[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6825) unique_uri filter reaching beyond its intended target

Full_Name: Kartik Subbarao
Version: 2.4.23
OS: Debian Linux 5.0.5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I have the uniqueness overlay configured as follows in slapd.conf:

overlay unique
unique_uri ldap:///?gidNumber?sub?(objectClass=posixGroup)

The policy I want to enforce is that all posixGroup entries must have a unique
gidNumber attribute. At the same time, I want to *allow* non-posixGroup entries
(such as inetOrgPerson) to have the same gidNumber attribute that a posixGroup
entry has. This is so that a user can have a login group id set to that of an
existing group.

With the above configuration in place, if I create a posixGroup entry with
gidNumber 389, and then try to add a gidNumber attribute of 389 to an
inetOrgPerson entry, the operation fails with a constraint error "some
attributes not unique".

As I read the manpage for slapo-unique, the unique_uri filter seems to support
the functionality that I want:

The filter component causes the domain to apply uniqueness constraints only to  
   matching objects. e.g. ldap:///?cn?sub?(sn=e*) would require unique cn
attributes for
all objects in the subtree of the back-end database whose sn starts with an e.

I'm inferring from this that uniqueness constraints on the cn attribute would
*not* be applied to objects that don't match the filter. But that doesn't seem
to be happening here. Is this a bug in the uniqueness overlay or am I not
understanding the implementation?