{"id":341,"date":"2011-07-25T15:31:01","date_gmt":"2011-07-25T15:31:01","guid":{"rendered":""},"modified":"2016-02-22T11:33:41","modified_gmt":"2016-02-22T10:33:41","slug":"unique-attributes-opendj","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/unique-attributes-opendj\/","title":{"rendered":"Unique attributes in OpenDJ"},"content":{"rendered":"<p>Sometimes you need to make certain attributes unique. For example, if LDAP contains system users, the <code>uid<\/code> attribute should not repeat anywhere in the system.<br \/>\nOpenDJ is equipped with a suitable plugin, but it&#8217;s not enabled by default. In a mail system, the <code>mail<\/code> attribute should be unique. There is no ready-to-use plugin for that, but we can easily create one based on <b>UID Unique Attribute<\/b>, <a href=\"https:\/\/www.opends.org\/1.0\/page\/HowToEnsureAttributeUniqueness#section-HowToEnsureAttributeUniqueness-OverviewOfTheUniqueAttributePlugIn\">this description<\/a> and <a href=\"http:\/\/opendj.forgerock.org\/doc\/admin-guide\/OpenDJ-Admin-Guide\/chap-attribute-uniqueness.html\">this one<\/a>.<\/p>\n<p>But I didn&#8217;t write this post to send you to other pages. 
I would like to show you how to add a plugin with <code>dsconfig<\/code> and how to copy it to a replica with LDIF export\/import.<br \/>\n<!--more--><\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">root@ldapdj1:~# dsconfig -D cn=dirmgr -h localhost -p 4444 -X<\/pre>\n<pre>\r\n>>>> Specify OpenDS LDAP connection parameters\r\n\r\nPassword for user 'cn=dirmgr': \r\n\r\n>>>> OpenDS configuration console main menu\r\n\r\nWhat do you want to configure?\r\n\r\n    1)   Access Control Handler               23)  Log Rotation Policy\r\n    2)   Account Status Notification Handler  24)  Matching Rule\r\n    3)   Administration Connector             25)  Monitor Provider\r\n    4)   Alert Handler                        26)  Network Group\r\n    5)   Attribute Syntax                     27)  Network Group QOS Policy\r\n    6)   Backend                              28)  Password Generator\r\n    7)   Certificate Mapper                   29)  Password Policy\r\n    8)   Connection Handler                   30)  Password Storage Scheme\r\n    9)   Crypto Manager                       31)  Password Validator\r\n    10)  Debug Target                         32)  Plugin\r\n    11)  Entry Cache                          33)  Plugin Root\r\n    12)  Extended Operation Handler           34)  Replication Domain\r\n    13)  Extension                            35)  Replication Server\r\n    14)  External Changelog Domain            36)  Root DN\r\n    15)  Global Configuration                 37)  Root DSE Backend\r\n    16)  Group Implementation                 38)  SASL Mechanism Handler\r\n    17)  Identity Mapper                      39)  Synchronization Provider\r\n    18)  Key Manager Provider                 40)  Trust Manager Provider\r\n    19)  Local DB Index                       41)  Virtual Attribute\r\n    20)  Local DB VLV Index                   42)  Work Queue\r\n    21)  Log Publisher                        43)  Workflow\r\n    22)  Log Retention Policy    
             44)  Workflow Element\r\n\r\n    q)   quit\r\n\r\nEnter choice: 32\r\n\r\n\r\n>>>> Plugin management menu\r\n\r\nWhat would you like to do?\r\n\r\n    1)  List existing Plugins\r\n    2)  Create a new Plugin\r\n    3)  View and edit an existing Plugin\r\n    4)  Delete an existing Plugin\r\n\r\n    b)  back\r\n    q)  quit\r\n\r\nEnter choice [b]: 1\r\n\r\n\r\nPlugin                             : Type                            : enabled\r\n-----------------------------------:---------------------------------:--------\r\n7-Bit Clean                        : seven-bit-clean                 : false\r\nChange Number Control              : change-number-control           : true\r\nEntry UUID                         : entry-uuid                      : true\r\nFractional Replication LDIF Import : fractional-ldif-import          : true\r\nLastMod                            : last-mod                        : true\r\nLDAP Attribute Description List    : ldap-attribute-description-list : true\r\nPassword Policy Import             : password-policy-import          : true\r\nProfiler                           : profiler                        : true\r\nReferential Integrity              : referential-integrity           : false\r\nUID Unique Attribute               : unique-attribute                : false\r\n<\/pre>\n<p>As you can see above, the <b>UID Unique Attribute<\/b> plugin is not enabled. To enable it you just need to set <b>enabled<\/b> to <b>true<\/b>. 
