Unique attributes in OpenDJ
Sometimes you need to make certain attributes unique. For example, if LDAP holds system users, the uid
attribute must not repeat anywhere in the system.
OpenDJ ships with a suitable plugin, but it is not enabled by default. In a mail system the mail attribute
should be unique as well. There is no ready-to-use plugin for that, but one can easily be created based on the UID Unique Attribute plugin, this description and this one.
But I did not write this post to send you to other pages. I would like to show you how to add a plugin with dsconfig
and how to copy it to a replica with an LDIF export/import.
root@ldapdj1:~# dsconfig -D cn=dirmgr -h localhost -p 4444 -X

>>>> Specify OpenDS LDAP connection parameters

Password for user 'cn=dirmgr':

>>>> OpenDS configuration console main menu

What do you want to configure?

    1)  Access Control Handler                 23)  Log Rotation Policy
    2)  Account Status Notification Handler    24)  Matching Rule
    3)  Administration Connector               25)  Monitor Provider
    4)  Alert Handler                          26)  Network Group
    5)  Attribute Syntax                       27)  Network Group QOS Policy
    6)  Backend                                28)  Password Generator
    7)  Certificate Mapper                     29)  Password Policy
    8)  Connection Handler                     30)  Password Storage Scheme
    9)  Crypto Manager                         31)  Password Validator
    10) Debug Target                           32)  Plugin
    11) Entry Cache                            33)  Plugin Root
    12) Extended Operation Handler             34)  Replication Domain
    13) Extension                              35)  Replication Server
    14) External Changelog Domain              36)  Root DN
    15) Global Configuration                   37)  Root DSE Backend
    16) Group Implementation                   38)  SASL Mechanism Handler
    17) Identity Mapper                        39)  Synchronization Provider
    18) Key Manager Provider                   40)  Trust Manager Provider
    19) Local DB Index                         41)  Virtual Attribute
    20) Local DB VLV Index                     42)  Work Queue
    21) Log Publisher                          43)  Workflow
    22) Log Retention Policy                   44)  Workflow Element

    q)  quit

Enter choice: 32

>>>> Plugin management menu

What would you like to do?

    1)  List existing Plugins
    2)  Create a new Plugin
    3)  View and edit an existing Plugin
    4)  Delete an existing Plugin

    b)  back
    q)  quit

Enter choice [b]: 1

Plugin                             : Type                            : enabled
-----------------------------------:---------------------------------:--------
7-Bit Clean                        : seven-bit-clean                 : false
Change Number Control              : change-number-control           : true
Entry UUID                         : entry-uuid                      : true
Fractional Replication LDIF Import : fractional-ldif-import          : true
LastMod                            : last-mod                        : true
LDAP Attribute Description List    : ldap-attribute-description-list : true
Password Policy Import             : password-policy-import          : true
Profiler                           : profiler                        : true
Referential Integrity              : referential-integrity           : false
UID Unique Attribute               : unique-attribute                : false
As you can see above, the UID Unique Attribute plugin is not enabled. To enable it you just need to set enabled to true. I will omit that step; instead, let's create a new plugin:
What would you like to do?

    1)  List existing Plugins
    2)  Create a new Plugin
    3)  View and edit an existing Plugin
    4)  Delete an existing Plugin

    b)  back
    q)  quit

Enter choice [b]: 2

>>>> Select the type of Plugin that you want to create:

    1)  Change Number Control Plugin         7)   Password Policy Import Plugin
    2)  Entry UUID Plugin                    8)   Profiler Plugin
    3)  Fractional LDIF Import Plugin        9)   Referential Integrity Plugin
    4)  Last Mod Plugin                      10)  Seven Bit Clean Plugin
    5)  LDAP Attribute Description List      11)  Unique Attribute Plugin
        Plugin
    6)  Network Group Plugin

    ?)  help
    c)  cancel
    q)  quit

Enter choice : 11

>>>> Enter a name for the Unique Attribute Plugin that you want to create: Mail Unique Attribute

>>>> Configuring the "enabled" property

    Indicates whether the plug-in is enabled for use.

Select a value for the "enabled" property:

    1)  true
    2)  false

    ?)  help
    c)  cancel
    q)  quit

Enter choice : 1

>>>> Configuring the "type" property

    Specifies the type of attributes to check for value uniqueness.

    Syntax:  OID

Enter a value for the "type" property: mail
Enter another value for the "type" property [continue]:

>>>> Configure the properties of the Unique Attribute Plugin

    Property     Value(s)
    -----------------------------------------------------------------------
    1)  base-dn  The plug-in uses the server's public naming contexts in the
                 searches.
    2)  enabled  true
    3)  type     mail

    ?)  help
    f)  finish - create the new Unique Attribute Plugin
    c)  cancel
    q)  quit

Enter choice [f]:

The Unique Attribute Plugin was created successfully

Press RETURN to continue
Simple and intuitive, but I would like to point out that:
- you can create plugins for your own attributes, even ones added to OpenDJ as a schema extension
- attributes for which a unique plugin is enabled should be indexed for equality (eq), since the plugin searches for the value on every add or modify
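The plugin only checks values when entries are added, modified or renamed, so duplicates that already exist in the data are not reported when it is enabled. As an added example (not code from this post or from OpenDJ), the Python script below scans an LDIF export for values of a chosen attribute held by more than one entry, unfolding continuation lines and decoding base64 values as an export may contain them; the sample LDIF, its DNs and mail values are constructed.

```python
import base64
from collections import defaultdict
# Constructed sample export (not from the post): alice and bob share one mail
# value (differing in case, bob's base64-encoded); carol's value is line-folded.
SAMPLE_LDIF = """version: 1
dn: uid=alice,ou=people,dc=example,dc=com
mail: Alice@Example.com

dn: uid=bob,ou=people,dc=example,dc=com
mail:: YWxpY2VAZXhhbXBsZS5jb20=

dn: uid=carol,ou=people,dc=example,dc=com
mail: carol@exam
 ple.com
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding lines and decoding '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # RFC 2849 folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif line[0] != "#" and not line.startswith("version:"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
    return entries

def find_duplicates(entries, attr):
    """Values of attr held by more than one entry, compared case-insensitively like mail's equality match."""
    holders = defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get(attr.lower(), []):
            holders[value.lower()].append(dn)
    return {v: dns for v, dns in holders.items() if len(dns) > 1}
```

Run it over a real export-ldif output before enabling the plugin; any value it reports has to be cleaned up by hand, because the plugin will not reject it retroactively.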
If multi-master replication is configured, you also need to add these plugins to the second server. You can do this with dsconfig
in interactive or non-interactive mode, but I think it is faster and simpler with an LDIF export/import. Connect to the LDAP server with the control panel or another tool; personally I use Eclipse with the LDAP plugin, connected to the 4444 SSL port with a base DN of cn=config. Now select the proper branch, cn=Plugins,cn=config, choose cn=Mail Unique Attribute and export it to LDIF, saved to disk as Mail-unique.ldif:
# cat Mail-unique.ldif
version: 1
dn: cn=Mail Unique Attribute,cn=Plugins,cn=config
objectClass: ds-cfg-unique-attribute-plugin
objectClass: ds-cfg-plugin
objectClass: top
cn: Mail Unique Attribute
ds-cfg-enabled: true
ds-cfg-java-class: org.opends.server.plugins.UniqueAttributePlugin
ds-cfg-plugin-type: postoperationadd
ds-cfg-plugin-type: postoperationmodify
ds-cfg-plugin-type: postoperationmodifydn
ds-cfg-plugin-type: postsynchronizationadd
ds-cfg-plugin-type: postsynchronizationmodify
ds-cfg-plugin-type: postsynchronizationmodifydn
ds-cfg-plugin-type: preoperationadd
ds-cfg-plugin-type: preoperationmodify
ds-cfg-plugin-type: preoperationmodifydn
ds-cfg-type: mail
Upload the LDIF file to the second server and import it:
# ldapmodify -a -D cn=dirmgr -h localhost -X -f Mail-unique.ldif
Password for user 'cn=dirmgr':
Processing ADD request for cn=Mail Unique Attribute,cn=Plugins,cn=config
ADD operation successful for DN cn=Mail Unique Attribute,cn=Plugins,cn=config
You can also do this with a GUI connected to the second server, but I wanted to show you how to do it manually 🙂