Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Maintaining Referential Integrity

Referential integrity is a plug-in mechanism that ensures that relationships between entries are maintained. Several types of attributes, such as those for group membership, contain the DN of another entry. Referential integrity can be used to ensure that when an entry is removed, all attributes that contain its DN are also removed.

For example, if a user’s entry is removed from the directory and referential integrity is enabled, the server also removes the user from any groups of which the user is a member. If referential integrity is not enabled, the administrator must remove the user from the group manually. This is an important feature if you are integrating Directory Server with other Sun Java System products that rely on the directory for user and group management.

How Referential Integrity Works

When the referential integrity plug-in is enabled, it performs integrity updates on specified attributes immediately after a delete, rename, or move operation. By default, the referential integrity plug-in is disabled.

Whenever you delete, rename, or move a user or group entry in the directory, the operation is logged to the referential integrity log file:

instance-path/logs/referint

After a specified time, known as the update interval, the server performs a search on all attributes for which referential integrity is enabled, and matches the entries resulting from that search with the DNs of deleted or modified entries present in the log file. If the log file shows that the entry was deleted, the corresponding attribute is deleted. If the log file shows that the entry was changed, the corresponding attribute value is modified accordingly.
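As an added illustration (not code from the guide or from Directory Server itself), the following Python model walks through the update pass just described: a logged delete removes every matching attribute value, and a logged rename or move replaces it with the new DN. The directory entries and the referint log records are constructed sample data, and DN matching is simplified to a case-insensitive comparison; the real log format is not shown on this page.

```python
import copy

# Attributes covered by the plug-in's default configuration, per the guide.
DEFAULT_ATTRS = ("member", "uniquemember", "owner", "seeAlso", "nsroledn")

def norm_dn(dn):
    # Simplified DN matching (assumption): case-insensitive, RDN spacing ignored.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def apply_referint_log(entries, log, attrs=DEFAULT_ATTRS):
    """Apply logged ops to every configured attribute in place; return values changed."""
    changed = 0
    for op, old_dn, new_dn in log:
        target = norm_dn(old_dn)
        for attributes in entries.values():
            for attr in attrs:
                kept = []
                for value in attributes.get(attr, []):
                    if norm_dn(value) != target:
                        kept.append(value)       # unrelated reference, keep it
                    elif op == "delete":
                        changed += 1             # drop the dangling reference
                    else:                        # "rename" or "move"
                        kept.append(new_dn)      # repoint at the entry's new DN
                        changed += 1
                if attr in attributes:
                    attributes[attr] = kept      # may be empty after a delete
    return changed

# Constructed sample data: two groups and a two-operation referint log.
SAMPLE_ENTRIES = {
    "cn=Admins,ou=Groups,dc=example,dc=com": {
        "uniquemember": ["uid=alice,ou=People,dc=example,dc=com",
                         "uid=bob,ou=People,dc=example,dc=com"],
        "owner": ["uid=alice,ou=People,dc=example,dc=com"],
    },
    "cn=Staff,ou=Groups,dc=example,dc=com": {
        "member": ["UID=Bob, OU=People, DC=example, DC=com"],
    },
}
SAMPLE_LOG = [
    ("delete", "uid=alice,ou=People,dc=example,dc=com", None),
    ("rename", "uid=bob,ou=People,dc=example,dc=com",
     "uid=robert,ou=People,dc=example,dc=com"),
]

def run_sample():
    entries = copy.deepcopy(SAMPLE_ENTRIES)   # keep the module sample pristine
    return apply_referint_log(entries, SAMPLE_LOG), entries
```

Running `run_sample()` removes alice from both `uniquemember` and `owner` and repoints both references to bob at the renamed DN, including the one stored with different case and spacing.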

When the default configuration of the referential integrity plug-in is enabled, it performs integrity updates on the member, uniquemember, owner, seeAlso, and nsroledn attributes immediately after a delete, rename, or move operation. You can, however, configure the behavior of the referential integrity plug-in to suit your own requirements. The following behavior can be configured:

To Configure the Referential Integrity Plug-In


Note – All attributes in all databases that are used by the referential integrity plug-in must be indexed. The indexes need to be created in the configuration of all the databases. When the retro changelog is enabled, the cn=changelog suffix must be indexed. For information, see Chapter 12, Directory Server Indexing.

Certain limitations are associated with using the referential integrity plug-in in a replicated environment. For a list of these limitations, see Replication and Referential Integrity.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Make sure that all replicas are configured and that all replication agreements are defined.

  2. Determine the set of attributes for which you will maintain referential integrity and the update interval that you want to use on your master servers.

  3. Enable the referential integrity plug-in on all master servers using the same set of attributes and the same update interval.

    • To define the attributes for referential integrity, use this command:

      $ dsconf set-server-prop -h host -p port ref-integrity-attr:attribute-name \
        ref-integrity-attr:attribute-name

    • To add a referential integrity attribute to an existing list of attributes, use this command:

      $ dsconf set-server-prop -h host -p port ref-integrity-attr+:attribute-name

    • To define the referential integrity update interval, use this command:

      $ dsconf set-server-prop -h host -p port ref-integrity-check-delay:duration

    • To enable referential integrity, use this command:

      $ dsconf set-server-prop -h host -p port ref-integrity-enabled:on

  4. Ensure that the referential integrity plug-in is disabled on all consumer servers.