Oracle® Internet Directory Administrator's Guide,
10g Release 2 (10.1.2)
B14082-02

7 Attribute Uniqueness in the Directory

This chapter explains attribute uniqueness in Oracle Internet Directory. It contains these topics:

7.1 About Attribute Uniqueness

The attribute uniqueness feature prevents duplication of attribute values, both when adding and modifying them. For example, it prevents you from assigning to a new employee an identifier already assigned to another employee. Instead, the directory server terminates the operation and returns an error message.

You can define attribute uniqueness:

To implement attribute uniqueness, you create an attribute uniqueness constraint entry in which you provide values for the attributes in Table 7-1.

Table 7-1 Attribute Uniqueness Constraint Entry

| Attribute Name | Mandatory? | Valid Value | Default Value | Default Effect |
|---|---|---|---|---|
| orcluniqueattrname | Yes | Any string | N/A | N/A |
| orcluniquescope | No | One of the following: base (searches the root entry only), onelevel (searches one level only), sub (searches the entire directory) | sub | Searches the entire directory |
| orcluniqueenable | No | Either 0 (disable) or 1 (enable) | 0 | Disables attribute uniqueness |
| orcluniquesubtree | No | Any string | " " | Searches the entire directory |
| orcluniqueobjectclass | No | Any string | " " | Searches all object classes |


When you have created the entry and specified the attributes, before it performs an operation, the directory server:

If an operation applies to a monitored attribute, suffix, or object class, and would cause two entries to have the same attribute value, then the directory server terminates the operation and returns a constraint violation error message to the client.


Note:

The attribute uniqueness feature works on indexed attributes only.

7.2 Rules for Creating Attribute Uniqueness

This section describes and gives examples of rules you follow when creating attribute uniqueness constraints. It contains these topics:

To understand the examples in this section, refer to Figure 7-1.

Figure 7-1 Example of a Directory Information Tree


7.2.1 Specifying Multiple Attribute Names in an Attribute Uniqueness Constraint

When multiple attribute uniqueness constraints have different values in orcluniqueattrname, their effects are independent of each other.

For example, suppose that a user defines two attribute uniqueness constraints as follows:

Constraint1:

orcluniqueattrname: employee_id

Constraint2:

orcluniqueattrname: email_id

In this example, Constraint1 and Constraint2 enforce uniqueness on the specified attribute within their own attribute uniqueness scopes. Constraint1 and Constraint2 are independent of each other.

7.2.2 Specifying Multiple Subtrees in an Attribute Uniqueness Constraint

When multiple attribute uniqueness constraints have the same values in orcluniqueattrname, orcluniquescope and orcluniqueobjectclass, but different values in orcluniquesubtree, the union of subtree scopes specified by those attribute uniqueness constraints is checked.

For example, refer to Figure 7-1. Suppose that a user defines two attribute uniqueness constraints as follows:

Constraint1:

orcluniqueattrname: employee_id
orcluniquesubtree: o=sales, c=us, cn=root
orcluniquescope: onelevel

Constraint2:

orcluniqueattrname: employee_id
orcluniquesubtree: o=hr, c=euro, cn=root
orcluniquescope: onelevel

In this example, the attribute uniqueness on employee_id is enforced against all entries under subtree o=sales,c=us,cn=root and o=hr,c=euro,cn=root—that is, the directory server enforces the unique value of the employee_id attribute for employee3, employee4, employee7 and employee8.

7.2.3 Specifying Multiple Scopes in an Attribute Uniqueness Constraint

When multiple attribute uniqueness constraints have the same values in orcluniqueattrname, orcluniquesubtree and orcluniqueobjectclass, but different values in orcluniquescope, the attribute uniqueness constraint with the largest search scope takes effect.

For example, referring to Figure 7-1, suppose that a user defines two attribute uniqueness constraints as follows:

Constraint1:

orcluniqueattrname: employee_id
orcluniquesubtree: c=us, cn=root
orcluniquescope: onelevel

Constraint2:

orcluniqueattrname: employee_id
orcluniquesubtree: c=us, cn=root
orcluniquescope: sub

In this example, the attribute uniqueness on employee_id is enforced against all entries under the subtree c=us,cn=root and the entry c=us,cn=root itself. Note that this is the same as if the user had defined only Constraint2.

7.2.4 Specifying Multiple Object Classes in an Attribute Uniqueness Constraint

When multiple attribute uniqueness constraints have the same values in orcluniqueattrname, orcluniquesubtree, and orcluniquescope, but different values in orcluniqueobjectclass, then the union of attributes belonging to those object classes is checked.

For example, look at Figure 7-1. Suppose that a user defines two attribute uniqueness constraints as follows:

Constraint1:

orcluniqueattrname: employee_id
orcluniquesubtree: c=us, cn=root
orcluniqueobjectclass: person

Constraint2:

orcluniqueattrname: employee_id
orcluniquesubtree: c=us, cn=root

In this example, the attribute uniqueness on employee_id is enforced against all entries under the subtree c=us,cn=root and the entry c=us,cn=root itself, no matter what object class those entries belong to. Note that Constraint2 specifies no orcluniqueobjectclass attribute, which is the same as specifying all object classes.

7.2.5 Specifying Multiple Subtrees, Scopes, and Object Classes in an Attribute Uniqueness Constraint

When multiple attribute uniqueness constraints have the same values in orcluniqueattrname, but different values in orcluniquesubtree, orcluniquescope, and orcluniqueobjectclass, the union of entries that belong to the attribute uniqueness scopes of the different constraints is checked.

For example, referring to Figure 7-1, suppose that a user defines two attribute uniqueness constraints as follows:

Constraint1:

orcluniqueattrname: employee_id
orcluniquesubtree: o=sales, c=us, cn=root
orcluniquescope: onelevel
orcluniqueobjectclass: person
 

Constraint2:

orcluniqueattrname: employee_id
orcluniquesubtree: c=euro, cn=root
orcluniquescope: sub
orcluniqueobjectclass: organization

In this example, the attribute uniqueness on employee_id is enforced against the following:

  • All entries under the subtree o=sales,c=us,cn=root where their object class belongs to person

  • All entries under subtree c=euro,cn=root and the entry c=euro,cn=root itself where their object class belongs to organization
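
The following Python model is an added example, not Oracle code. It evaluates sections 7.2.2 through 7.2.5 by treating constraints on the same attribute as a union of their scopes, which for the examples in this section gives the same result as the largest-scope rule of 7.2.3. Assumptions: the entry DNs are constructed (Figure 7-1 is not reproduced here), DN parsing is naive, and onelevel means the immediate children of the subtree entry.

```python
# Added example: scope rules of sections 7.2.2-7.2.5 as a union of constraints.
# Constraints are dicts keyed by the Table 7-1 attribute names.

def rdns(dn):
    """Split a DN into lowercase RDNs (naive: no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def in_scope(entry_dn, entry_classes, c):
    """True if a single constraint covers the entry."""
    entry, base = rdns(entry_dn), rdns(c.get("orcluniquesubtree", ""))
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                          # not at or below the subtree
    scope = c.get("orcluniquescope", "sub")   # Table 7-1 default
    if scope == "base" and depth != 0:
        return False
    if scope == "onelevel" and depth != 1:    # assumed: immediate children only
        return False
    oc = c.get("orcluniqueobjectclass", "").strip().lower()
    return not oc or oc in {x.lower() for x in entry_classes}

def monitored(entry_dn, entry_classes, attr, constraints):
    """An entry is checked if any constraint on attr covers it."""
    return any(c["orcluniqueattrname"].lower() == attr.lower()
               and in_scope(entry_dn, entry_classes, c) for c in constraints)

# The two constraints from section 7.2.5.
SECTION_7_2_5 = [
    {"orcluniqueattrname": "employee_id", "orcluniquescope": "onelevel",
     "orcluniquesubtree": "o=sales, c=us, cn=root",
     "orcluniqueobjectclass": "person"},
    {"orcluniqueattrname": "employee_id", "orcluniquescope": "sub",
     "orcluniquesubtree": "c=euro, cn=root",
     "orcluniqueobjectclass": "organization"},
]

if __name__ == "__main__":
    # Constructed entries: (DN, object classes)
    for dn, classes in [
        ("cn=employee3,o=sales,c=us,cn=root", ["person"]),
        ("o=hr,c=euro,cn=root", ["organization"]),
        ("cn=employee7,o=hr,c=euro,cn=root", ["person"]),
    ]:
        print(dn, monitored(dn, classes, "employee_id", SECTION_7_2_5))
```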

7.3 Managing Attribute Uniqueness

This section contains these topics:

7.3.1 Location of Attribute Uniqueness Entries

Attribute uniqueness constraint entries are stored under cn=unique,cn=Common,cn=Products,cn=OracleContext.

7.3.2 Managing Attribute Uniqueness by Using Oracle Directory Manager

You can use Oracle Directory Manager to create, modify, and delete attribute uniqueness constraint entries.

7.3.2.1 Creating an Attribute Uniqueness Constraint Entry

  1. In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, and Attribute Uniqueness Management. The Attribute Uniqueness Management window displays a list of existing attribute uniqueness constraint entries in the right pane.

  2. On the toolbar, choose Create. This displays the New Constraint window.

    In the New Constraint dialog box, enter values for the fields. These are described in Table A-8.

  3. Choose OK. This returns you to the Attribute Uniqueness Management window. The entry you just created appears in the list of attribute uniqueness constraint entries.

  4. Choose Apply.

7.3.2.2 Modifying an Attribute Uniqueness Constraint Entry by Using Oracle Directory Manager

To modify an attribute uniqueness constraint entry:

  1. In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, and Attribute Uniqueness Management. The Attribute Uniqueness Management window displays a list of existing attribute uniqueness constraint entries in the right pane.

  2. In the Attribute Uniqueness Management window, select the attribute uniqueness constraint entry you want to modify, then choose Edit. The Attribute Uniqueness Constraint window for that attribute appears.

  3. In the Attribute Uniqueness Constraint window, enter your modifications in the appropriate fields, then choose OK. This returns you to the Attribute Uniqueness Management window.

  4. Choose Apply.

7.3.2.3 Deleting an Attribute Uniqueness Constraint Policy by Using Oracle Directory Manager

To delete an attribute uniqueness constraint policy:

  1. In the navigator pane, expand in succession Oracle Internet Directory Servers, directory server instance, and Attribute Uniqueness Management. The Attribute Uniqueness Management window displays a list of existing attribute uniqueness constraint entries in the right pane.

  2. In the Attribute Uniqueness Management window, select the attribute uniqueness constraint entry you want to delete, then choose Edit. The Attribute Uniqueness Constraint window for this attribute appears.

  3. Choose Delete, then, when prompted, confirm the deletion. This returns you to the Attribute Uniqueness Constraint window. The entry you deleted no longer appears in the list of attribute uniqueness constraint entries.

7.3.3 Managing Attribute Uniqueness by Using Command-Line Tools

This section contains these topics:

7.3.3.1 Enabling and Disabling Attribute Uniqueness by Using Command-Line Tools

You can enable or disable attribute uniqueness for an existing attribute uniqueness constraint entry.

To enable attribute uniqueness for an existing attribute uniqueness constraint entry:

  1. Set the orcluniqueenable attribute to 1 by using ldapmodify.

  2. Restart the directory server to enable the policy.

To disable attribute uniqueness:

  1. Set the orcluniqueenable attribute to 0 by using ldapmodify.

  2. Restart the directory server to disable the policy.

7.3.3.2 Creating Attribute Uniqueness Constraint Entries by Using Command-Line Tools

To enable attribute uniqueness, specify an attribute uniqueness constraint entry with the attributes listed in Table 7-1.

7.3.3.2.1 Creating Attribute Uniqueness Across an Entire Directory by Using Command-Line Tools

To create an instance of attribute uniqueness across an entire directory, specify an attribute name for which you want to enforce value uniqueness.

For example, to make employee identifiers unique for all US employees at MyCompany, you would follow these steps:

  1. Create an attribute uniqueness constraint entry (in LDIF format) as follows:

    dn: cn=constraint1, cn=unique, cn=common, cn=products, cn=oraclecontext
    objectclass: orclUniqueConfig
    orcluniqueattrname: employeenumber
    orcluniquesubtree: o=MyCompany, c=US
    orcluniqueobjectclass: person
    
    
  2. Apply the attribute uniqueness feature by loading the attribute uniqueness constraint entry as follows:

    ldapadd -h host -p port -D DN -w password -f constraint1.dat
    
    
  3. Restart the directory server.

7.3.3.2.2 Creating Attribute Uniqueness Across One Subtree by Using Command-Line Tools

To create an instance of attribute uniqueness across one or more subtrees, specify:

  • An attribute name for which you want to enforce value uniqueness

  • Subtree locations under which you want the uniqueness constraint to be enforced

For example, suppose that MyCompany hosts the directories for SubscriberCompany1 and SubscriberCompany2, and you want to enforce the uniqueness of the employee identifier attribute in SubscriberCompany1 only. When you add an entry such as uid=dlin,ou=people,o=SubscriberCompany1,dc=MyCompany, dc=com, you must enforce uniqueness only in the o=SubscriberCompany1,dc=MyCompany,dc=com subtree. Do this by listing the DN of the subtree explicitly in the attribute uniqueness constraint configuration.

In this case, the LDIF file would look like this:

dn: cn=constraint1, cn=unique, cn=common, cn=products, cn=oraclecontext
objectclass: orclUniqueConfig
orcluniqueattrname: employeenumber
orcluniquesubtree: o=SubscriberCompany1,dc=MyCompany,dc=com

7.3.3.2.3 Creating Attribute Uniqueness Across One Object Class by Using Command-Line Tools

To create an instance of attribute uniqueness across one object class, specify:

  • An attribute name for which you want to enforce value uniqueness

  • Object class name

In this case, the LDIF file would look like this:

dn: cn=constraint1, cn=unique, cn=common, cn=products, cn=oraclecontext
objectclass: orclUniqueConfig
orcluniqueattrname: employeenumber
orcluniqueobjectclass: person
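
A constraint entry can be checked against Table 7-1 before it is loaded with ldapadd. The following Python check is an added example, not an Oracle tool: it flags a missing orcluniqueattrname, attribute names that are not in Table 7-1, invalid scope values, and an entry that is left disabled because orcluniqueenable is 0 or unset. The two LDIF entries are constructed, and the parser assumes unfolded, non-base64 lines.

```python
# Added example: lint a constraint entry against Table 7-1 before loading it.
TABLE_7_1 = {"orcluniqueattrname", "orcluniquescope", "orcluniqueenable",
             "orcluniquesubtree", "orcluniqueobjectclass"}
OTHER = {"dn", "objectclass", "cn"}   # non-constraint attributes accepted here
SCOPES = {"base", "onelevel", "sub"}

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercase name: [values]}."""
    entry = {}
    for line in ldif.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def lint_constraint(ldif):
    """Return a list of findings; an empty list means nothing was flagged."""
    e, findings = parse_entry(ldif), []
    if not any(e.get("orcluniqueattrname", [])):
        findings.append("missing mandatory orcluniqueattrname")
    for name in sorted(set(e) - TABLE_7_1 - OTHER):
        findings.append(f"unknown attribute '{name}' (not in Table 7-1)")
    for v in e.get("orcluniquescope", []):
        if v.lower() not in SCOPES:
            findings.append(f"invalid orcluniquescope '{v}'")
    enable = e.get("orcluniqueenable", ["0"])[-1]   # Table 7-1 default is 0
    if enable not in ("0", "1"):
        findings.append(f"invalid orcluniqueenable '{enable}'")
    elif enable == "0":
        findings.append("orcluniqueenable is 0 or unset: uniqueness is disabled")
    return findings

# Constructed entries: BAD has a misspelled attribute name and a bad scope.
HEADER = ("dn: cn=constraint1, cn=unique, cn=common, cn=products, cn=oraclecontext\n"
          "objectclass: orclUniqueConfig\n"
          "orcluniqueattrname: employeenumber\n")
BAD = HEADER + "orcluniquescope: subtree\norcleuniqueobjectclass: person\n"
GOOD = HEADER + ("orcluniquescope: sub\norcluniqueobjectclass: person\n"
                 "orcluniqueenable: 1\n")

if __name__ == "__main__":
    for label, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, lint_constraint(text))
```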

7.3.3.3 Modifying Attribute Uniqueness Constraint Entries by Using Command-Line Tools

To modify an attribute uniqueness entry, create an LDIF file for the entry, then use ldapmodify to upload it into the directory.

For example, suppose there is an existing attribute uniqueness constraint entry:

dn: cn=constraint1, cn=unique, cn=common, cn=products, cn=oraclecontext
objectclass: orclUniqueConfig
orcluniqueattrname: employeenumber
orcluniquesubtree: o=MyCompany, c=US
orcluniqueobjectclass: person

To enforce the constraint against c=US, instead of o=MyCompany, you would perform these steps:

  1. Create an LDIF entry to change the orcluniquesubtree:

    dn: cn=constraint1, cn=unique, cn=common, cn=products, cn=oraclecontext
    changetype: modify
    replace: orcluniquesubtree
    orcluniquesubtree: c=US
    
    
  2. Use ldapmodify to apply the change to the directory server.

    ldapmodify -p port -D user -w password -f file_name
    
    
  3. Restart the directory server to effect this change.

7.3.3.4 Deleting Attribute Uniqueness Constraint Entries by Using Command-Line Tools

Use the ldapdelete command-line tool to delete an attribute uniqueness constraint policy.

  1. Remove the attribute uniqueness constraint entry from the directory by using ldapdelete.

    ldapdelete -p port -D bind_DN -w password \
      "cn=constraint1,cn=unique,cn=common,cn=products,cn=oraclecontext"
    
    
  2. Restart the directory server to effect this change.

7.4 Limitations of Attribute Uniqueness in Oracle Internet Directory 10g Release 2 (10.1.2)

When an attribute uniqueness constraint is present in the Oracle Internet Directory replication environment, be careful about configuring the attribute uniqueness constraints on each server. This section contains these topics:

Simple Replication Scenario

Because all modifications by client applications are performed on the supplier server, the attribute uniqueness constraint should be enabled on that server. It is not necessary to enable the attribute uniqueness constraint on the consumer server. Enabling the attribute uniqueness constraint on the consumer server does not prevent the directory server from operating correctly, but it can cause a performance degradation.

Multimaster Replication Scenario

In a multimaster replication scenario, nodes serve as both suppliers and consumers of the same replica. Multimaster replication uses a loosely consistent replication model.

Enabling an attribute uniqueness constraint on one of the servers does not ensure that attribute values are unique across both masters at any given time. Enabling an attribute uniqueness constraint on only one server can cause inconsistencies in the data held on each replica.

The attribute uniqueness constraint must be enabled on both masters. However, there may still be an inconsistent state. For example, entries on each of the two masters can be successfully modified to hold the same attribute value. When the changes are later replicated to the other node, the conflict becomes apparent. You must take this type of conflict resolution into consideration as well, deciding whether conflict resolution should be the replication server's responsibility.
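
The multimaster case described above can be reproduced with a toy model. The following Python code is an added example, not Oracle Internet Directory's replication logic: each master runs its uniqueness check only against its own data, so both accept the same value and the conflict appears only when the change logs are exchanged. The Master class, the uid=jdoe entry and the value 1001 are constructed for the illustration.

```python
# Added example: toy model of two masters that each enforce uniqueness locally.
# It only shows where the conflict surfaces; it does not resolve it.

class Master:
    def __init__(self, name):
        self.name = name
        self.entries = {}      # DN -> value of the unique attribute
        self.changelog = []    # client writes waiting to be replicated

    def holder(self, value, except_dn):
        """DN of another entry that already holds value, or None."""
        return next((dn for dn, v in self.entries.items()
                     if v == value and dn != except_dn), None)

    def client_modify(self, dn, value):
        """Client write: the local uniqueness check runs before the operation."""
        if self.holder(value, dn) is not None:
            raise ValueError("constraint violation")
        self.entries[dn] = value
        self.changelog.append((dn, value))

    def apply_replicated(self, changes):
        """Apply a peer's changes; return the conflicts that become apparent."""
        conflicts = []
        for dn, value in changes:
            other = self.holder(value, dn)
            if other is not None:
                conflicts.append((value, dn, other))  # resolution is a site decision
                continue
            self.entries[dn] = value
        return conflicts

DLIN = "uid=dlin,ou=people,o=SubscriberCompany1,dc=MyCompany,dc=com"
JDOE = "uid=jdoe,ou=people,o=SubscriberCompany1,dc=MyCompany,dc=com"  # constructed

def demo():
    """Both writes succeed locally; each master reports a conflict on replication."""
    a, b = Master("A"), Master("B")
    a.client_modify(DLIN, "1001")
    b.client_modify(JDOE, "1001")     # accepted: B has not yet seen A's write
    return a.apply_replicated(b.changelog), b.apply_replicated(a.changelog)

if __name__ == "__main__":
    print(demo())
```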