Re: Unique overlay usage with filter
Kyle Blaney wrote:
I'm using the unique overlay in OpenLDAP 2.4.16 and finding it too easy
to violate the uniqueness constraints I have defined.
For example, if I have the following in my slapd.conf (taken from
slapo-unique man page):
I can violate the uniqueness constraints as follows:
1. Add an entry with cn=a and sn=e.
2. Add a second entry with cn=a and sn=f.
3. Modify the sn of the second entry so that sn=e.
The attribute modification succeeds but causes a violation of the
Is there any way to configure OpenLDAP so that the attribute
modification fails due to a constraint violation?

How did you configure slapo-unique(5)? Is it global, or rooted at an
empty DN database? Note that it requires a rootdn to be configured for
the database it's instantiated for.
According to your configuration, it is not working for a specific
searchbase (the "dn" part of your URI is empty), so it might be that the
identity it is running as does not have enough privileges to see the
attributes it is supposed to constrain when they are across databases.
You should probably post your entire slapd.conf or back-config contents
(make sure you remove sensitive information like passwords).
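
The two checks the reply raises (a rootdn on the database carrying the overlay, and an empty base DN in the `unique_uri`), plus password masking before posting, as an added example that is not part of the original thread. It assumes slapd.conf syntax only; `SAMPLE`, `redact` and `audit_unique` are hypothetical names, and the sample configuration is constructed, not the poster's.

```python
import re
import shlex
from urllib.parse import unquote

# Constructed sample; the poster's real slapd.conf is not in the archive.
SAMPLE = """\
database bdb
suffix "dc=example,dc=com"
rootpw secret
overlay unique
unique_uri ldap:///?cn,sn?sub
"""

def redact(conf):
    """Mask rootpw/olcRootPW values and syncrepl credentials before posting."""
    conf = re.sub(r'(?im)^([ \t]*(?:rootpw[ \t]+|olcRootPW::?[ \t]*)).*$',
                  r'\1<redacted>', conf)
    return re.sub(r'(?i)\b(credentials=)("[^"]*"|\S+)', r'\1<redacted>', conf)

def audit_unique(conf):
    """Flag the two conditions raised in the reply, per slapd.conf section."""
    sections = [{'where': 'global', 'rootdn': False, 'bases': []}]
    overlay = None
    # Lines starting with whitespace continue the previous directive.
    for line in re.sub(r'\n[ \t]+', ' ', conf).splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        words = shlex.split(line)
        key = words[0].lower()
        if key == 'database':
            sections.append({'where': ' '.join(words[:2]), 'rootdn': False, 'bases': []})
            overlay = None
        elif key == 'rootdn':
            sections[-1]['rootdn'] = True
        elif key == 'overlay':
            overlay = words[1].lower()
        elif key == 'unique_uri' and overlay == 'unique':
            for w in words[1:]:
                if w.lower().startswith('ldap:///'):
                    base = unquote(w[len('ldap:///'):].split('?', 1)[0])
                    sections[-1]['bases'].append(base)
    findings = []
    for s in sections:
        if s['bases'] and s['where'] != 'global' and not s['rootdn']:
            findings.append(f"{s['where']}: unique overlay but no rootdn")
        findings += [f"{s['where']}: unique_uri has an empty base DN"
                     for b in s['bases'] if not b]
    return findings

if __name__ == '__main__':
    print(redact(SAMPLE))
    print('\n'.join(audit_unique(SAMPLE)))
```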