When the referential integrity plug-in is enabled it performs integrity updates on specified attributes immediately after a delete, rename, or move operation. By default, the referential integrity plug-in is disabled.
Whenever you delete, rename, or move a user or group entry in the directory, the operation is logged to the referential integrity log file:
instance-path/logs/referint
After a specified time, known as the update interval, the server performs a search on all attributes for which referential integrity is enabled, and matches the entries resulting from that search with the DNs of deleted or modified entries present in the log file. If the log file shows that the entry was deleted, the corresponding attribute is deleted. If the log file shows that the entry was changed, the corresponding attribute value is modified accordingly.
When the default configuration of the referential integrity plug-in is enabled, it performs integrity updates on the member, uniquemember, owner, seeAlso, and nsroledn attributes immediately after a delete, rename, or move operation. You can, however, configure the behavior of the referential integrity plug-in to suit your own requirements. The following behavior can be configured:
Record referential integrity updates in a different file.
Modify the update interval.
If you want to reduce the impact that referential integrity updates has on your system, you might want to increase the amount of time between updates.
Select the attributes to which you apply referential integrity.
If you use or define attributes containing DN values, you might want the referential integrity plug-in to monitor them.