On 04/27/2012 02:35 PM, John A. Sullivan III wrote:
Hello, all. We would like to enforce unique cn for groupofuniquenames
only and only under a specific part of the DIT.
I'll illustrate with:
O=Internal,DC=mycompany,DC=com
O=External,DC=mycompany,DC=com
So we want to enforce unique CNs on groups under Internal but not under
External and only CNs on groups (because our current DN based uniqueness
constraint on CN means we can't create multiple password policy
nscontainer objects under Internal).
If we set nsslapd-pluginarg1 to
"O=Internal,DC=mycompany,DC=com", we enforce uniqueness in that
container but for all objects.
Although we haven't tried it (lest we create a bigger problem than we
already have!), I believe if we set nsslapd-pluginarg1 to
markerObjectClass=O and nsslapd-pluginarg2 to
requiredObjectClass=groupofuniquenames, it will enforce CN uniqueness on
groups but will do so both in Internal AND External. Is that correct?
So is it possible to combine them somehow to achieve what we want?
Thanks - John
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
Unless I am incorrect, this could be a RFE, attribute uniqueness is
currently implemented for a specific attribute in either a suffix or
subtree, or defined by objectclass in the whole tree, not both.
It depends how those groups are organized, the subtree or suffix
definition could be enough, using something similar to:
nsslapd-pluginarg0: some-attribute
nsslapd-pluginarg1: some-suffix-or-subtree-dn
For example, in IPA, for a CN uniqueness in a netgroup subtree
cn=ng,cn=alt,dc=example,dc=com:
dn: cn=netgroup uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: netgroup uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: cn
nsslapd-pluginarg1: cn=ng,cn=alt,dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.9.14
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
I believe the markerObjectClass and requiredObjectClass are not designed
to be mixed with the suffix or subtree definitions of the attribute
uniqueness plug-in, for markerObjectClass.
The subtree is defined by location of marker object class, or its parent
entry, so if the scope is controlled with requiredObjectClass
groupofuniquenames it may parse entries in both subtrees internal and
external in your example.
It seems to me you cannot use both definitions, but I could be wrong.
Reference:
ldap/servers/plugins/uiduniq/uid.c
and
5.1.4.2. Specifying One Attribute and Multiple Subtrees
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/pdf/Administration_Guide/Red_Hat_Directory_Server-9.0-Administration_Guide-en-US.pdf
M.
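An offline pre-check for exactly the scope John asks about (only groupOfUniqueNames entries, only under O=Internal), added here as an example and not code from the thread or from the 389 project: it scans an LDIF export for CN collisions so existing data can be audited before a uniqueness plug-in is turned on. The sample LDIF is constructed, and DN normalisation is deliberately simplified (no escaped commas or multi-valued RDNs).

```python
import re
from collections import defaultdict

# Constructed sample export, not data from the thread: groups under O=Internal
# and O=External plus a password-policy nsContainer that must not be counted.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,O=Internal,DC=mycompany,DC=com
objectClass: groupOfUniqueNames
cn: admins

dn: cn=Admins,ou=legacy,O=Internal,DC=mycompany,DC=com
objectClass: groupOfUniqueNames
cn: Admins

dn: cn=admins,O=Internal,DC=mycompany,DC=com
objectClass: nsContainer
cn: admins

dn: cn=admins,O=External,DC=mycompany,DC=com
objectClass: groupOfUniqueNames
cn: admins
"""

def norm_dn(dn):
    """Lower-case and drop spaces around commas (no escaped-comma handling)."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; folded continuation lines are joined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)  # LDIF folds long lines with a space
        attrs = defaultdict(list)
        for line in unfolded.splitlines():
            name, _, value = line.partition(":")  # base64 ('::') values not decoded
            attrs[name.strip().lower()].append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def duplicate_cns(ldif_text, subtree, objectclass):
    """CNs (case-folded, as caseIgnoreMatch compares) shared by >1 `objectclass` entry at or below `subtree`."""
    base = norm_dn(subtree)
    seen = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        ndn = norm_dn(dn)
        ocs = {v.lower() for v in attrs.get("objectclass", [])}
        if (ndn == base or ndn.endswith("," + base)) and objectclass.lower() in ocs:
            for cn in attrs.get("cn", []):
                seen[cn.lower()].append(dn)
    return {cn: dns for cn, dns in seen.items() if len(dns) > 1}
```

Running it against the whole suffix (DC=mycompany,DC=com) instead of O=Internal reproduces the "both subtrees" result the reply warns the requiredObjectClass variant would give.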