Re: Uniqueness Attribute for specific objects in a specific subtree

On Fri, 2012-04-27 at 18:09 -0700, Marc Sauton wrote:
> On 04/27/2012 02:35 PM, John A. Sullivan III wrote:
> > Hello, all.  We would like to enforce unique cn for groupofuniquenames
> > only and only under a specific part of the DIT.
> >
> > I'll illustrate with:
> > O=Internal,DC=mycompany,DC=com
> > O=External,DC=mycompany,DC=com
> >
> > So we want to enforce unique CNs on groups under Internal but not under
> > External and only CNs on groups (because our current DN based uniqueness
> > constraint on CN means we can't create multiple password policy
> > nscontainer objects under Internal).
> >
> > If we set nsslapd-pluginarg1 to
> > "O=Internal,DC=mycompany,DC=com", we enforce uniqueness in that
> > container but for all objects.
> >
> > Although we haven't tried it (lest we create a bigger problem than we
> > already have!), I believe if we set nsslapd-pluginarg1 to
> > markerObjectClass=O and nsslapd-pluginarg2 to
> > requiredObjectClass=groupofuniquenames, it will enforce CN uniqueness on
> > groups but will do so both in Internal AND External.  Is that correct?
> >
> > So is it possible to combine them somehow to achieve what we want?
> > Thanks - John
> >
> > --
> > 389 users mailing list
> > 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
> 
> Unless I am incorrect, this could be a RFE, attribute uniqueness is 
> currently implemented for a specific attribute in either a suffix or 
> subtree, or defined by objectclass in the whole tree, not both.
> 
> It depends how those groups are organized, the subtree or suffix 
> definition could be enough, using something similar to:
> nsslapd-pluginarg0: some-attribute
> nsslapd-pluginarg1: some-suffix-or-subtree-dn
> 
> For example, in IPA, for CN uniqueness in a netgroup subtree 
> cn=ng,cn=alt,dc=example,dc=com:
> 
> dn: cn=netgroup uniqueness,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: netgroup uniqueness
> nsslapd-pluginPath: libattr-unique-plugin
> nsslapd-pluginInitfunc: NSUniqueAttr_Init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginarg0: cn
> nsslapd-pluginarg1: cn=ng,cn=alt,dc=example,dc=com
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginId: NSUniqueAttr
> nsslapd-pluginVersion: 1.2.9.14
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: Enforce unique attribute values
> 
> I believe the markerObjectClass and requiredObjectClass are not designed 
> to be mixed with the suffix or subtree definitions of the attribute 
> uniqueness plug-in, for markerObjectClass.
> The subtree is defined by location of marker object class, or its parent 
> entry, so if the scope is controlled with requiredObjectClass 
> groupofuniquenames it may parse entries in both subtrees internal and 
> external in your example.
> It seems to me you cannot use both definitions, but I could be wrong.
> 
> Reference:
> ldap/servers/plugins/uiduniq/uid.c
> and
> 5.1.4.2. Specifying One Attribute and Multiple Subtrees
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/pdf/Administration_Guide/Red_Hat_Directory_Server-9.0-Administration_Guide-en-US.pdf
> 
> M.
Thank you, Marc.  That's how I read it, too, unfortunately.

I wonder if there is another way around our real problem.  Using the
same example as above:
O=Internal,DC=mycompany,DC=com
O=External,DC=mycompany,DC=com

we need to create subtree password policies for various OUs under
O=Internal which is also where we need cn uniqueness for groups.  The
problem, I think, is that we need nsContainer objects at each OU with a
password policy where the cn is specifically "nsPwPolicyContainer".
Since that is the cn for several different objects, we are getting
duplicate errors on all attempts to create the custom password policy
after the first one.  I assume there is no way to exempt a specific
object from a uniqueness constraint, is there? Thanks - John

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
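
The two scoping modes discussed in this thread, as a simplified model added here for illustration; it is not code from either poster or from the 389 project. It assumes the O= entries carry objectClass organization (used as the marker) and that the marker scope is the nearest ancestor with that class; all entries are constructed sample data.

```python
# Simplified model of the scoping modes in this thread (not the plug-in's code); sample data is constructed.
def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def under(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def clash(tree, scope, new_dn, cn, required=None):
    """True if another entry under `scope` already holds this cn."""
    for dn, (classes, value) in tree.items():
        if norm(dn) == norm(new_dn) or not under(dn, scope):
            continue
        if required and required not in classes:
            continue  # only entries of the required class are searched
        if value is not None and value.lower() == cn.lower():
            return True
    return False

def subtree_mode(tree, new_dn, classes, cn, subtrees):
    """pluginarg0 = attribute, pluginarg1.. = subtree DNs: all entry types checked."""
    return any(under(new_dn, s) and clash(tree, s, new_dn, cn) for s in subtrees)

def marker_mode(tree, new_dn, classes, cn, marker, required):
    """Scope is the nearest ancestor carrying the marker class (assumption)."""
    if required not in classes:
        return False  # entry lacks the required class, so it is not checked
    parts = norm(new_dn).split(",")
    for i in range(1, len(parts)):
        parent = ",".join(parts[i:])
        for dn, (pclasses, _) in tree.items():
            if norm(dn) == parent and marker in pclasses:
                return clash(tree, parent, new_dn, cn, required)
    return False

INTERNAL = "o=Internal,dc=mycompany,dc=com"
EXTERNAL = "o=External,dc=mycompany,dc=com"
TREE = {
    INTERNAL: ({"organization"}, None),
    EXTERNAL: ({"organization"}, None),
    "cn=nsPwPolicyContainer,ou=Sales," + INTERNAL: ({"nscontainer"}, "nsPwPolicyContainer"),
    "cn=admins,ou=Sales," + INTERNAL: ({"groupofuniquenames"}, "admins"),
    "cn=admins,ou=Partners," + EXTERNAL: ({"groupofuniquenames"}, "admins"),
}

if __name__ == "__main__":
    pw = ("cn=nsPwPolicyContainer,ou=HR," + INTERNAL, {"nscontainer"}, "nsPwPolicyContainer")
    print("subtree mode rejects:", subtree_mode(TREE, *pw, [INTERNAL]))
    print("marker mode rejects: ", marker_mode(TREE, *pw, "organization", "groupofuniquenames"))
```

In this model a return value of True means the add would be rejected as a duplicate: subtree mode blocks the second password policy container under Internal, while marker mode lets it through but also checks groups under External.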


