[Date Prev][Date Next]
(ITS#6825) unique_uri filter reaching beyond its intended target
Full_Name: Kartik Subbarao
OS: Debian Linux 5.0.5
Submission from: (NULL) (18.104.22.168)
I have the uniqueness overlay configured as follows in slapd.conf:
The policy I want to enforce is that all posixGroup entries must have a unique
gidNumber attribute. At the same time, I want to *allow* non-posixGroup entries
(such as inetOrgPerson) to have the same gidNumber attribute that a posixGroup
entry has. This is so that a user can have a login group id set to that of an
With the above configuration in place, if I create a posixGroup entry with
gidNumber 389, and then try to add a gidNumber attribute of 389 to an
inetOrgPerson entry, the operation fails with a constraint error "some
attributes not unique".
As I read the manpage for slapo-unique, the unique_uri filter seems to support
the functionality that I want:
The filter component causes the domain to apply uniqueness constraints only to
matching objects. e.g. ldap:///?cn?sub?(sn=e*) would require unique cn
all objects in the subtree of the back-end database whose sn starts with an e.
I'm inferring from this that uniqueness constraints on the cn attribute would
*not* be applied to objects that don't match the filter. But that doesn't seem
to be happening here. Is this a bug in the uniqueness overlay or am I not
understanding the implementation?