used as an email alias for another person.
>> The slapo-unique manpage doesn't make this very clear.
> You can simply specify multiple attrs.
> unique_uri "ldap:///o=myorg?uid,uidNumber?sub?(objectClass=*)"
That will not have the effect that is required in this case. Each attribute listed in the unique_uri is enforced separately, so in the example above, all uid values would be unique, and all uidNumber values would be unique, but it would be quite possible to have a uid in one entry the same as the uidNumber in a different one.
To achieve what Jan wants, I would consider requiring the primary email address to also be listed as one of the aliases. A uniqueness constraint like this would then protect against one entry hijacking the address of another:
overlay unique
unique_uri "ldap:///o=myorg?primaryMail,aliasMail?sub?(objectClass=mailUser)"
The requirement for the primaryMail value to also appear as an aliasMail value could be enforced using the constraint overlay with the 'set' mechanism, something like:
overlay constraint
constraint_attribute primaryMail,aliasMail set "this/primaryMail & this/aliasMail" restrict="ldap:///o=myorg??sub?(objectClass=mailUser)"
Andrew
On 06/20/2012 09:35 PM, Andrew Findlay wrote:
> Jan Beerden wrote:
>> Is there a way to have a unique constraint over multiple attributes? We have different attributes for the primary email address of a person, and for additional aliases, and we'd like to enforce global uniqueness in such a way that the primary email address for one person can not be used as an email alias for another person.
>> The slapo-unique manpage doesn't make this very clear.
> To achieve what Jan wants, I would consider requiring the primary email address to also be listed as one of the aliases. A uniqueness constraint like this would then protect against one entry hijacking the address of another:
> overlay unique
> unique_uri "ldap:///o=myorg?primaryMail,aliasMail?sub?(objectClass=mailUser)"
> The requirement for the primaryMail value to also appear as an aliasMail value could be enforced using the constraint overlay with the 'set' mechanism, something like:
> overlay constraint
> constraint_attribute primaryMail,aliasMail set "this/primaryMail & this/aliasMail" restrict="ldap:///o=myorg??sub?(objectClass=mailUser)"
Thanks! This does exactly what we wanted.
Regards
Jan Beerden jan.beerden@fks.be fks bvba - Formal and Knowledge Systems http://www.fks.be/ Schampbergstraat 32 Tel: ++32-(0)11-21 49 11 B-3511 Kuringen Fax: ++32-(0)11-22 04 19
On 20/06/12 14:38, Jan Beerden wrote:
> On 06/20/2012 06:43 PM, Michael Ströder wrote:
>> Jan Beerden wrote:
>>> Is there a way to have a unique constraint over multiple attributes? We have different attributes for the primary email address of a person, and for additional aliases, and we'd like to enforce global uniqueness in such a way that the primary email address for one person can not be used as an email alias for another person.
>>> The slapo-unique manpage doesn't make this very clear.
>> You can simply specify multiple attrs.
>> Example for old syntax:
>> unique_attributes uid uidNumber
>> Based on LDAP URLs:
>> unique_uri "ldap:///o=myorg?uid,uidNumber?sub?(objectClass=*)"
>> IIRC there's a bug with filters in unique_uri.
>> Ciao, Michael.
> We already tried that. We are trying to prevent user1 from having an email alias that is the same as user2's primary email address. With this it only makes sure that an email address can exist only once in the email attribute and that an alias can exist only once in the alias attribute. What we would like is that a certain value (email address) has to be unique across both the email and the alias attribute.
> Regards
> Jan Beerden jan.beerden@fks.be fks bvba - Formal and Knowledge Systems http://www.fks.be/ Schampbergstraat 32 Tel: ++32-(0)11-21 49 11 B-3511 Kuringen Fax: ++32-(0)11-22 04 19
try this:
ldap:///ou=Users,ou=Accounts,o=myorg?uid,uidNumber,mail?sub?(objectClass=inetOrgPerson)
regards hhuntercu
On 06/20/2012 09:35 PM, Andrew Findlay wrote:
> The requirement for the primaryMail value to also appear as an aliasMail value could be enforced using the constraint overlay with the 'set' mechanism, something like:
> overlay constraint
> constraint_attribute primaryMail,aliasMail set "this/primaryMail & this/aliasMail" restrict="ldap:///o=myorg??sub?(objectClass=mailUser)"
> Andrew
This seemed to work at first but what this actually does is that it forces a new aliasMail to already exist in either its own primaryMail or aliasMail.
Jan Beerden jan.beerden@fks.be fks bvba - Formal and Knowledge Systems http://www.fks.be/ Schampbergstraat 32 Tel: ++32-(0)11-21 49 11 B-3511 Kuringen Fax: ++32-(0)11-22 04 19
On Thu, Jun 28, 2012 at 05:59:41PM +0200, Jan Beerden wrote:
> On 06/20/2012 09:35 PM, Andrew Findlay wrote:
>> The requirement for the primaryMail value to also appear as an aliasMail value could be enforced using the constraint overlay with the 'set' mechanism, something like:
>> overlay constraint
>> constraint_attribute primaryMail,aliasMail set "this/primaryMail & this/aliasMail" restrict="ldap:///o=myorg??sub?(objectClass=mailUser)"
>> Andrew
> This seemed to work at first but what this actually does is that it forces a new aliasMail to already exist in either its own primaryMail or aliasMail.
Sorry - I don't understand that. Could you post some examples of what works and what does not? It would be a good idea to include the slapd configuration too.
Andrew
On 06/29/2012 01:53 PM, Andrew Findlay wrote:
> On Thu, Jun 28, 2012 at 05:59:41PM +0200, Jan Beerden wrote:
>> On 06/20/2012 09:35 PM, Andrew Findlay wrote:
>>> The requirement for the primaryMail value to also appear as an aliasMail value could be enforced using the constraint overlay with the 'set' mechanism, something like:
>>> overlay constraint
>>> constraint_attribute primaryMail,aliasMail set "this/primaryMail & this/aliasMail" restrict="ldap:///o=myorg??sub?(objectClass=mailUser)"
>>> Andrew
>> This seemed to work at first but what this actually does is that it forces a new aliasMail to already exist in either its own primaryMail or aliasMail.
> Sorry - I don't understand that. Could you post some examples of what works and what does not? It would be a good idea to include the slapd configuration too.
> Andrew
This is what I did:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: constraint

dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: mail,mailAliases set "this/mail & this/mailAliases" restrict="ldap:///dc=company,dc=be??sub?(objectClass=mail-user)"

I created the following users:
userA with mail userA@company.be
userB with mail userB@company.be
When I try to create an alias for userA, it will refuse everything accept the value of its mail address. So for userA I can only create an alias userA@company.be. The same applies for userB.
Kind regards
Jan
Jan Beerden jan.beerden@fks.be fks bvba - Formal and Knowledge Systems http://www.fks.be/ Schampbergstraat 32 Tel: ++32-(0)11-21 49 11 B-3511 Kuringen Fax: ++32-(0)11-22 04 19
On Mon, Jul 02, 2012 at 12:24:09PM +0200, Jan Beerden wrote:
> dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcConstraintConfig
> olcOverlay: constraint
> olcConstraintAttribute: mail,mailAliases set "this/mail & this/mailAliases" restrict="ldap:///dc=company,dc=be??sub?(objectClass=mail-user)"
>
> I created the following users:
> userA with mail userA@company.be
> userB with mail userB@company.be
>
> When I try to create an alias for userA, it will refuse everything accept the value of its mail address.
s/accept/except/ perhaps?
> So for userA I can only create an alias userA@company.be. The same applies for userB.
Ah - I think I understand now. The constraint that I suggested applies to both mail and mailAliases attributes, so it effectively says they must be identical. You could try something like this:
olcConstraintAttribute: mail set "this/mail & this/mailAliases" restrict="ldap:///dc=company,dc=be??sub?(objectClass=mail-user)"
That would require the mail attribute to have a value that is also found in the mailAliases attribute, but should not prevent other values in mailAliases.
Andrew
On 07/04/2012 08:35 PM, Andrew Findlay wrote:
> Ah - I think I understand now. The constraint that I suggested applies to both mail and mailAliases attributes, so it effectively says they must be identical. You could try something like this:
> olcConstraintAttribute: mail set "this/mail & this/mailAliases" restrict="ldap:///dc=company,dc=be??sub?(objectClass=mail-user)"
> That would require the mail attribute to have a value that is also found in the mailAliases attribute, but should not prevent other values in mailAliases.
> Andrew
Andrew,
Thanks for your help, but this doesn't seem to work. What this does is that it prevents a single user from having duplicate mailAliases.
What I would like is to force unique values in the combined list of all mail and mailAliases attributes of all users.
Jan
Jan Beerden jan.beerden@fks.be fks bvba - Formal and Knowledge Systems http://www.fks.be/ Schampbergstraat 32 Tel: ++32-(0)11-21 49 11 B-3511 Kuringen Fax: ++32-(0)11-22 04 19
openldap-technical@openldap.org
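
An added example, not part of the original thread: an offline audit that compares the per-attribute uniqueness Andrew Findlay describes for unique_uri with the combined mail/mailAliases namespace Jan asks for, run over an LDIF export. The sample entries are constructed, and case-insensitive address matching and un-encoded (non-base64) values are assumptions.

```python
from collections import defaultdict

# Constructed sample export; attribute names follow the thread (mail, mailAliases).
SAMPLE_LDIF = """\
dn: uid=userA,dc=company,dc=be
objectClass: mail-user
mail: userA@company.be

dn: uid=userB,dc=company,dc=be
objectClass: mail-user
mail: userB@company.be
mailAliases: UserA@company.be

dn: uid=userC,dc=company,dc=be
objectClass: mail-user
mail: userC@company.be
mailAliases: userC@company.be
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; unfolds continuation lines,
    does not decode base64 ('::') values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            attrs[name.strip().lower()].append(rest.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], dict(attrs)))
    return entries

def collisions(entries, attrs, combined):
    """Map key -> sorted DNs for values held by more than one entry.
    combined=False keys on (attr, value); combined=True keys on value alone."""
    owners = defaultdict(set)
    for dn, data in entries:
        for attr in attrs:
            for value in data.get(attr.lower(), []):
                norm = value.strip().lower()  # assumption: case-insensitive match
                owners[norm if combined else (attr.lower(), norm)].add(dn)
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

if __name__ == "__main__":
    for combined in (False, True):
        print(combined, collisions(parse_ldif(SAMPLE_LDIF), ["mail", "mailAliases"], combined))
```

On the sample, the per-attribute check reports nothing while the combined check flags userB's alias against userA's primary address; userC holding its own address in both attributes is not a collision.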