I will omit this step, let&#8217;s make a new plugin:<\/p>\n<pre>\r\nWhat would you like to do?\r\n\r\n    1)  List existing Plugins\r\n    2)  Create a new Plugin\r\n    3)  View and edit an existing Plugin\r\n    4)  Delete an existing Plugin\r\n\r\n    b)  back\r\n    q)  quit\r\n\r\nEnter choice [b]: 2\r\n\r\n\r\n&gt;&gt;&gt;&gt; Select the type of Plugin that you want to create:\r\n\r\n    1)  Change Number Control Plugin          7)   Password Policy Import\r\n                                                   Plugin\r\n    2)  Entry UUID Plugin                     8)   Profiler Plugin\r\n    3)  Fractional LDIF Import Plugin         9)   Referential Integrity\r\n                                                   Plugin\r\n    4)  Last Mod Plugin                       10)  Seven Bit Clean Plugin\r\n    5)  LDAP Attribute Description List       11)  Unique Attribute Plugin\r\n        Plugin                                     \r\n    6)  Network Group Plugin                       \r\n\r\n    ?)  help\r\n    c)  cancel\r\n    q)  quit\r\n\r\nEnter choice : 11\r\n\r\n\r\n&gt;&gt;&gt;&gt; Enter a name for the Unique Attribute Plugin that you want to create: Mail Unique Attribute\r\n\r\n\r\n&gt;&gt;&gt;&gt; Configuring the \"enabled\" property\r\n\r\n    Indicates whether the plug-in is enabled for use.\r\n\r\nSelect a value for the \"enabled\" property:\r\n\r\n    1)  true\r\n    2)  false\r\n\r\n    ?)  
help\r\n    c)  cancel\r\n    q)  quit\r\n\r\nEnter choice : 1\r\n\r\n\r\n&gt;&gt;&gt;&gt; Configuring the \"type\" property\r\n\r\n    Specifies the type of attributes to check for value uniqueness.\r\n\r\n    Syntax:  OID\r\n\r\nEnter a value for the \"type\" property: mail\r\n\r\nEnter another value for the \"type\" property [continue]: \r\n\r\n\r\n&gt;&gt;&gt;&gt; Configure the properties of the Unique Attribute Plugin\r\n\r\n        Property  Value(s)\r\n        -----------------------------------------------------------------------\r\n    1)  base-dn   The plug-in uses the server's public naming contexts in the\r\n                  searches.\r\n    2)  enabled   true\r\n    3)  type      mail\r\n\r\n    ?)  help\r\n    f)  finish - create the new Unique Attribute Plugin\r\n    c)  cancel\r\n    q)  quit\r\n\r\nEnter choice [f]: \r\n\r\nThe Unique Attribute Plugin was created successfully\r\n\r\nPress RETURN to continue \r\n<\/pre>\n<p>Simple and intuitive, but I would like to point out that:<\/p>\n<ul>\n<li>you can create plugins for your own attributes, even ones added to OpenDJ as a schema extension<\/li>\n<li>attributes for which a unique attribute plugin is enabled should be indexed for equality (eq)<\/li>\n<\/ul>\n<p>If multi-master replication is configured, you also need to add these plugins to the second server. You can do this with <code>dsconfig<\/code> in interactive or non-interactive mode, but I think it will be faster and simpler with LDIF export\/import. You can connect to LDAP with <b>control-panel<\/b> or another tool. Personally, I use <b>Eclipse<\/b> with an LDAP plugin, which I connect to SSL port 4444 with a base DN of <code>cn=config<\/code>. 
Now select the <code>cn=Plugins,cn=config<\/code> branch, choose <code>cn=Mail Unique Attribute<\/code> and export it to LDIF, which will be saved to disk as Mail-unique.ldif:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\"># cat Mail-unique.ldif<\/pre>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nversion: 1\r\n\r\ndn: cn=Mail Unique Attribute,cn=Plugins,cn=config\r\nobjectClass: ds-cfg-unique-attribute-plugin\r\nobjectClass: ds-cfg-plugin\r\nobjectClass: top\r\ncn: Mail Unique Attribute\r\nds-cfg-enabled: true\r\nds-cfg-java-class: org.opends.server.plugins.UniqueAttributePlugin\r\nds-cfg-plugin-type: postoperationadd\r\nds-cfg-plugin-type: postoperationmodify\r\nds-cfg-plugin-type: postoperationmodifydn\r\nds-cfg-plugin-type: postsynchronizationadd\r\nds-cfg-plugin-type: postsynchronizationmodify\r\nds-cfg-plugin-type: postsynchronizationmodifydn\r\nds-cfg-plugin-type: preoperationadd\r\nds-cfg-plugin-type: preoperationmodify\r\nds-cfg-plugin-type: preoperationmodifydn\r\nds-cfg-type: mail\r\n\r\n<\/pre>\n<p>Upload the LDIF file to the second server and import it:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\"># ldapmodify -a -D cn=dirmgr -h localhost -X -f Mail-unique.ldif<\/pre>\n<pre>\r\nPassword for user 'cn=dirmgr':\r\nProcessing ADD request for cn=Mail Unique Attribute,cn=Plugins,cn=config\r\nADD operation successful for DN cn=Mail Unique Attribute,cn=Plugins,cn=config\r\n<\/pre>\n<p>You can also do this with a GUI connected to the second server, but I wanted to show you how to do this manually :)<\/p>","protected":false},"excerpt":{"rendered":"<p>Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. 
You may click the link to switch the active language.Czasem istnieje&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[115],"tags":[6,88],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-5v","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/341"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=341"}],"version-history":[{"count":4,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/341\/revisions"}],"predecessor-version":[{"id":585,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/341\/revisions\/585"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}