| |
slapo-constraint(5) - phpMan
SLAPO-CONSTRAINT(5) File Formats Manual SLAPO-CONSTRAINT(5)
NAME
slapo-constraint - Attribute Constraint Overlay to slapd
SYNOPSIS
/etc/ldap/slapd.conf
DESCRIPTION
The constraint overlay is used to ensure that attribute values match some constraints
beyond basic LDAP syntax. Attributes can have multiple constraints placed upon them, and
all must be satisfied when modifying an attribute value under constraint.
This overlay is intended to be used to force syntactic regularity upon certain string rep‐
resented data which have well known canonical forms, like telephone numbers, post codes,
FQDNs, etc.
It constrains only LDAP add, modify and rename commands and only seeks to control the add
and replace values of modify and rename requests.
No constraints are applied for operations performed with the relax control set.
CONFIGURATION
This slapd.conf option applies to the constraint overlay. It should appear after the
overlay directive.
constraint_attribute <attribute_name>[,...] <type> <value> [<extra> [...]]
Specifies the constraint which should apply to the comma-separated attribute list
named as the first parameter. Five types of constraint are currently supported -
regex, size, count, uri, and set.
The parameter following the regex type is a Unix style regular expression (See
regex(7) ). The parameter following the uri type is an LDAP URI. The URI will be
evaluated using an internal search. It must not include a hostname, and it must
include a list of attributes to evaluate.
The parameter following the set type is a string that is interpreted according to
the syntax in use for ACL sets. This allows to construct constraints based on the
contents of the entry.
The size type can be used to enforce a limit on an attribute length, and the count
type limits the number of values of an attribute.
Extra parameters can occur in any order after those described above.
<extra> : restrict=<uri>
This extra parameter allows to restrict the application of the corresponding con‐
straint only to entries that match the base, scope and filter portions of the LDAP
URI. The base, if present, must be within the naming context of the database. The
scope is only used when the base is present; it defaults to base. The other param‐
eters of the URI are not allowed.
Any attempt to add or modify an attribute named as part of the constraint overlay specifi‐
cation which does not fit the constraint listed will fail with a LDAP_CONSTRAINT_VIOLATION
error.
EXAMPLES
overlay constraint
constraint_attribute jpegPhoto size 131072
constraint_attribute userPassword count 3
constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
constraint_attribute title uri
ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
constraint_attribute cn,sn,givenName set
"(this/givenName + [ ] + this/sn) & this/cn"
restrict="ldap:///ou=People,dc=example,dc=com??sub?(objectClass=inetOrgPerson)"
A specification like the above would reject any mail attribute which did not look like
<alpha-numeric string>@mydomain.com. It would also reject any title attribute whose val‐
ues were not listed in the title attribute of any titleCatalog entries in the given scope.
(Note that the "dc=catalog,dc=example,dc=com" subtree ought to reside in a separate data‐
base, otherwise the initial set of titleCatalog entries could not be populated while the
constraint is in effect.) Finally, it requires the values of the attribute cn to be con‐
structed by pairing values of the attributes sn and givenName, separated by a space, but
only for entries derived from the objectClass inetOrgPerson.
FILES
/etc/ldap/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd-config(5),
ACKNOWLEDGEMENTS
This module was written in 2005 by Neil Dunbar of Hewlett-Packard and subsequently
extended by Howard Chu and Emmanuel Dreyfus. OpenLDAP Software is developed and main‐
tained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived
from University of Michigan LDAP 3.3 Release.
OpenLDAP 2014/09/20 SLAPO-CONSTRAINT(5)
|
