slapo-constraint - Attribute Constraint Overlay to slapd
SYNOPSIS
/etc/ldap/slapd.conf
DESCRIPTION
The constraint overlay is used to ensure that attribute values match
some constraints beyond basic LDAP syntax. Attributes can
have multiple constraints placed upon them, and all must be satisfied
when modifying an attribute value under constraint.
This overlay is intended to be used to force syntactic regularity upon
certain string represented data which have well known canonical forms,
like telephone numbers, post codes, FQDNs, etc.
It constrains only LDAP add, modify and rename commands
and only seeks to control the add and replace values
of modify and rename requests.
No constraints are applied for operations performed with the
relax
control set.
CONFIGURATION
This
slapd.conf
option applies to the constraint overlay.
It should appear after the
overlay
directive.
Specifies the constraint which should apply to the comma-separated
attribute list named as the first parameter.
Five types of constraint are currently supported -
regex,
size,
count,
uri,
and
set.
The parameter following the
regex
type is a Unix style regular expression (See
regex(7)
). The parameter following the
uri
type is an LDAP URI. The URI will be evaluated using an internal search.
It must not include a hostname, and it must include a list of attributes
to evaluate.
The parameter following the
set
type is a string that is interpreted according to the syntax in use
for ACL sets. This allows to construct constraints based on the contents
of the entry.
The
size
type can be used to enforce a limit on an attribute length, and the
count
type limits the number of values of an attribute.
Extra parameters can occur in any order after those described above.
<extra> : restrict=<uri>
This extra parameter allows to restrict the application of the corresponding
constraint only to entries that match the
base,
scope
and
filter
portions of the LDAP URI.
The
base,
if present, must be within the naming context of the database.
The
scope
is only used when the
base
is present; it defaults to
base.
The other parameters of the URI are not allowed.
Any attempt to add or modify an attribute named as part of the
constraint overlay specification which does not fit the
constraint listed will fail with a
LDAP_CONSTRAINT_VIOLATION error.
A specification like the above would reject any
mail
attribute which did not look like
<alpha-numeric string>@mydomain.com.
It would also reject any
title
attribute whose values were not listed in the
title
attribute of any
titleCatalog
entries in the given scope. (Note that the
"dc=catalog,dc=example,dc=com" subtree ought to reside
in a separate database, otherwise the initial set of
titleCatalog entries could not be populated while the
constraint is in effect.)
Finally, it requires the values of the attribute
cn
to be constructed by pairing values of the attributes
sn
and
givenName,
separated by a space, but only for entries derived from the objectClass
inetOrgPerson.
This module was written in 2005 by Neil Dunbar of Hewlett-Packard and subsequently
extended by Howard Chu and Emmanuel Dreyfus.
OpenLDAP Software
is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>.
OpenLDAP Software
is derived from University of Michigan LDAP 3.3 Release.