On Wed, Jun 20, 2012 at 06:43:22PM +0200, Michael Ströder wrote:
> Jan Beerden wrote:
> > Is there a way to have a unique constraint over multiple attributes? We have
> > different attributes for the primary email address of a person, and for
> > additional aliases, and we'd like to enforce global uniqueness in such a way
> > that the primary email address for one person can not be used as an email
> > alias for another person.
> >
> > The slapo-unique manpage doesn't make this very clear.
>
> You can simply specify multiple attrs.
>
> unique_uri "ldap:///o=myorg?uid,uidNumber?sub?(objectClass=*)"

That will not have the effect that is required in this case.
Each attribute listed in the unique_uri is enforced separately,
so in the example above, all uid values would be unique, and all
uidNumber values would be unique, but it would be quite possible
to have a uid in one entry the same as the uidNumber in a different
one.

To achieve what Jan wants, I would consider requiring the primary
email address to also be listed as one of the aliases. A uniqueness
constraint like this would then protect against one entry hijacking
the address of another:

overlay unique
unique_uri "ldap:///o=myorg?primaryMail,aliasMail?sub?(objectClass=mailUser)"

The requirement for the primaryMail value to also appear as an
aliasMail value could be enforced using the constraint overlay
with the 'set' mechanism, something like:

overlay constraint
constraint_attribute primaryMail,aliasMail
	set "this/primaryMail & this/aliasMail"
	restrict="ldap:///o=myorg??sub?(objectClass=mailUser)"

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
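
The following audit sketch is an added example, not part of the message above and not OpenLDAP code. It models the per-attribute enforcement described in the message over constructed entries, showing that an alias matching another entry's primaryMail passes the per-attribute check until every primaryMail is also listed as an aliasMail. The DNs, addresses, function names and case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample data: DNs and addresses are made up; primaryMail and
# aliasMail are the attribute names used in the message above.
ENTRIES = {
    "uid=alice,o=myorg": {"primaryMail": ["alice@example.org"],
                          "aliasMail": ["alice@example.org", "a.smith@example.org"]},
    # carol's primary address is not repeated among her aliases
    "uid=carol,o=myorg": {"primaryMail": ["carol@example.org"],
                          "aliasMail": ["c.jones@example.org"]},
    # mallory lists carol's primary address as an alias
    "uid=mallory,o=myorg": {"primaryMail": ["mallory@example.org"],
                            "aliasMail": ["mallory@example.org", "Carol@Example.org"]},
}
ATTRS = ("primaryMail", "aliasMail")

def norm(value):
    # Assumption: both attributes use case-insensitive matching.
    return value.strip().lower()

def duplicates(entries, attrs, per_attribute):
    """Values held by more than one entry. per_attribute=True models the
    separate per-attribute enforcement described above; False pools attrs."""
    owners = defaultdict(set)
    for dn, entry in entries.items():
        for attr in attrs:
            for value in entry.get(attr, []):
                key = (attr if per_attribute else "*", norm(value))
                owners[key].add(dn)
    return sorted((a, v, sorted(d)) for (a, v), d in owners.items() if len(d) > 1)

def primary_not_in_alias(entries):
    """Entries that break the rule 'primaryMail must also be an aliasMail'."""
    return sorted(dn for dn, e in entries.items()
                  if not {norm(v) for v in e.get("primaryMail", [])}
                  <= {norm(v) for v in e.get("aliasMail", [])})

def with_primary_as_alias(entries):
    """Copy of the data with every primaryMail value also listed as aliasMail."""
    return {dn: {**e, "aliasMail": sorted({norm(v) for a in ATTRS for v in e.get(a, [])})}
            for dn, e in entries.items()}

if __name__ == "__main__":
    print("per-attribute check:", duplicates(ENTRIES, ATTRS, True))
    print("pooled check:       ", duplicates(ENTRIES, ATTRS, False))
    print("rule violations:    ", primary_not_in_alias(ENTRIES))
    print("after repair:       ", duplicates(with_primary_as_alias(ENTRIES), ATTRS, True))
```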