Re: Uniqueness constraint over multiple attributes

On Wed, Jun 20, 2012 at 06:43:22PM +0200, Michael Ströder wrote:

> Jan Beerden wrote:
> > Is there a way to have a unique constraint over multiple attributes? We have
> > different attributes for the primary email address of a person, and for
> > additional aliases, and we'd like to enforce global uniqueness in such a way
> > that the primary email address for one person can not be used as an email
> > alias for another person.
> > 
> > The slapo-unique manpage doesn't make this very clear.
> You can simply specify multiple attrs.

> unique_uri "ldap:///o=myorg?uid,uidNumber?sub?(objectClass=*)"

That will not have the effect that is required in this case.
Each attribute listed in the unique_uri is enforced separately, so in
the example above, all uid values would be unique, and all uidNumber
values would be unique, but it would be quite possible to have a uid
in one entry the same as the uidNumber in a different one.

To achieve what Jan wants, I would consider requiring the primary
email address to also be listed as one of the aliases. A uniqueness
constraint like this would then protect against one entry hijacking
the address of another:

overlay unique
unique_uri "ldap:///o=myorg?primaryMail,aliasMail?sub?(objectClass=mailUser)"

The requirement for the primaryMail value to also appear as an
aliasMail value could be enforced using the constraint overlay with
the 'set' mechanism, something like:

overlay constraint
constraint_attribute primaryMail,aliasMail set
	"this/primaryMail & this/aliasMail"

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
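
The effect of the two overlays described in the message above, as an added example that is not part of the original post and is not slapd code. It is a simplified Python model of add operations only; primaryMail and aliasMail come from the message, while the entries, DNs and function names are constructed for illustration.

```python
# Simplified model of the semantics described in the message; not slapd code.
# primaryMail/aliasMail come from the message, the entries are constructed.
CHECKED = ("primaryMail", "aliasMail")

def unique_clashes(directory, entry):
    """slapo-unique as described: each attribute is compared only with the
    same attribute in other entries (exact string match in this model)."""
    return [(attr, value, dn)
            for attr in CHECKED
            for value in entry.get(attr, [])
            for dn, other in directory.items()
            if value in other.get(attr, [])]

def set_constraint_ok(entry):
    """'this/primaryMail & this/aliasMail' must evaluate to a non-empty set."""
    return bool(set(entry.get("primaryMail", [])) & set(entry.get("aliasMail", [])))

def try_add(directory, dn, entry, with_constraint):
    if with_constraint and not set_constraint_ok(entry):
        return "constraint violation"
    if unique_clashes(directory, entry):
        return "uniqueness violation"
    directory[dn] = entry
    return "added"

def demo():
    results = {}
    # Uniqueness alone: alice's primary address is not among her aliases.
    d = {}
    try_add(d, "uid=alice,o=myorg",
            {"primaryMail": ["alice@example.org"], "aliasMail": ["a.smith@example.org"]}, False)
    results["unique only"] = try_add(d, "uid=bob,o=myorg",
            {"primaryMail": ["bob@example.org"], "aliasMail": ["alice@example.org"]}, False)
    # Both overlays: the primary address must also be an alias.
    d = {}
    try_add(d, "uid=alice,o=myorg",
            {"primaryMail": ["alice@example.org"],
             "aliasMail": ["alice@example.org", "a.smith@example.org"]}, True)
    results["alias clash"] = try_add(d, "uid=bob,o=myorg",
            {"primaryMail": ["bob@example.org"],
             "aliasMail": ["bob@example.org", "alice@example.org"]}, True)
    results["primary not aliased"] = try_add(d, "uid=carol,o=myorg",
            {"primaryMail": ["alice@example.org"], "aliasMail": ["carol@example.org"]}, True)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```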