! CCPL HEADER START
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
! CCPL HEADER END
! Copyright 2011-2014 ForgeRock AS
xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
<para>Some attribute values ought to remain unique. If you are using
<literal>uid</literal> values as RDNs to distinguish between millions of
user entries stored under <literal>ou=People</literal>, then you do not
want your directory to contain two or more identical
<literal>uid</literal> values. If your credit card or mobile number is
stored as an attribute value on your directory entry, you certainly do not
want to share that credit card or mobile number with another customer.
The same is true for your email address.</para>
<indexterm><primary>Unique attribute values</primary></indexterm>
<para>The difficulty for you as directory administrator lies in
implementing attribute value uniqueness without sacrificing the high
availability that comes from using OpenDJ's loosely consistent,
multi-master data replication. Indeed OpenDJ's replication model lets
you maintain write access during network outages for directory
applications. Yet, write access during a network outage can result in the
same, theoretically unique attribute value getting assigned to two different
entries at once. You do not notice the problem until the network outage
goes away and replication resumes.</para>
<itemizedlist>
<para>This chapter shows you how to set up attribute value uniqueness
in your directory environment with the following procedures.</para>
<listitem><para><xref linkend="enable-unique-uids" /></para></listitem>
<listitem><para><xref linkend="enable-unique-attributes" /></para></listitem>
<listitem><para><xref linkend="unique-attributes-scoped" /></para></listitem>
<listitem><para><xref linkend="unique-attributes-repl" /></para></listitem>
</itemizedlist>
<para>OpenDJ directory server uses the unique attribute plugin to handle
attribute value uniqueness. As shown in the examples in this chapter, you
can configure the unique attribute plugin to handle one or more attributes
and to handle entries under one or more base DNs. You can also configure
multiple instances of the plugin for the same OpenDJ directory server.</para>
<para>OpenDJ provides a unique attribute plugin that you configure by using
the <command>dsconfig</command> command. By default, the plugin is prepared
to ensure attribute values are unique for <literal>uid</literal>
attributes.</para>
<para>Set the base DN where <literal>uid</literal> should have unique
values, and enable the plugin.</para>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --set base-dn:ou=people,dc=example,dc=com \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
<para>Alternatively, you can specify multiple base DNs for unique values
across multiple suffixes.</para>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --set enabled:true \
 --add base-dn:ou=people,dc=example,dc=com \
 --add base-dn:ou=people,dc=example,dc=org \
 --trustAll \
 --no-prompt</userinput>
<para>Check that the plugin is working correctly.</para>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: uid
uid: bjensen</computeroutput>
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for
 attribute uid: value bjensen already exists in entry
 uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
<para>If you have set up multiple suffixes, you might try something like
this.</para>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bjensen</computeroutput>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd</userinput>
<computeroutput>Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org
ADD operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for attribute
 uid: value bjensen already exists in entry
 uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
</procedure>
<title>To Enable Unique Values For Other Attributes</title>
<para>You can also configure the unique attribute plugin for use with
other attributes, such as <literal>mail</literal>, <literal>mobile</literal>,
or attributes you define, for example <literal>cardNumber</literal>.</para>
<para>Before you set up the plugin, index the attribute for equality.</para>
<para>See <link xlink:show="new" xlink:href="admin-guide#configure-indexes"
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring &amp;
Rebuilding Indexes</citetitle></link> for instructions.</para>
<para>Set up the plugin configuration for your attribute.</para>
<para>You can either add the attribute to an existing plugin configuration,
or create a new plugin configuration including the attribute.</para>
<para>When choosing between these alternatives, keep in mind that values
must be unique across the attributes and base DNs specified in each
plugin configuration. Therefore only group attributes together in the
same configuration if you want each value to be unique for all
attributes. For example, you might create a single plugin configuration
for telephone, fax, mobile, and pager numbers. As an alternative
example, suppose user IDs are numeric, that user entries also specify
<literal>uidNumber</literal>, and that user IDs are normally the same as
their <literal>uidNumber</literal>s. In that case you create separate
unique attribute configurations for <literal>uid</literal> and
<stepalternatives>
<para>If you want to add the attribute to an existing plugin
configuration, do so as shown in the following example which uses the
plugin configuration from <xref linkend="enable-unique-uids" />.</para>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --add type:mobile \
 --trustAll \
 --no-prompt</userinput>
<para>If you want to create a new plugin configuration, do so as shown in
the following example.</para>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique mobile numbers" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:ou=people,dc=example,dc=com \
 --set type:mobile \
 --trustAll \
 --no-prompt</userinput>
</stepalternatives>
<para>Check that the plugin is working correctly.</para>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212

dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212</computeroutput>
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for
 attribute mobile: value +1 828 555 1212 already exists in entry
 uid=ajensen,ou=People,dc=example,dc=com</computeroutput>
</procedure>
<para>In some cases you need attribute uniqueness separately for different
base DNs in your directory. For example, you need all <literal>uid</literal>
values to remain unique both for users in <literal>dc=example,dc=com</literal>
and <literal>dc=example,dc=org</literal>, but it is not a problem to have
one entry under each base DN with the same user ID as the organizations are
separate. The following steps demonstrate how to limit the scope of uniqueness
by creating separate configuration entries for the unique attribute
plugin.</para>
<para>If the attribute you target is not indexed for equality by default,
index the attribute for equality.</para>
<para>See <link xlink:show="new" xlink:href="admin-guide#configure-indexes"
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring &amp;
Rebuilding Indexes</citetitle></link> for instructions.</para>
<para>The examples in this procedure target the user ID attribute,
<literal>uid</literal>, which is indexed for equality by default.</para>
<para>For each base DN, set up a configuration entry that ensures the
target attribute values are unique.</para>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique Example.com UIDs" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:dc=example,dc=com \
 --set type:uid \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique Example.org UIDs" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:dc=example,dc=org \
 --set type:uid \
 --trustAll \
 --no-prompt</userinput>
<para>Check that the plugin is working correctly.</para>
<computeroutput>dn: uid=unique,ou=People,dc=example,dc=com
uid: unique
givenName: Unique
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Unique Person
userPassword: 1Mun1qu3

dn: uid=unique,ou=People,dc=example,dc=org
uid: unique
givenName: Unique
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Unique Person
userPassword: 1Mun1qu3

dn: uid=copycat,ou=People,dc=example,dc=com
uid: unique
uid: copycat
givenName: Copycat
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Copycat Person
userPassword: copycopy</computeroutput>
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>Processing ADD request for uid=unique,ou=People,dc=example,dc=com
ADD operation successful for DN uid=unique,ou=People,dc=example,dc=com
Processing ADD request for uid=unique,ou=People,dc=example,dc=org
ADD operation successful for DN uid=unique,ou=People,dc=example,dc=org
Processing ADD request for uid=copycat,ou=People,dc=example,dc=com
ADD operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for
 attribute uid: value unique already exists in entry
 uid=unique,ou=People,dc=example,dc=com</computeroutput>
</procedure>
<title>To Ensure Unique Attribute Values With Replication</title>
<indexterm>
</indexterm>
<para>The unique attribute plugin ensures unique attribute values on the
directory server where the attribute value is updated. If client applications
separately write the same attribute value at the same time on different
directory replicas, it is possible that both servers consider the duplicate
value unique, especially if the network is down between the replicas.</para>
<para>Enable the plugin identically on all replicas.</para>
<para>To avoid duplicate values where possible, try one of the following
solutions.</para>
<stepalternatives>
<para>Use a load balancer or proxy technology to direct all updates
to the unique attribute to the same directory server.</para>
<para>The drawback here is the need for an additional component to
direct the updates to the same server, and to manage failover should that
server go down.</para>
<para>Configure safe read mode assured replication between replicas
storing the unique attribute.</para>
<para>The drawbacks here are the cost of safe read assured replication,
and the likelihood that assured replication can enter degraded mode during
a network outage, thus continuing to allow updates during the
outage.</para>
</stepalternatives>
</procedure>
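<para>The following Python script is an added example, not part of the OpenDJ documentation or code. It audits an LDIF export for duplicate values that replicas accepted independently, applying the scoping rules described in this chapter: a value must be unique across all attributes and base DNs of one plugin configuration, and separate configurations are checked separately. The <literal>CONFIGS</literal> list, the "Unique phone numbers" configuration name, the sample LDIF, and the simplified DN and value normalization are assumptions made for illustration and do not reproduce the server's matching rules.</para>

```python
import base64
from collections import defaultdict

# Constructed sample (not real data): LDIF exported after replicas reconnected.
SAMPLE_LDIF = """\
dn: uid=ajensen,ou=People,dc=example,dc=com
uid: ajensen
mobile: +1 828 555 1212

dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
mobile: +1 828 555 1212

dn: uid=kvaughan,ou=People,dc=example,dc=com
uid: kvaughan
pager: +1 828 555
  1212

dn: uid=bjensen,ou=People,dc=example,dc=org
uid: bjensen
"""

# Assumed mirror of plugin configurations; "Unique phone numbers" is hypothetical.
CONFIGS = [
    ("Unique Example.com UIDs", {"uid"}, ["dc=example,dc=com"]),
    ("Unique Example.org UIDs", {"uid"}, ["dc=example,dc=org"]),
    ("Unique phone numbers", {"mobile", "pager"}, ["ou=people,dc=example,dc=com"]),
]

def norm_dn(dn):
    """Simplified DN normalization; assumes no escaped commas in RDN values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])] from LDIF content records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        elif not raw.startswith("#"):       # skip comments
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if dn:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: ..." carries a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.append((name.lower(), value.strip()))
    return entries

def find_conflicts(entries, configs):
    """Return sorted (config name, value, holders) for values on 2+ entries."""
    conflicts = []
    for name, types, bases in configs:
        scopes = [norm_dn(b) for b in bases]
        holders = defaultdict(set)
        for dn, attrs in entries:
            ndn = norm_dn(dn)
            if not any(ndn == s or ndn.endswith("," + s) for s in scopes):
                continue                    # entry is outside this configuration
            for attr, value in attrs:
                if attr in types:
                    # Approximate equality matching: ignore case and extra spaces.
                    holders[" ".join(value.lower().split())].add((ndn, attr))
        for value, found in holders.items():
            if len({dn for dn, _ in found}) > 1:
                conflicts.append((name, value, sorted(f"{d}:{a}" for d, a in found)))
    return sorted(conflicts)

if __name__ == "__main__":
    for found in find_conflicts(parse_ldif(SAMPLE_LDIF), CONFIGS):
        print(found)
```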