Referential Integrity Overlay
In X.500 directory services, an object is identified by its distinguished name (DN). However, DNs are not stable identifiers. That is, a new object may be identified by a DN which previously identified another (now renamed or deleted) object.
The Solution
When implementing a directory where entries reference other entries by their DN, it is necessary to update these references as the referenced entries are modified. The referential integrity overlay ensures that DN references are kept up to date as modifications occur. The modular nature of overlays allows this functionality to be implemented for a particular directory regardless of its underlying backend database.
Consider the manager attribute, for example: if the manager’s entry is removed from the directory, every instance of the manager attribute that refers to that entry should also be removed, or the attribute quickly becomes meaningless.
Typical Configuration
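# Load the hdb backend and the referential integrity overlay
modulepath /opt/symas/lib/openldap
moduleload back_hdb.la
moduleload refint.la

database hdb
cachesize 10000
suffix "dc=symas,dc=com"
rootdn "cn=Manager,dc=symas,dc=com"
# Cleartext here for illustration; slappasswd generates a hashed value
rootpw ashcroft

index default eq
index objectClass,uid,dc,o,ou
# Index the attributes that refint has to search
index member,owner,seeAlso

# Keep DN-valued member, owner and seeAlso references consistent
overlay refint
refint_attributes member owner seeAlso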
Here, the directory “dc=symas,dc=com” has been configured with referential integrity checking for the attributes “member”, “owner” and “seeAlso”. When a modification (specifically, a modrdn or delete operation) is performed on this directory, entries using these attributes to refer to the modified entry will be updated to match, so that the directory remains consistent.
Note: Indexing the attributes defined by refint_attributes is highly advised.
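As an added example (not part of the original page or of OpenLDAP), the following Python audit scans an LDIF export for member, owner and seeAlso values that point at DNs with no entry in the export, which is the stale-reference condition the overlay prevents and the one that lets a later entry with a reused DN inherit old references. The sample LDIF is constructed, and DN comparison is simplified (no escaped commas or multi-valued RDNs).

```python
import base64
import re

REFINT_ATTRS = {"member", "owner", "seealso"}  # the page's refint_attributes, lower-cased

# Constructed sample export: uid=bob was deleted, but the group still lists him.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=symas,dc=com
objectClass: inetOrgPerson
uid: alice

dn: cn=admins,ou=Groups,dc=symas,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=symas,dc=com
member: uid=bob,ou=People,dc=symas,dc=com
owner: UID=Alice, OU=People, DC=symas, DC=com
"""

def normalize_dn(dn):
    """Simplified DN matching (assumption): lower-case and drop spaces
    around ',', '=' and '+'. Escaped separators are not handled."""
    return re.sub(r"\s*([,=+])\s*", r"\1", dn.strip().lower())

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; handles folded lines and base64 values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        pairs = []
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            pairs.append((attr.strip().lower(), value.strip()))
        if pairs and pairs[0][0] == "dn":
            entries.append((pairs[0][1], pairs[1:]))
    return entries

def dangling_references(text, attrs=REFINT_ATTRS):
    """List (entry DN, attribute, referenced DN) where the target is absent."""
    entries = parse_ldif(text)
    known = {normalize_dn(dn) for dn, _ in entries}
    return [(dn, attr, value) for dn, pairs in entries for attr, value in pairs
            if attr in attrs and normalize_dn(value) not in known]

if __name__ == "__main__":
    for dn, attr, target in dangling_references(SAMPLE_LDIF):
        print(f"{dn}: {attr} -> {target} (no such entry)")
```

The export must cover the whole suffix; references to entries outside the exported subtree are reported as dangling.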
