Provided by: slapd_2.5.18+dfsg-0ubuntu0.22.04.2_amd64 bug

NAME

       slapo-unique - Attribute Uniqueness overlay to slapd

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The  Attribute Uniqueness overlay can be used with a backend database such as slapd-mdb(5)
       to enforce the uniqueness of some or all attributes within a scope. This subtree  defaults
       to  all  objects  within  the  subtree of the database for which the Uniqueness overlay is
       configured.

       Uniqueness is enforced by  searching  the  subtree  to  ensure  that  the  values  of  all
       attributes  presented with an add, modify or modrdn operation are unique within the scope.
       For example, if uniqueness were enforced for the  uid  attribute,  the  subtree  would  be
       searched  for any other records which also have a uid attribute containing the same value.
       If any are found, the request is rejected.

       The search is performed using the rootdn of  the  database,  to  avoid  issues  with  ACLs
       preventing  the  overlay  from seeing all of the relevant data. As such, the database must
       have a rootdn configured.

CONFIGURATION

       These slapd.conf options apply to the Attribute Uniqueness overlay.   They  should  appear
       after the overlay directive.

       unique_uri <[strict ][ignore ][serialize ]URI[[ URI...]...]>
              Configure  the  base,  attributes,  scope,  and  filter  for  uniqueness  checking.
              Multiple URIs may be specified within a  domain,  allowing  complex  selections  of
              objects.   Multiple  unique_uri  statements  or  olcUniqueURI attribute values will
              create independent domains, each with their  own  independent  lists  of  URIs  and
              ignore/strict settings.

              Keywords  strict,  ignore, and serialize have to be enclosed in quotes (") together
              with the URI when using deprecated slapd.conf configurations.

              The LDAP URI syntax is a subset of RFC-4516, and takes the form:

              ldap:///[base dn]?[attributes...]?scope[?filter]

              The base dn defaults to that of the back-end database.  Specified base dns must  be
              within the subtree of the back-end database.

              If no attributes are specified, the URI applies to all non-operational attributes.

              The  scope  component  is  effectively mandatory, because LDAP URIs default to base
              scope, which is not valid for uniqueness, because groups of one object  are  always
              unique.  Scopes of sub (for subtree) and one for one-level are valid.

              The  filter  component  causes  the  domain to apply uniqueness constraints only to
              matching objects.  e.g.  ldap:///?cn?sub?(sn=e*) would require unique cn attributes
              for all objects in the subtree of the back-end database whose sn starts with an e.

              It  is  possible  to  assert  uniqueness upon all non-operational attributes except
              those listed  by  prepending  the  keyword  ignore  If  not  configured,  all  non-
              operational (e.g., system) attributes must be unique. Note that the attributes list
              of an ignore URI should generally contain the objectClass, dc, ou and o attributes,
              as these will generally not be unique, nor are they operational attributes.

              It  is  possible to set strict checking for the uniqueness domain by prepending the
              keyword strict.  By default, uniqueness is not enforced for null  values.  Enabling
              strict  mode  extends  the  concept of uniqueness to include null values, such that
              only one attribute within  a  subtree  will  be  allowed  to  have  a  null  value.
              Strictness  applies to all URIs within a uniqueness domain, but some domains may be
              strict while others are not.

              It is possible to enforce strict serialization of modifications by  prepending  the
              keyword  serialize.   By  default,  no  serialization  is  performed,  so  multiple
              modifications  occurring  nearly  simultaneously  may  see  incomplete   uniqueness
              results.   Using serialize will force individual write operations to fully complete
              before allowing any others to proceed, to ensure that each  operation's  uniqueness
              checks are consistent.

       It  is  not  possible  to  set  both URIs and legacy slapo-unique configuration parameters
       simultaneously. In general, the legacy configuration options control pieces  of  a  single
       unfiltered subtree domain.

       unique_base <basedn>
              This legacy configuration parameter should be converted to the base dn component of
              the above unique_uri style of parameter.

       unique_ignore <attribute...>
              This legacy configuration parameter should be converted to a  unique_uri  parameter
              with ignore keyword as described above.

       unique_attributes <attribute...>
              This  legacy configuration parameter should be converted to a unique_uri parameter,
              as described above.

       unique_strict <attribute...>
              This legacy configuration  parameter  should  be  converted  to  a  strict  keyword
              prepended to a unique_uri parameter, as described above.

CAVEATS

       unique_uri cannot be used with the old-style of configuration, and vice versa.  unique_uri
       can implement everything the older system can do, however.

       Typical attributes for the ignore ldap:///...  URIs are intentionally not  hardcoded  into
       the overlay to allow for maximum flexibility in meeting site-specific requirements.

       Replication  and operations with the relax control are allowed to bypass this enforcement.
       It is therefore important that all servers accepting writes have this  overlay  configured
       in order to maintain uniqueness in a replicated DIT.

FILES

       /etc/ldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5), slapd-config(5).