[389-users] Uniqueness Attribute for specific objects in a specific subtree

Noriko Hosoi nhosoi at redhat.com
Mon Apr 30 17:16:43 UTC 2012


John A. Sullivan III wrote:
> On Fri, 2012-04-27 at 18:09 -0700, Marc Sauton wrote:
>> On 04/27/2012 02:35 PM, John A. Sullivan III wrote:
>>> Hello, all.  We would like to enforce unique cn for groupofuniquenames
>>> only and only under a specific part of the DIT.
>>>
>>> I'll illustrate with:
>>> O=Internal,DC=mycompany,DC=com
>>> O=External,DC=mycompany,DC=com
>>>
>>> So we want to enforce unique CNs on groups under Internal but not under
>>> External and only CNs on groups (because our current DN based uniqueness
>>> constraint on CN means we can't create multiple password policy
>>> nscontainer objects under Internal).
>>>
>>> If we configure set nsslapd-pluginarg1 to
>>> "O=Internal,DC=mycompany,DC=com", we enforce uniqueness in that
>>> container but for all objects.
>>>
>>> Although we haven't tried it (lest we create a bigger problem than we
>>> already have!), I believe it we set nsslapd-pluginarg1 to
>>> markerObjectClass=O and nsslapd-pluginarg2 to
>>> requiredObjectClass=groupofuniquenames, it will enforce CN uniqueness on
>>> groups but will do so both in Internal AND External.  Is that correct?
>>>
>>> So is it possible to combine them somehow to achieve what we want?
>>> Thanks - John
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>> Unless I am incorrect, this could be a RFE, attribute uniqueness is
>> currently implemented for a specific attribute in either a suffix or
>> subtree, or defined by objectclass in the whole tree, not both.
>>
>> It depends how those groups are organized, the subtree or suffix
>> definition could be enough, using something similar to:
>> nsslapd-pluginarg0: some-attribute
>> nsslapd-pluginarg1: some-suffix-or-subtree-dn
>>
>> For example, in IPA, for a CN uniqueness in a netgroup subtree
>> cn=ng,cn=alt,dc=example,dc=com:
>>
>> dn: cn=netgroup uniqueness,cn=plugins,cn=config
>> objectClass: top
>> objectClass: nsSlapdPlugin
>> objectClass: extensibleObject
>> cn: netgroup uniqueness
>> nsslapd-pluginPath: libattr-unique-plugin
>> nsslapd-pluginInitfunc: NSUniqueAttr_Init
>> nsslapd-pluginType: preoperation
>> nsslapd-pluginEnabled: on
>> nsslapd-pluginarg0: cn
>> nsslapd-pluginarg1: cn=ng,cn=alt,dc=example,dc=com
>> nsslapd-plugin-depends-on-type: database
>> nsslapd-pluginId: NSUniqueAttr
>> nsslapd-pluginVersion: 1.2.9.14
>> nsslapd-pluginVendor: 389 Project
>> nsslapd-pluginDescription: Enforce unique attribute values
>>
>> I believe the markerObjectClass and requiredObjectClass are not designed
>> to be mixed with the suffix or subtree definitions of the attribute
>> uniqueness plug-in, for markerObjectClass.
>> The subtree is defined by location of marker object class, or its parent
>> entry, so if the scope is controlled with requiredObjectClass
>> groupofuniquenames it may parse entries in both subtrees internal and
>> external in your example.
>> It seems to me you cannot use both definitions, but I could be wrong.
>>
>> Reference:
>> ldap/servers/plugins/uiduniq/uid.c
>> and
>> 5.1.4.2. Specifying One Attribute and Multiple Subtrees
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/pdf/Administration_Guide/Red_Hat_Directory_Server-9.0-Administration_Guide-en-US.pdf
>>
>> M.
> Thank you, Marc.  That's how I read it, too, unfortunately.
>
> I wonder if there is another way around our real problem.  Using the
> same example as above:
> O=Internal,DC=mycompany,DC=com
> O=External,DC=mycompany,DC=com
>
> we need to create subtree password policies for various OUs under
> O=Internal which is also where we need cn uniqueness for groups.  The
> problem, I think, is that we need nsContainer objects at each OU with a
> password policy where the cn is specifically "nsPwPolicyContainer".
> Since that is the cn for several different objects, we are getting
> duplicate errors on all attempts to create the custom password policy
> after the first one.  I assume there is no way to exempt a specific
> object from a uniqueness constraint, is there? Thanks - John
>
It may make the db topology more complicated, but how about making 
O=Internal and O=External sub suffixes of DC=mycompany,DC=com?

That way you could make these 2 trees independent from each other...

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases.html
--noriko
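To make the scoping difference that Marc and John discuss above concrete, here is an added example (my own, not code from the thread or from 389 DS) that models the two ways the attribute-uniqueness plug-in can be scoped, a subtree DN in nsslapd-pluginarg1 versus markerObjectClass/requiredObjectClass, so a proposed configuration can be dry-run against the O=Internal / O=External layout before it is applied to cn=config. It assumes the O= entries carry objectClass "organization" as the marker class, and the sample DIT is constructed.

```python
# Added example (not code from the thread or from 389 DS): in-memory model of the
# attribute-uniqueness plug-in's two scoping modes, for dry-running a proposed
# config against the DIT layout above. Assumed marker objectClass: "organization".
def parent_dn(dn):  # strip the first RDN; sample DNs have no escaped commas
    return dn.split(",", 1)[1] if "," in dn else ""
def is_under(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)
def has_oc(entry, oc):
    return oc.lower() in (o.lower() for o in entry.get("objectClass", []))

class UniquenessCheck:
    # attr = nsslapd-pluginarg0; subtree = DN form of nsslapd-pluginarg1;
    # marker_oc / required_oc = the markerObjectClass / requiredObjectClass form.
    def __init__(self, attr, subtree=None, marker_oc=None, required_oc=None):
        self.attr, self.subtree = attr, subtree
        self.marker_oc, self.required_oc = marker_oc, required_oc

    def scope_for(self, dit, dn):  # base DN of the uniqueness search, or None
        if self.subtree:
            return self.subtree if is_under(dn, self.subtree) else None
        cur = parent_dn(dn)  # marker mode: nearest ancestor carrying marker_oc
        while cur and not has_oc(dit.get(cur, {}), self.marker_oc):
            cur = parent_dn(cur)
        return cur or None

    def rejects(self, dit, dn, entry):  # would adding entry at dn be refused?
        if self.required_oc and not has_oc(entry, self.required_oc):
            return False  # this entry type is never subject to the check
        if (scope := self.scope_for(dit, dn)) is None:
            return False  # outside every enforced scope
        new_vals = {v.lower() for v in entry.get(self.attr, [])}
        for odn, other in dit.items():
            if odn.lower() == dn.lower() or not is_under(odn, scope):
                continue
            if self.required_oc and not has_oc(other, self.required_oc):
                continue
            if new_vals & {v.lower() for v in other.get(self.attr, [])}:
                return True
        return False

BASE = "dc=mycompany,dc=com"  # constructed sample DIT with the thread's layout
DIT = {"o=Internal," + BASE: {"objectClass": ["organization"]},
       "o=External," + BASE: {"objectClass": ["organization"]},
       "cn=nsPwPolicyContainer,ou=Sales,o=Internal," + BASE:
           {"objectClass": ["nsContainer"], "cn": ["nsPwPolicyContainer"]},
       "cn=admins,o=External," + BASE:
           {"objectClass": ["groupOfUniqueNames"], "cn": ["admins"]}}
SUBTREE_CFG = UniquenessCheck("cn", subtree="o=Internal," + BASE)
MARKER_CFG = UniquenessCheck("cn", marker_oc="organization", required_oc="groupOfUniqueNames")
```

With SUBTREE_CFG a second nsPwPolicyContainer under another OU of O=Internal is refused (John's symptom), while MARKER_CFG lets it through but also refuses a duplicate group cn under O=External, because the scope is whichever O= entry is nearest above the new entry.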