Hello, all. We would like to enforce unique cn for groupofuniquenames only and only under a specific part of the DIT.
I'll illustrate with:
O=Internal,DC=mycompany,DC=com
O=External,DC=mycompany,DC=com
So we want to enforce unique CNs on groups under Internal but not under External, and only CNs on groups (because our current DN-based uniqueness constraint on CN means we can't create multiple password policy nsContainer objects under Internal).
If we set nsslapd-pluginarg1 to "O=Internal,DC=mycompany,DC=com", we enforce uniqueness in that container but for all objects.
Although we haven't tried it (lest we create a bigger problem than we already have!), I believe if we set nsslapd-pluginarg1 to markerObjectClass=O and nsslapd-pluginarg2 to requiredObjectClass=groupofuniquenames, it will enforce CN uniqueness on groups but will do so both in Internal AND External. Is that correct?
So is it possible to combine them somehow to achieve what we want? Thanks - John
On 04/27/2012 02:35 PM, John A. Sullivan III wrote:
<snip>
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Unless I am incorrect, this could be an RFE; attribute uniqueness is currently implemented for a specific attribute in either a suffix or subtree, or defined by objectclass in the whole tree, not both.
It depends on how those groups are organized; the subtree or suffix definition could be enough, using something similar to:
nsslapd-pluginarg0: some-attribute
nsslapd-pluginarg1: some-suffix-or-subtree-dn
For example, in IPA, for CN uniqueness in a netgroup subtree cn=ng,cn=alt,dc=example,dc=com:
dn: cn=netgroup uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: netgroup uniqueness
nsslapd-pluginPath: libattr-unique-plugin
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: cn
nsslapd-pluginarg1: cn=ng,cn=alt,dc=example,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 1.2.9.14
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Enforce unique attribute values
I believe the markerObjectClass and requiredObjectClass are not designed to be mixed with the suffix or subtree definitions of the attribute uniqueness plug-in. For markerObjectClass, the subtree is defined by the location of the marker object class, or its parent entry, so if the scope is controlled with requiredObjectClass groupofuniquenames it may parse entries in both subtrees, internal and external, in your example. It seems to me you cannot use both definitions, but I could be wrong.
Reference: ldap/servers/plugins/uiduniq/uid.c and 5.1.4.2. Specifying One Attribute and Multiple Subtrees http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/pdf/Administr...
M.
On Fri, 2012-04-27 at 18:09 -0700, Marc Sauton wrote:
<snip>
Thank you, Marc. That's how I read it, too, unfortunately.
I wonder if there is another way around our real problem. Using the same example as above:
O=Internal,DC=mycompany,DC=com
O=External,DC=mycompany,DC=com
we need to create subtree password policies for various OUs under O=Internal, which is also where we need cn uniqueness for groups. The problem, I think, is that we need nsContainer objects at each OU with a password policy where the cn is specifically "nsPwPolicyContainer". Since that is the cn for several different objects, we are getting duplicate errors on all attempts to create the custom password policy after the first one. I assume there is no way to exempt a specific object from a uniqueness constraint, is there? Thanks - John
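The two scoping modes Marc describes (attribute plus subtree DN, versus markerObjectClass plus requiredObjectClass) and the nsPwPolicyContainer collision John runs into can be played through with a small model of the plug-in's scope decision. This is an added example and is not code from this thread or from 389 DS. It builds a constructed DIT that mirrors the example above (ou=Eng, ou=Ops, ou=Partners and the cn=admins groups are my invention), and the scoping rules it implements are my reading of the plug-in documentation, simplified: DNs are split on commas with no escape handling, and the marker-mode search is modelled as "climb to the nearest ancestor carrying the marker objectclass, then look for the same value on entries of the required objectclass under it".

```python
# Added example, not code from this thread or from 389 DS: a model of how the
# attribute-uniqueness plug-in scopes its check, run against a constructed DIT.
# DN handling is simplified (split on commas, no escaping); the scoping rules
# are my reading of the admin-guide section cited above.
from dataclasses import dataclass

def norm(dn):
    """Lower-case and strip each RDN so DNs compare reliably."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parent(dn):
    parts = norm(dn).split(",")
    return ",".join(parts[1:]) if len(parts) > 1 else None

def is_under(dn, base):
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def entry(*ocs, **attrs):
    """Entry as {attr: {values}}, attribute and objectclass names lower-cased."""
    e = {"objectclass": {o.lower() for o in ocs}}
    e.update({k.lower(): {v} for k, v in attrs.items()})
    return e

@dataclass
class SubtreeScope:  # nsslapd-pluginarg0: <attr>, nsslapd-pluginarg1: <subtree dn>
    attr: str
    subtree: str

@dataclass
class MarkerScope:  # markerObjectClass=<oc>, requiredObjectClass=<oc>
    attr: str
    marker_oc: str
    required_oc: "str | None" = None

def scope_base(dit, new_dn, new_entry, cfg):
    """Subtree in which the new value must be unique; None if cfg does not apply."""
    if isinstance(cfg, SubtreeScope):
        return norm(cfg.subtree) if is_under(new_dn, cfg.subtree) else None
    if cfg.required_oc and cfg.required_oc.lower() not in new_entry["objectclass"]:
        return None
    # Marker mode: climb from the parent until an ancestor carries the marker
    # objectclass; that ancestor's subtree is the uniqueness domain.
    dn = parent(new_dn)
    while dn is not None:
        if cfg.marker_oc.lower() in dit.get(dn, {}).get("objectclass", set()):
            return dn
        dn = parent(dn)
    return None

def conflicts(dit, new_dn, new_entry, cfg):
    """DNs of existing entries that would make this ADD fail under cfg."""
    base = scope_base(dit, new_dn, new_entry, cfg)
    if base is None:
        return []
    wanted = {v.lower() for v in new_entry.get(cfg.attr, set())}
    hits = []
    for dn, e in dit.items():
        if norm(dn) == norm(new_dn) or not is_under(dn, base):
            continue
        # Marker mode: the search filter also requires the objectclass,
        # so entries of other classes (e.g. nsContainer) never collide.
        if isinstance(cfg, MarkerScope) and cfg.required_oc \
                and cfg.required_oc.lower() not in e["objectclass"]:
            continue
        if wanted & {v.lower() for v in e.get(cfg.attr, set())}:
            hits.append(dn)
    return hits

BASE = "dc=mycompany,dc=com"
GROUP = entry("groupOfUniqueNames", cn="admins")
PWP = entry("nsContainer", cn="nsPwPolicyContainer")
SUBTREE = SubtreeScope("cn", f"o=Internal,{BASE}")
MARKER = MarkerScope("cn", "organization", "groupOfUniqueNames")

def sample_dit():
    """Constructed DIT mirroring the thread's example (not real data)."""
    rows = [
        (BASE, entry("domain", dc="mycompany")),
        (f"o=Internal,{BASE}", entry("organization", o="Internal")),
        (f"o=External,{BASE}", entry("organization", o="External")),
        (f"ou=Eng,o=Internal,{BASE}", entry("organizationalUnit", ou="Eng")),
        (f"ou=Ops,o=Internal,{BASE}", entry("organizationalUnit", ou="Ops")),
        (f"cn=admins,ou=Eng,o=Internal,{BASE}", GROUP),
        (f"cn=admins,o=External,{BASE}", GROUP),
        (f"cn=nsPwPolicyContainer,ou=Eng,o=Internal,{BASE}", PWP),
    ]
    return {norm(dn): e for dn, e in rows}

def demo():
    """Attempt three ADDs from the thread under both configurations."""
    dit = sample_dit()
    adds = {
        "pwpolicy-ops": (f"cn=nsPwPolicyContainer,ou=Ops,o=Internal,{BASE}", PWP),
        "group-ops": (f"cn=admins,ou=Ops,o=Internal,{BASE}", GROUP),
        "group-external": (f"cn=admins,ou=Partners,o=External,{BASE}", GROUP),
    }
    return {f"{mode}/{name}": conflicts(dit, dn, e, cfg)
            for name, (dn, e) in adds.items()
            for mode, cfg in (("subtree", SUBTREE), ("marker", MARKER))}
```

Calling demo() shows the trade-off in one table: with the subtree configuration the second nsPwPolicyContainer under ou=Ops is rejected because of the one under ou=Eng, while a duplicate group name under o=External is accepted; with the marker configuration the password policy container is accepted (wrong objectclass, so out of scope), but a duplicate group name under o=External is now rejected too, because o=External also carries the organization objectclass. The model only encodes the documented scoping rules, so before changing cn=config on a production server, reproduce the same three ADDs against a test instance to confirm the real plug-in behaves the same way.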
John A. Sullivan III wrote:
<snip>
It may make the db topology more complicated, but how about making O=Internal and O=External sub suffixes of DC=mycompany,DC=com?
That way you could make these 2 trees independent from each other...
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administ... --noriko
On Mon, 2012-04-30 at 10:16 -0700, Noriko Hosoi wrote:
<snip>
Interesting. So you are saying that, by splitting the database, I can use a markerObject uniqueness plugin for organizations in O=Internal restricted to groups and not have it affect O=External because that is a separate database? Yet I would be able to search globally by searching at the top level dc=mycompany,dc=com level?
Hmm . . . but if the plugin is held in config, how does it know to apply to one suffix and not another if I am using markerObjects? Thanks - John