Provided by: slapd_2.4.25-1.1ubuntu4_i386 bug

NAME

       slapo-constraint - Attribute Constraint Overlay to slapd

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The  constraint  overlay  is used to ensure that attribute values match
       some  constraints  beyond  basic  LDAP  syntax.   Attributes  can  have
       multiple  constraints  placed upon them, and all must be satisfied when
       modifying an attribute value under constraint.

       This overlay is intended to be used to force syntactic regularity  upon
       certain  string represented data which have well known canonical forms,
       like telephone numbers, post codes, FQDNs, etc.

       It constrains only LDAP add, modify and rename commands and only  seeks
       to control the add and replace values of modify and rename requests.

       No  constraints  are  applied  for  operations performed with the relax
       control set.

CONFIGURATION

       This slapd.conf option applies to the constraint  overlay.   It  should
       appear after the overlay directive.

       constraint_attribute  <attribute_name>[,...]  <type>  <value>  [<extra>
       [...]]
              Specifies the  constraint  which  should  apply  to  the  comma-
              separated  attribute  list  named  as the first parameter.  Five
              types of constraint  are  currently  supported  -  regex,  size,
              count, uri, and set.

              The  parameter  following the regex type is a Unix style regular
              expression (See regex(7) ). The parameter following the uri type
              is  an  LDAP  URI.  The  URI will be evaluated using an internal
              search.  It must not include a hostname, and it must  include  a
              list of attributes to evaluate.

              The  parameter  following  the  set  type  is  a  string that is
              interpreted according to the syntax in use for ACL  sets.   This
              allows  to  construct  constraints  based on the contents of the
              entry.

              The size type can be used to enforce a  limit  on  an  attribute
              length,  and  the  count  type limits the number of values of an
              attribute.

              Extra parameters can occur in any order  after  those  described
              above.

              <extra> : restrict=<uri>

              This  extra  parameter allows to restrict the application of the
              corresponding constraint only to entries that  match  the  base,
              scope  and  filter  portions  of  the  LDAP  URI.   The base, if
              present, must be within the naming context of the database.  The
              scope  is  only  used  when  the base is present; it defaults to
              base.  The other parameters of the URI are not allowed.

       Any attempt to add  or  modify  an  attribute  named  as  part  of  the
       constraint  overlay  specification  which  does  not fit the constraint
       listed will fail with a LDAP_CONSTRAINT_VIOLATION error.

EXAMPLES

              overlay constraint
              constraint_attribute jpegPhoto size 131072
              constraint_attribute userPassword count 3
              constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
              constraint_attribute title uri
                ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
              constraint_attribute cn,sn,givenName set
                "(this/givenName + [ ] + this/sn) & this/cn"
                restrict="ldap:///ou=People,dc=example,dc=com??sub?(objectClass=inetOrgPerson)"

       A specification like the above would reject any  mail  attribute  which
       did  not  look like <alpha-numeric string>@mydomain.com.  It would also
       reject any title attribute whose values were not listed  in  the  title
       attribute  of  any  titleCatalog entries in the given scope. (Note that
       the  "dc=catalog,dc=example,dc=com"  subtree  ought  to  reside  in   a
       separate  database,  otherwise  the initial set of titleCatalog entries
       could not be populated while the constraint is in effect.)  Finally, it
       requires  the  values  of the attribute cn to be constructed by pairing
       values of the attributes sn and givenName, separated by  a  space,  but
       only for entries derived from the objectClass inetOrgPerson.

FILES

       /etc/ldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd-config(5),

ACKNOWLEDGEMENTS

       This  module  was written in 2005 by Neil Dunbar of Hewlett-Packard and
       subsequently extended by Howard Chu  and  Emmanuel  Dreyfus.   OpenLDAP
       Software   is   developed   and  maintained  by  The  OpenLDAP  Project
       <http://www.openldap.org/>.   OpenLDAP   Software   is   derived   from
       University of Michigan LDAP 3.3 Release.