<?xml version="1.0" encoding="UTF-8"?>
<!--
 ! CCPL HEADER START
 !
 ! This work is licensed under the Creative Commons
 ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
 ! To view a copy of this license, visit
 ! http://creativecommons.org/licenses/by-nc-nd/3.0/
 ! or send a letter to Creative Commons, 444 Castro Street,
 ! Suite 900, Mountain View, California, 94041, USA.
 !
 ! You can also obtain a copy of the license at
 ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
 ! See the License for the specific language governing permissions
 ! and limitations under the License.
 !
 ! If applicable, add the following below this CCPL HEADER, with the fields
 ! enclosed by brackets "[]" replaced with your own identifying information:
 ! Portions Copyright [yyyy] [name of copyright owner]
 !
 ! CCPL HEADER END
 !
 ! Copyright 2011-2014 ForgeRock AS
 !
-->
<chapter xml:id='chap-attribute-uniqueness'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
 http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Implementing Attribute Value Uniqueness</title>

 <para>Some attribute values ought to remain unique. If you are using
 <literal>uid</literal> values as RDNs to distinguish between millions of
 user entries stored under <literal>ou=People</literal>, then you do not
 want your directory to contain two or more identical
 <literal>uid</literal> values. If your credit card or mobile number is
 stored as an attribute value on your directory entry, you certainly do not
 want to share that credit card or mobile number with another customer.
 The same is true for your email address.</para>

 <indexterm><primary>Unique attribute values</primary></indexterm>

 <para>The difficulty for you as directory administrator lies in
 implementing attribute value uniqueness without sacrificing the high
 availability that comes from using OpenDJ's loosely consistent,
 multi-master data replication. Indeed, OpenDJ's replication model lets
 directory applications keep write access during network outages.
 Yet write access during a network outage can result in the
 same, theoretically unique attribute value getting assigned to two different
 entries at once. You do not notice the problem until the network outage
 ends and replication resumes.</para>

 <itemizedlist>
 <para>This chapter shows you how to set up attribute value uniqueness
 in your directory environment with the following procedures.</para>

 <listitem><para><xref linkend="enable-unique-uids" /></para></listitem>
 <listitem><para><xref linkend="enable-unique-attributes" /></para></listitem>
 <listitem><para><xref linkend="unique-attributes-scoped" /></para></listitem>
 <listitem><para><xref linkend="unique-attributes-repl" /></para></listitem>
 </itemizedlist>

 <para>OpenDJ directory server uses the unique attribute plugin to handle
 attribute value uniqueness. As shown in the examples in this chapter, you
 can configure the unique attribute plugin to handle one or more attributes
 and to handle entries under one or more base DNs. You can also configure
 multiple instances of the plugin for the same OpenDJ directory server.</para>

 <procedure xml:id="enable-unique-uids">
 <title>To Enable Unique UIDs</title>

 <para>OpenDJ provides a unique attribute plugin that you configure by using
 the <command>dsconfig</command> command. By default, the plugin is prepared
 to ensure attribute values are unique for <literal>uid</literal>
 attributes.</para>

 <step>
 <para>Set the base DN where <literal>uid</literal> should have unique
 values, and enable the plugin.</para>

 <screen>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --set base-dn:ou=people,dc=example,dc=com \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
 </screen>

 <para>Alternatively, you can specify multiple base DNs for unique values
 across multiple suffixes.</para>

 <screen>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --set enabled:true \
 --add base-dn:ou=people,dc=example,dc=com \
 --add base-dn:ou=people,dc=example,dc=org \
 --trustAll \
 --no-prompt</userinput>
 </screen>
 </step>

 <step>
 <para>Check that the plugin is working correctly.</para>

 <screen>
$ <userinput>cat bjensen.ldif</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: uid
uid: bjensen</computeroutput>

$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename bjensen.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for
 attribute uid: value bjensen already exists in entry
 uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
 </screen>

 <para>If you have set up multiple suffixes, you might try something like
 this.</para>

 <screen>
$ <userinput>cat bjensen.ldif</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs
sn: Jensen
uid: bjensen</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename bjensen.ldif</userinput>
<computeroutput>Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org
ADD operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for attribute
 uid: value bjensen already exists in entry
 uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
 </screen>
 </step>
 </procedure>

 <procedure xml:id="enable-unique-attributes">
 <title>To Enable Unique Values For Other Attributes</title>

 <para>You can also configure the unique attribute plugin for use with
 other attributes, such as <literal>mail</literal>, <literal>mobile</literal>,
 or attributes you define, for example <literal>cardNumber</literal>.</para>

 <step>
 <para>Before you set up the plugin, index the attribute for equality.</para>

 <para>See <link xlink:show="new" xlink:href="admin-guide#configure-indexes"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring &amp;
 Rebuilding Indexes</citetitle></link> for instructions.</para>
 </step>
 <step>
 <para>Set up the plugin configuration for your attribute.</para>

 <para>You can either add the attribute to an existing plugin configuration,
 or create a new plugin configuration including the attribute.</para>

 <para>When choosing between these alternatives, keep in mind that values
 must be unique across the attributes and base DNs specified in each
 plugin configuration. Therefore only group attributes together in the
 same configuration if you want each value to be unique for all
 attributes. For example, you might create a single plugin configuration
 for telephone, fax, mobile, and pager numbers. As an alternative
 example, suppose user IDs are numeric, that user entries also specify
 <literal>uidNumber</literal>, and that user IDs are normally the same as
 their <literal>uidNumber</literal>s. In that case you create separate
 unique attribute configurations for <literal>uid</literal> and
 <literal>uidNumber</literal>.</para>

 <stepalternatives>
 <step>
 <para>If you want to add the attribute to an existing plugin
 configuration, do so as shown in the following example, which uses the
 plugin configuration from <xref linkend="enable-unique-uids" />.</para>

 <screen>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --add type:mobile \
 --trustAll \
 --no-prompt</userinput>
 </screen>
 </step>

 <step>
 <para>If you want to create a new plugin configuration, do so as shown in
 the following example.</para>

 <screen>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique mobile numbers" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:ou=people,dc=example,dc=com \
 --set type:mobile \
 --trustAll \
 --no-prompt</userinput>
 </screen>
 </step>
 </stepalternatives>
 </step>
 <step>
 <para>Check that the plugin is working correctly.</para>

 <screen>
$ <userinput>cat mobile.ldif</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212

dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212</computeroutput>

$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename mobile.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for
 attribute mobile: value +1 828 555 1212 already exists in entry
 uid=ajensen,ou=People,dc=example,dc=com</computeroutput>
 </screen>
 </step>
 </procedure>

 <procedure xml:id="unique-attributes-scoped">
 <title>To Limit The Scope of Uniqueness</title>

 <para>In some cases you need attribute uniqueness separately for different
 base DNs in your directory. For example, you need all <literal>uid</literal>
 values to remain unique both for users in <literal>dc=example,dc=com</literal>
 and <literal>dc=example,dc=org</literal>, but it is not a problem to have
 one entry under each base DN with the same user ID, as the organizations are
 separate. The following steps demonstrate how to limit the scope of uniqueness
 by creating separate configuration entries for the unique attribute
 plugin.</para>

 <step>
 <para>If the attribute you target is not indexed for equality by default,
 index the attribute for equality.</para>

 <para>See <link xlink:show="new" xlink:href="admin-guide#configure-indexes"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring &amp;
 Rebuilding Indexes</citetitle></link> for instructions.</para>

 <para>The examples in this procedure target the user ID attribute,
 <literal>uid</literal>, which is indexed for equality by default.</para>
 </step>

 <step>
 <para>For each base DN, set up a configuration entry that ensures the
 target attribute values are unique.</para>

 <screen>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique Example.com UIDs" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:dc=example,dc=com \
 --set type:uid \
 --trustAll \
 --no-prompt</userinput>

$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique Example.org UIDs" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:dc=example,dc=org \
 --set type:uid \
 --trustAll \
 --no-prompt</userinput>
 </screen>
 </step>

 <step>
 <para>Check that the plugin is working correctly.</para>

 <screen>
$ <userinput>cat uniq-ids.ldif</userinput>
<computeroutput>dn: uid=unique,ou=People,dc=example,dc=com
uid: unique
givenName: Unique
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Unique Person
sn: Person
userPassword: 1Mun1qu3

dn: uid=unique,ou=People,dc=example,dc=org
uid: unique
givenName: Unique
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Unique Person
sn: Person
userPassword: 1Mun1qu3

dn: uid=copycat,ou=People,dc=example,dc=com
uid: unique
uid: copycat
givenName: Copycat
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Copycat Person
sn: Person
userPassword: copycopy</computeroutput>

$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename uniq-ids.ldif</userinput>
<computeroutput>Processing ADD request for uid=unique,ou=People,dc=example,dc=com
ADD operation successful for DN uid=unique,ou=People,dc=example,dc=com
Processing ADD request for uid=unique,ou=People,dc=example,dc=org
ADD operation successful for DN uid=unique,ou=People,dc=example,dc=org
Processing ADD request for uid=copycat,ou=People,dc=example,dc=com
ADD operation failed
Result Code: 19 (Constraint Violation)
Additional Information: A unique attribute conflict was detected for
 attribute uid: value unique already exists in entry
 uid=unique,ou=People,dc=example,dc=com</computeroutput>
 </screen>
 </step>
 </procedure>

 <procedure xml:id="unique-attributes-repl">
 <title>To Ensure Unique Attribute Values With Replication</title>
 <indexterm>
 <primary>Replication</primary>
 <secondary>Unique attributes</secondary>
 </indexterm>
 <para>The unique attribute plugin ensures unique attribute values on the
 directory server where the attribute value is updated. If client applications
 separately write the same attribute value at the same time on different
 directory replicas, it is possible that both servers consider the duplicate
 value unique, especially if the network is down between the replicas.</para>

 <step>
 <para>Enable the plugin identically on all replicas.</para>
 </step>
 <step>
 <para>To avoid duplicate values where possible, try one of the following
 solutions.</para>
 <stepalternatives>
 <step>
 <para>Use a load balancer or proxy technology to direct all updates
 to the unique attribute to the same directory server.</para>
 <para>The drawback here is the need for an additional component to
 direct the updates to the same server, and to manage failover should that
 server go down.</para>
 </step>
 <step>
 <para>Configure safe read mode assured replication between replicas
 storing the unique attribute.</para>
 <para>The drawbacks here are the cost of safe read assured replication,
 and the likelihood that assured replication can enter degraded mode during
 a network outage, thus continuing to allow updates during the
 outage.</para>
 </step>
 </stepalternatives>
 </step>
 </procedure>
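
 <para>The following added example is not part of the OpenDJ documentation
 or tooling. It audits an LDIF export for duplicate values that the unique
 attribute plugin could not reject because they were written on different
 replicas, applying the same scoping the procedures above configure. The
 <literal>RULES</literal> list, the sample LDIF, and the simplified value and
 DN normalization are assumptions made for the example.</para>

```python
"""Audit an LDIF export for values that break unique-attribute rules."""
import base64
from collections import defaultdict

# Constructed rules mirroring the plugin configurations shown in this chapter:
# one instance per suffix for uid, plus one instance for mobile numbers.
RULES = [
    {"name": "Unique Example.com UIDs", "types": ["uid"],
     "base_dns": ["dc=example,dc=com"]},
    {"name": "Unique Example.org UIDs", "types": ["uid"],
     "base_dns": ["dc=example,dc=org"]},
    {"name": "Unique mobile numbers", "types": ["mobile"],
     "base_dns": ["ou=people,dc=example,dc=com"]},
]

# Constructed sample export: the state replicas could converge to after each
# accepted a write for the same value while disconnected from the other.
SAMPLE_LDIF = """\
dn: uid=unique,ou=People,dc=example,dc=com
uid: unique
mobile: +1 828 555 1212

dn: uid=unique,ou=People,dc=example,dc=org
uid: unique

dn: uid=copycat,ou=People,dc=example,dc=com
uid: copycat
uid: Unique
mobile:: KzEgODI4IDU1NSAxMjEy
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from LDIF content records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # unfold a continuation line
        else:
            lines.append(raw)
    lines = [line for line in lines if not line.startswith("#")]
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: value" is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        name = name.split(";")[0].lower()  # drop attribute options
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def norm_value(value):
    # Assumption: approximates the server's equality matching by ignoring
    # case and collapsing runs of whitespace.
    return " ".join(value.lower().split())


def norm_dn(dn):
    # Assumption: simplified DN normalization, no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn, base_dns):
    ndn = norm_dn(dn)
    bases = [norm_dn(base) for base in base_dns]
    return any(ndn == base or ndn.endswith("," + base) for base in bases)


def find_conflicts(entries, rules):
    """Return sorted (rule name, value, [DNs]) for values on 2+ entries.

    As in the plugin, a value must be unique across all attribute types
    and all base DNs listed in one rule.
    """
    conflicts = []
    for rule in rules:
        types = {t.lower() for t in rule["types"]}
        holders = defaultdict(set)
        for dn, attrs in entries:
            if not in_scope(dn, rule["base_dns"]):
                continue
            for attr in types.intersection(attrs):
                for value in attrs[attr]:
                    holders[norm_value(value)].add(norm_dn(dn))
        for value, dns in holders.items():
            if len(dns) > 1:
                conflicts.append((rule["name"], value, sorted(dns)))
    return sorted(conflicts)


if __name__ == "__main__":
    for rule_name, value, dns in find_conflicts(parse_ldif(SAMPLE_LDIF), RULES):
        print(f"{rule_name}: {value!r} held by {', '.join(dns)}")
```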
</chapter>