OpenLDAP TechTip:
Referential Integrity Overlay
James Ozone,
Symas Corporation,
December 10th 2004
Abstract
In X.500 directory services, an object is identified by its
distinguished name (DN). However, DNs are not stable identifiers. That
is, a new object may be identified by a DN which previously identified
another (now renamed or deleted) object.
The Solution
When implementing a directory where entries reference other entries
by their DN, it is necessary to update these references as the
referenced entries are modified. The referential integrity overlay
ensures that DN references are kept up to date as modifications occur.
The modular nature of overlays allows this functionality to be implemented
for a particular directory regardless of its underlying backend database.
Take the manager attribute as an example: if the manager's entry is removed
from the directory, every instance of the manager attribute that refers to
that entry should also be removed. Otherwise the attribute quickly becomes
meaningless or, since DNs can be reused, ends up referring to a different object.
Typical Configuration
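# Load the hdb backend and the referential integrity overlay as modules
modulepath /opt/symas/lib/openldap
moduleload back_hdb.la
moduleload refint.la
database hdb
cachesize 10000
suffix "dc=symas,dc=com"
rootdn "cn=Manager,dc=symas,dc=com"
# Cleartext rootpw as in this example; slappasswd generates a hashed value to use instead
rootpw ashcroft
index default eq
index objectClass,uid,dc,o,ou
index member,owner,seeAlso
# The overlay applies to the database declared above
overlay refint
# refint_attributes takes a whitespace-separated list of attributes
refint_attributes member owner seeAlso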
Here, the directory "dc=symas,dc=com" has been configured with referential
integrity checking for the attributes "member", "owner" and "seeAlso".
When a modification (specifically, a modrdn or delete operation) is performed
on this directory, entries using these attributes to refer to the modified
entry will be updated to match, so that the directory remains consistent.
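The overlay acts when a modrdn or delete is performed, so references that were already stale when it was enabled can be looked for separately. The following is an added example, not part of the original TechTip or of OpenLDAP: it scans an LDIF export (assumed to come from a tool such as slapcat) for member, owner and seeAlso values that name no existing entry. The sample entries, the function names and the simplified DN normalisation are assumptions made for the example.

```python
import base64

REF_ATTRS = {"member", "owner", "seealso"}  # refint_attributes from this page, lowercased

# Constructed sample export in LDIF form; the entries are invented for this example.
CAROL_B64 = base64.b64encode(b"cn=Carol,ou=People,dc=symas,dc=com").decode()
SAMPLE_LDIF = f"""dn: cn=Alice,ou=People,dc=symas,dc=com
objectClass: person
cn: Alice

dn: cn=Admins,ou=Groups,dc=symas,dc=com
objectClass: groupOfNames
cn: Admins
member: CN=alice, OU=People, DC=symas, DC=com
member: cn=Bob,ou=People,dc=symas,
 dc=com
owner:: {CAROL_B64}
"""

def norm_dn(dn):
    # Simplified DN normalisation (assumes no escaped commas in RDN values).
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per record; handles folded and base64 lines."""
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = []
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")  # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            attrs.append((name.lower(), value))
        if attrs and attrs[0][0] == "dn":
            yield attrs[0][1], attrs[1:]

def dangling_refs(text):
    """Return sorted (referrer, attr, target) triples whose target DN has no entry."""
    entries = list(parse_ldif(text))
    known = {norm_dn(dn) for dn, _ in entries}
    return sorted((norm_dn(dn), attr, norm_dn(val))
                  for dn, attrs in entries for attr, val in attrs
                  if attr in REF_ATTRS and norm_dn(val) not in known)

if __name__ == "__main__":
    for referrer, attr, target in dangling_refs(SAMPLE_LDIF):
        print(f"{referrer}: {attr} -> {target} (no such entry)")
```

Each triple it reports is a reference that a later entry created under the same DN would silently inherit.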