HP-UX Directory Server 8.1 administrator guide

The Attribute Uniqueness Plug-in can operate in specific, user-defined ways:

It can check every entry in the specified subtrees.
For example, if a company, example.com, hosts the directories for example_a.com and
example_b.com, when an entry such as
uid=jdoe,ou=people,o=example_a,dc=example,dc=com is added, uniqueness
needs to be enforced only in the o=example_a,dc=example,dc=com subtree. This is
done by listing the DN of the subtree explicitly in the Attribute Uniqueness Plug-in
configuration.

It can take an object class that identifies an entry in the DN of the updated entry and
perform the uniqueness check on all the entries beneath that entry.
This option is useful in hosted environments. For example, when adding an entry such as
uid=jdoe,ou=people,o=example_a,dc=example,dc=com, uniqueness can be enforced under
the o=example_a,dc=example,dc=com subtree without listing this subtree explicitly in
the configuration, by indicating a marker object class instead. If the marker object class
is set to organization, the uniqueness check algorithm locates the entry in the DN that
has this object class (o=example_a) and performs the check on all entries beneath it.

Additionally, it is possible to check uniqueness only if the updated entry includes a specified
object class. For example, a check may be performed only if the updated entry includes
objectclass=inetorgperson.
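
The scoping options described above, as an added example: a toy in-memory model, not the plug-in's code or configuration. The names violates, scopes, subtrees, marker_oc and required_oc are hypothetical, the sample tree is constructed, and picking the nearest ancestor with the marker object class is an assumption.

```python
# Toy in-memory model (added illustration), not the plug-in's implementation.
# DNs and object classes are matched as plain lower-case strings here.

def parent(dn):
    """Return the parent DN, or None at the top of the tree."""
    return dn.split(",", 1)[1] if "," in dn else None

def under(dn, base):
    """True if dn is base itself or lies beneath it."""
    return dn == base or dn.endswith("," + base)

def scopes(directory, new_dn, subtrees=(), marker_oc=None):
    """Subtrees in which the new entry's value must be unique."""
    if marker_oc is None:
        # Explicitly listed subtrees that contain the new entry.
        return [s for s in subtrees if under(new_dn, s)]
    # Marker object class: walk up the DN (assumed: nearest match wins).
    dn = parent(new_dn)
    while dn is not None:
        if marker_oc in directory.get(dn, {}).get("objectclass", []):
            return [dn]
        dn = parent(dn)
    return []

def violates(directory, new_dn, entry, attr, subtrees=(), marker_oc=None, required_oc=None):
    """Return the DN of a conflicting entry, or None if the add is allowed."""
    if required_oc and required_oc not in entry.get("objectclass", []):
        return None  # entry lacks the required class: no check performed
    values = set(entry.get(attr, []))
    for base in scopes(directory, new_dn, subtrees, marker_oc):
        for dn, other in directory.items():
            if dn != new_dn and under(dn, base) and values & set(other.get(attr, [])):
                return dn
    return None

# Constructed sample tree for the hosted example.com scenario.
DIRECTORY = {
    "dc=example,dc=com": {"objectclass": ["domain"]},
    "o=example_a,dc=example,dc=com": {"objectclass": ["organization"]},
    "o=example_b,dc=example,dc=com": {"objectclass": ["organization"]},
    "ou=people,o=example_a,dc=example,dc=com": {"objectclass": ["organizationalunit"]},
    "ou=people,o=example_b,dc=example,dc=com": {"objectclass": ["organizationalunit"]},
    "uid=jdoe,ou=people,o=example_b,dc=example,dc=com": {"objectclass": ["inetorgperson"], "uid": ["jdoe"]},
}
JDOE_A = "uid=jdoe,ou=people,o=example_a,dc=example,dc=com"
JDOE = {"objectclass": ["inetorgperson"], "uid": ["jdoe"]}
```

With the constructed tree, adding uid=jdoe under o=example_a is allowed when the scope is that organization's subtree and conflicts with the example_b entry only when the scope is widened to dc=example,dc=com.
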
Directory Server provides a default instance of the Attribute Uniqueness Plug-in for the uid
attribute when the Directory Server is first set up. This plug-in instance ensures that values
given to the uid attribute are unique in the root suffix (the suffix corresponding to the userRoot
database).
This plug-in is disabled by default because it affects the operation of multi-master replication.
For information on using the attribute uniqueness plug-in in a replicated environment, see
“Replication and the attribute uniqueness plug-in”.
3.7.2 Attribute uniqueness plug-in syntax
Configuration information for the Attribute Uniqueness Plug-in is specified in an entry under
the cn=plugins,cn=config entry. There are two possible syntaxes for the nsslapd-pluginarg
attributes.
NOTE:
To enforce uniqueness of an attribute other than the ones in these examples, copy and paste the
default Attribute Uniqueness Plug-in entry, taking care to change only the attributes described
here.
Use the following syntax to perform the uniqueness check under a suffix or subtree:
dn: cn=descriptive_plugin_name,cn=plugins,cn=config
...
nsslapd-pluginEnabled: state
nsslapd-pluginarg0: attribute_name
nsslapd-pluginarg1: dn1
nsslapd-pluginarg2: dn2
...
Any value can be given to the cn attribute to name the plug-in. The name should be
descriptive.
The cn attribute does not contain the name of the attribute that is checked for uniqueness.
Only one attribute can be specified on which the uniqueness check will be performed.
It is possible to specify several DNs of suffixes or subtrees in which to perform the uniqueness
check by incrementing the nsslapd-pluginarg attribute suffix by one each time.