On Mon, 2012-04-30 at 10:16 -0700, Noriko Hosoi wrote:
> John A. Sullivan III wrote:
> > On Fri, 2012-04-27 at 18:09 -0700, Marc Sauton wrote:
> >> On 04/27/2012 02:35 PM, John A. Sullivan III wrote:
> >>> Hello, all. We would like to enforce unique cn for groupofuniquenames
> >>> only and only under a specific part of the DIT.
> >>>
> >>> I'll illustrate with:
> >>> O=Internal,DC=mycompany,DC=com
> >>> O=External,DC=mycompany,DC=com
> >>>
> >>> So we want to enforce unique CNs on groups under Internal but not under
> >>> External and only CNs on groups (because our current DN based uniqueness
> >>> constraint on CN means we can't create multiple password policy
> >>> nscontainer objects under Internal).
> >>>
> >>> If we set nsslapd-pluginarg1 to
> >>> "O=Internal,DC=mycompany,DC=com", we enforce uniqueness in that
> >>> container but for all objects.
> >>>
> >>> Although we haven't tried it (lest we create a bigger problem than we
> >>> already have!), I believe if we set nsslapd-pluginarg1 to
> >>> markerObjectClass=O and nsslapd-pluginarg2 to
> >>> requiredObjectClass=groupofuniquenames, it will enforce CN uniqueness on
> >>> groups but will do so both in Internal AND External. Is that correct?
> >>>
> >>> So is it possible to combine them somehow to achieve what we want?
> >>> Thanks - John
> <snip>
> >> Unless I am incorrect, this could be an RFE; attribute uniqueness is
> >> currently implemented for a specific attribute in either a suffix or
> >> subtree, or defined by objectclass in the whole tree, not both.
> >>
> >> It depends how those groups are organized; the subtree or suffix
> >> definition could be enough, using something similar to:
> >> nsslapd-pluginarg0: some-attribute
> >> nsslapd-pluginarg1: some-suffix-or-subtree-dn
> >>
> >> For example, in IPA, for CN uniqueness in a netgroup subtree
> >> cn=ng,cn=alt,dc=example,dc=com:
> >>
> >> dn: cn=netgroup uniqueness,cn=plugins,cn=config
> >> objectClass: top
> >> objectClass: nsSlapdPlugin
> >> objectClass: extensibleObject
> >> cn: netgroup uniqueness
> >> nsslapd-pluginPath: libattr-unique-plugin
> >> nsslapd-pluginInitfunc: NSUniqueAttr_Init
> >> nsslapd-pluginType: preoperation
> >> nsslapd-pluginEnabled: on
> >> nsslapd-pluginarg0: cn
> >> nsslapd-pluginarg1: cn=ng,cn=alt,dc=example,dc=com
> >> nsslapd-plugin-depends-on-type: database
> >> nsslapd-pluginId: NSUniqueAttr
> >> nsslapd-pluginVersion: 1.2.9.14
> >> nsslapd-pluginVendor: 389 Project
> >> nsslapd-pluginDescription: Enforce unique attribute values
> >>
> >> I believe the markerObjectClass and requiredObjectClass are not designed
> >> to be mixed with the suffix or subtree definitions of the attribute
> >> uniqueness plug-in, for markerObjectClass.
> >> The subtree is defined by the location of the marker object class, or its
> >> parent entry, so if the scope is controlled with requiredObjectClass
> >> groupofuniquenames it may parse entries in both subtrees, internal and
> >> external, in your example.
> >> It seems to me you cannot use both definitions, but I could be wrong.
> >>
> >> Reference:
> >> ldap/servers/plugins/uiduniq/uid.c
> >> and
> >> 5.1.4.2. Specifying One Attribute and Multiple Subtrees
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/pdf/Administration_Guide/Red_Hat_Directory_Server-9.0-Administration_Guide-en-US.pdf
> >>
> >> M.
> > Thank you, Marc. That's how I read it, too, unfortunately.
> >
> > I wonder if there is another way around our real problem. Using the
> > same example as above:
> > O=Internal,DC=mycompany,DC=com
> > O=External,DC=mycompany,DC=com
> >
> > we need to create subtree password policies for various OUs under
> > O=Internal, which is also where we need cn uniqueness for groups. The
> > problem, I think, is that we need nsContainer objects at each OU with a
> > password policy where the cn is specifically "nsPwPolicyContainer".
> > Since that is the cn for several different objects, we are getting
> > duplicate errors on all attempts to create the custom password policy
> > after the first one. I assume there is no way to exempt a specific
> > object from a uniqueness constraint, is there? Thanks - John
> >
> <snip>
> It may make the db topology more complicated, but how about making
> O=Internal and O=External sub suffixes of DC=mycompany,DC=com?
> That way you could make these 2 trees independent from each other...
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Configuring_Directory_Databases.html
> --noriko
<snip>
Interesting. So you are saying that, by splitting the database, I can use a
markerObject uniqueness plugin for organizations in O=Internal restricted to
groups and not have it affect O=External because that is a separate database?
Yet I would be able to search globally by searching at the top level
dc=mycompany,dc=com level? Hmm . . . but if the plugin is held in config, how
does it know to apply to one suffix and not another if I am using
markerObjects? Thanks - John
-- 
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
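Added illustration (not part of the thread, and not configuration from the 389 or IPA projects): the two argument styles of the Attribute Uniqueness plugin that Marc and John discuss, written out as plugin entries for John's example DIT so the scoping difference is visible side by side. The entry names (`cn=internal group cn uniqueness`, `cn=group cn uniqueness`) are hypothetical. The marker-style argument syntax (`attribute=`, `markerObjectClass=`, `requiredObjectClass=`) is assumed to follow the RHDS 9.0 Administration Guide sections Marc references; `markerObjectClass=organization` assumes the `O=...` entries carry objectClass `organization` (John wrote `markerObjectClass=O`, but the argument takes an objectClass, not an attribute name). Verify both against the guide and `ldap/servers/plugins/uiduniq/uid.c` for the version you run before loading anything into `cn=config`.

```ldif
# Style A: one attribute, one explicit subtree (the form Marc shows).
# The check applies to EVERY entry under the subtree regardless of
# objectClass, which is exactly why the several nsPwPolicyContainer
# entries under O=Internal collide on cn.
dn: cn=internal group cn uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: internal group cn uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: cn
nsslapd-pluginarg1: O=Internal,DC=mycompany,DC=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.9.14
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values

# Style B: marker objectClass plus required objectClass (assumed syntax).
# Scope is the nearest ancestor carrying the marker objectClass, and only
# entries with the required objectClass are checked. There is no subtree
# argument in this form, so it fires under O=External just as it does
# under O=Internal; per Marc, the two styles cannot be combined in one
# plugin entry.
dn: cn=group cn uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: group cn uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=cn
nsslapd-pluginarg1: markerObjectClass=organization
nsslapd-pluginarg2: requiredObjectClass=groupOfUniqueNames
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.9.14
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
```

Only one of the two entries is meant to be enabled at a time; loading both shows the trade-off John is stuck on rather than resolving it. A quick way to confirm which scope a given entry actually enforces is to attempt an `ldapadd` of a second `groupOfUniqueNames` with an existing cn under `O=External` and check whether the server returns a constraint violation: Style A lets it through, Style B rejects it.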