Chapter 15. Implementing Attribute Value Uniqueness

Some attribute values ought to remain unique. If you are using uid values as RDNs to distinguish between millions of user entries stored under ou=People, then you do not want your directory to contain two or more identical uid values. If your credit card or mobile number is stored as an attribute value on your directory entry, you certainly do not want to share that credit card or mobile number with another customer. The same is true for your email address.

The difficulty for you as directory administrator lies in implementing attribute value uniqueness without sacrificing the high availability that comes from using OpenDJ's loosely consistent, multi-master data replication. Indeed, OpenDJ's replication model lets directory applications keep write access during network outages. Yet write access during a network outage can result in the same, theoretically unique attribute value being assigned to two different entries at once. You do not notice the problem until the network outage goes away and replication resumes.

This chapter shows you how to set up attribute value uniqueness in your directory environment.

Procedure 15.1. To Enable Unique UIDs

OpenDJ provides a unique attribute plugin that you configure by using the dsconfig command. By default, the plugin is prepared to ensure attribute values are unique for uid attributes.

  1. Set the base DN where uid should have unique values, and enable the plugin.

    $ dsconfig \
     set-plugin-prop \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --plugin-name "UID Unique Attribute" \
     --set base-dn:ou=people,dc=example,dc=com \
     --set enabled:true \
     --trustAll \
     --no-prompt

    Alternatively, you can specify multiple base DNs for unique values across multiple suffixes.

    $ dsconfig \
     set-plugin-prop \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --plugin-name "UID Unique Attribute" \
     --set enabled:true \
     --add base-dn:ou=people,dc=example,dc=com \
     --add base-dn:ou=people,dc=example,dc=org \
     --trustAll \
     --no-prompt
  2. Check that the plugin is working correctly.

    $ cat bjensen.ldif
    dn: uid=ajensen,ou=People,dc=example,dc=com
    changetype: modify
    add: uid
    uid: bjensen
    
    $ ldapmodify \
     --defaultAdd \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --filename bjensen.ldif
    Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
    MODIFY operation failed
    Result Code:  19 (Constraint Violation)
    Additional Information:  A unique attribute conflict was detected for \
     attribute uid:  value bjensen already exists in entry
     uid=bjensen,ou=People,dc=example,dc=com

    If you have set up multiple suffixes, you might try something like this.

    $ cat bjensen.ldif
    dn: uid=bjensen,ou=People,dc=example,dc=org
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: Babs
    sn: Jensen
    uid: bjensen
    
    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --defaultAdd \
     --filename bjensen.ldif
    Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org
    ADD operation failed
    Result Code:  19 (Constraint Violation)
    Additional Information:  A unique attribute conflict was detected for attribute
     uid:  value bjensen already exists in entry
     uid=bjensen,ou=People,dc=example,dc=com

Procedure 15.2. To Enable Unique Values For Other Attributes

You can also configure the unique attribute plugin for use with other attributes, such as mail, mobile, or attributes you define, for example cardNumber.

  1. Before you set up the plugin, index the attribute for equality, so that the plugin can look up existing values of the attribute efficiently on each write.

  2. Set up the plugin configuration for your attribute.

    $ dsconfig \
     create-plugin \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --plugin-name "Unique mobile numbers" \
     --type unique-attribute \
     --set enabled:true \
     --set base-dn:ou=people,dc=example,dc=com \
     --set type:mobile \
     --trustAll \
     --no-prompt
  3. Check that the plugin is working correctly.

    $ cat mobile.ldif
    dn: uid=ajensen,ou=People,dc=example,dc=com
    changetype: modify
    add: mobile
    mobile: +1 828 555 1212
    
    dn: uid=bjensen,ou=People,dc=example,dc=com
    changetype: modify
    add: mobile
    mobile: +1 828 555 1212
    
    $ ldapmodify \
     --defaultAdd \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --filename mobile.ldif
    Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
    MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
    Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
    MODIFY operation failed
    Result Code:  19 (Constraint Violation)
    Additional Information:  A unique attribute conflict was detected for
     attribute mobile:  value +1 828 555 1212 already exists in entry
     uid=ajensen,ou=People,dc=example,dc=com

Procedure 15.3. To Ensure Unique Attribute Values With Replication

The unique attribute plugin ensures unique attribute values on the directory server where the attribute value is updated. If client applications separately write the same attribute value at the same time on different directory replicas, it is possible that both servers consider the duplicate value unique, especially if the network is down between the replicas.

  1. Enable the plugin identically on all replicas.

  2. To avoid duplicate values where possible, try one of the following solutions.

    • Use a load balancer or proxy technology to direct all updates to the unique attribute to the same directory server.

      The drawback here is the need for an additional component to direct the updates to the same server, and to manage failover should that server go down.

    • Configure safe read mode assured replication between replicas storing the unique attribute.

      The drawbacks here are the cost of safe read assured replication, and the likelihood that assured replication can enter degraded mode during a network outage, thus continuing to allow updates during the outage.
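Because neither solution rules out duplicates created during an outage, it is worth auditing the data once replication resumes. The following Python script is an added example, not part of OpenDJ or its documentation: it scans an LDIF export for values of one attribute held by more than one entry under a base DN, the same condition the plugin rejects at write time. The sample export is constructed, and the value normalization is an assumed approximation of the attributes' equality matching rules.

```python
import base64
import re
from collections import defaultdict
# Constructed sample (not real data): two dc=example,dc=com entries share uid bjensen (one base64); the dc=org entry is out of scope.
SAMPLE_LDIF = """\
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
mobile: +1 828 555 1212

dn: uid=ajensen,ou=People,dc=example,dc=com
uid: ajensen
uid:: YmplbnNlbg==
mobile: +1-828-555-1212

dn: uid=bjensen,ou=People,dc=example,dc=org
uid: bjensen
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per record, unfolding lines and decoding '::' base64 values."""
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, defaultdict(list)
        for line in (ln for ln in block.splitlines() if not ln.startswith("#")):
            name, _, raw = line.partition(":")
            value = (base64.b64decode(raw[1:].strip()).decode("utf-8")
                     if raw.startswith(":") else raw.strip())
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            yield dn, attrs

def normalize(attr, value):
    """Assumed approximation of the equality matching rules the plugin relies on."""
    if attr in ("mobile", "telephonenumber"):      # telephoneNumberMatch: ignore spaces and hyphens
        return re.sub(r"[ -]", "", value)
    return " ".join(value.casefold().split())      # caseIgnoreMatch: ignore case and whitespace runs

def find_duplicates(ldif_text, attr, base_dn):
    """Return {normalized value: sorted DNs} for values held by two or more entries under base_dn."""
    attr, suffix = attr.lower(), base_dn.casefold()
    holders = defaultdict(set)
    for dn, attrs in parse_ldif(ldif_text):
        if not (dn.casefold() == suffix or dn.casefold().endswith("," + suffix)):
            continue  # outside the configured base-dn: the plugin would not check it either
        for value in attrs.get(attr, []):
            holders[normalize(attr, value)].add(dn)
    return {v: sorted(dns) for v, dns in holders.items() if len(dns) > 1}
```

An empty result means no two entries under the base DN share a value; each non-empty entry lists the DNs you need to reconcile by hand, since replication does not do it for you.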