
Re: Unique overlay confusing



--On Thursday, August 09, 2018 9:51 AM +0200 Ervin Hegedüs <airween@gmail.com> wrote:


olcUniqueURI: ldap:///?uid?sub?
olcUniqueURI: ldap:///?mail?sub?
olcUniqueURI: ldap:///?uidNumber?sub?
olcUniqueURI: ldap:///?sn?sub?
olcUniqueURI: ldap:///?cn?sub?
olcUniqueURI: ldaps:///?uid?sub?
olcUniqueURI: ldaps:///?mail?sub?
olcUniqueURI: ldaps:///?uidNumber?sub?
olcUniqueURI: ldaps:///?sn?sub?
olcUniqueURI: ldaps:///?cn?sub?

Using "ldaps://" here is invalid. These are internal searches that don't use the LDAP protocol.

One thing you've not shown in your configurations is whether or not the {1}mdb,cn=config DB has a rootdn configured for that database instance. As noted in the man page, a rootdn is required on the specific database instance for the overlay to function:

"The search is performed using the rootdn of the database, to avoid issues with ACLs preventing the overlay from seeing all of the relevant data. As such, the database must have a rootdn configured."

Additionally, you haven't noted how you are making the modifications to add the duplicate entries. Again, as noted in the man page:

"Replication and operations with manageDsaIt control are allowed to bypass this enforcement. It is therefore important that all servers accepting writes have this overlay configured in order to maintain uniqueness in a replicated DIT."

So it is possible the LDAP client you are using to make the modifications is setting the manageDsaIT control.

Warm regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
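As an added illustration (not code from the thread or from OpenLDAP), the two configuration problems raised above can be checked offline against a cn=config LDIF export: every olcUniqueURI must use the hostless `ldap:///` form, and the database the overlay sits under must carry an olcRootDN. The LDIF fragment and the function names `parse_ldif` and `audit_unique` are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed slapd-config fragment: an mdb database with no olcRootDN and a
# unique overlay beneath it that mixes ldap:/// with an invalid ldaps:/// URI.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}unique,olcDatabase={1}mdb,cn=config
objectClass: olcUniqueConfig
olcOverlay: {0}unique
olcUniqueURI: ldap:///?uid?sub?
olcUniqueURI: ldaps:///?mail?sub?
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple LDIF (no line folding,
    no base64 '::' values); entries are separated by blank lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def audit_unique(entries):
    """Return one finding per problem found on each olcOverlay=unique entry."""
    findings = []
    for dn, attrs in entries.items():
        if "olcUniqueConfig" not in attrs.get("objectClass", []):
            continue
        # The overlay's parent entry is the database it is attached to; the
        # overlay searches as that database's rootdn, so it must be present.
        db_dn = dn.split(",", 1)[1]
        if not entries.get(db_dn, {}).get("olcRootDN"):
            findings.append(f"{db_dn}: no olcRootDN, unique overlay cannot search")
        # Internal searches do not speak LDAP over the wire, so only the
        # hostless ldap:/// form is meaningful here; ldaps:// is rejected.
        for uri in attrs.get("olcUniqueURI", []):
            if not uri.startswith("ldap:///"):
                findings.append(f"{dn}: unsupported URI scheme in {uri}")
    return findings
```

Running `audit_unique(parse_ldif(SAMPLE_LDIF))` on a real `slapcat -n 0` export instead of the constructed fragment gives the same two classes of finding for a live server.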