bionic (5) slapo-constraint.5.gz

Provided by: slapd_2.4.45+dfsg-1ubuntu1.11_amd64 bug

NAME

       slapo-constraint - Attribute Constraint Overlay to slapd

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The  constraint  overlay is used to ensure that attribute values match some constraints beyond basic LDAP
       syntax.  Attributes can have multiple constraints placed upon  them,  and  all  must  be  satisfied  when
       modifying an attribute value under constraint.

       This  overlay  is  intended to be used to force syntactic regularity upon certain string represented data
       which have well known canonical forms, like telephone numbers, post codes, FQDNs, etc.

       It constrains only LDAP add, modify and rename commands and only seeks to control  the  add  and  replace
       values of modify and rename requests.

       No constraints are applied for operations performed with the relax control set.

CONFIGURATION

       This slapd.conf option applies to the constraint overlay.  It should appear after the overlay directive.

       constraint_attribute <attribute_name>[,...] <type> <value> [<extra> [...]]
              Specifies  the  constraint  which  should apply to the comma-separated attribute list named as the
              first parameter.  Five types of constraint are currently supported - regex, size, count, uri,  and
              set.

              The  parameter  following  the  regex type is a Unix style regular expression (See regex(7) ). The
              parameter following the uri type is an LDAP URI. The URI  will  be  evaluated  using  an  internal
              search.  It must not include a hostname, and it must include a list of attributes to evaluate.

              The  parameter  following  the set type is a string that is interpreted according to the syntax in
              use for ACL sets.  This allows one to construct constraints based on the contents of the entry.

              The size type can be used to enforce a limit on an attribute length, and the count type limits the
              number of values of an attribute.

              Extra parameters can occur in any order after those described above.

              <extra> : restrict=<uri>

              This  extra  parameter allows one to restrict the application of the corresponding constraint only
              to entries that match the base, scope and filter portions of the LDAP URI.  The base, if  present,
              must  be  within  the  naming  context  of  the database.  The scope is only used when the base is
              present; it defaults to base.  The other parameters of the URI are not allowed.

       Any attempt to add or modify an attribute named as part of the  constraint  overlay  specification  which
       does not fit the constraint listed will fail with a LDAP_CONSTRAINT_VIOLATION error.

EXAMPLES

              overlay constraint
              constraint_attribute jpegPhoto size 131072
              constraint_attribute userPassword count 3
              constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
              constraint_attribute title uri
                ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
              constraint_attribute cn,sn,givenName set
                "(this/givenName + [ ] + this/sn) & this/cn"
                restrict="ldap:///ou=People,dc=example,dc=com??sub?(objectClass=inetOrgPerson)"

       A  specification  like  the  above would reject any mail attribute which did not look like <alpha-numeric
       string>@mydomain.com.  It would also reject any title attribute whose values were not listed in the title
       attribute  of  any titleCatalog entries in the given scope. (Note that the "dc=catalog,dc=example,dc=com"
       subtree ought to reside in a separate database, otherwise the initial set of titleCatalog  entries  could
       not be populated while the constraint is in effect.)  Finally, it requires the values of the attribute cn
       to be constructed by pairing values of the attributes sn and givenName, separated by a  space,  but  only
       for entries derived from the objectClass inetOrgPerson.

FILES

       /etc/ldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd-config(5),

ACKNOWLEDGEMENTS

       This module was written in 2005 by Neil Dunbar of Hewlett-Packard and subsequently extended by Howard Chu
       and  Emmanuel  Dreyfus.   OpenLDAP  Software  is  developed  and  maintained  by  The  OpenLDAP   Project
       <http://www.openldap.org/>.   OpenLDAP  Software  is  derived  from  the  University of Michigan LDAP 3.3
       Release.