2006-04-29 18:03:36 +08:00
|
|
|
.TH SLAPO-CONSTRAINT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
|
|
|
.\" Copyright 2005-2006 Hewlett-Packard Company
|
2012-01-01 23:07:45 +08:00
|
|
|
.\" Copyright 2006-2012 The OpenLDAP Foundation All Rights Reserved.
|
2006-04-29 18:03:36 +08:00
|
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
2007-12-15 19:12:56 +08:00
|
|
|
.\" $OpenLDAP$
|
2006-04-29 18:03:36 +08:00
|
|
|
.SH NAME
|
2009-06-03 08:43:44 +08:00
|
|
|
slapo\-constraint \- Attribute Constraint Overlay to slapd
|
2006-04-29 18:03:36 +08:00
|
|
|
.SH SYNOPSIS
|
|
|
|
ETCDIR/slapd.conf
|
|
|
|
.SH DESCRIPTION
|
2007-12-15 19:12:56 +08:00
|
|
|
The constraint overlay is used to ensure that attribute values match
|
|
|
|
some constraints beyond basic LDAP syntax. Attributes can
|
2006-04-29 18:03:36 +08:00
|
|
|
have multiple constraints placed upon them, and all must be satisfied
|
|
|
|
when modifying an attribute value under constraint.
|
|
|
|
.LP
|
|
|
|
This overlay is intended to be used to force syntactic regularity upon
|
|
|
|
certain string represented data which have well known canonical forms,
|
|
|
|
like telephone numbers, post codes, FQDNs, etc.
|
2008-02-08 07:21:18 +08:00
|
|
|
.LP
|
2008-09-19 05:09:49 +08:00
|
|
|
It constrains only LDAP \fIadd\fP, \fImodify\fP and \fIrename\fP commands
|
|
|
|
and only seeks to control the \fIadd\fP and \fIreplace\fP values
|
|
|
|
of \fImodify\fP and \fIrename\fP requests.
|
2008-09-19 05:12:13 +08:00
|
|
|
.LP
|
|
|
|
No constraints are applied for operations performed with the
|
|
|
|
.I relax
|
|
|
|
control set.
|
2006-04-29 18:03:36 +08:00
|
|
|
.SH CONFIGURATION
|
|
|
|
This
|
|
|
|
.B slapd.conf
|
|
|
|
option applies to the constraint overlay.
|
|
|
|
It should appear after the
|
|
|
|
.B overlay
|
|
|
|
directive.
|
|
|
|
.TP
|
2008-09-18 04:59:58 +08:00
|
|
|
.B constraint_attribute <attribute_name>[,...] <type> <value> [<extra> [...]]
|
|
|
|
Specifies the constraint which should apply to the comma-separated
|
|
|
|
attribute list named as the first parameter.
|
2009-06-03 08:18:42 +08:00
|
|
|
Five types of constraint are currently supported -
|
2008-09-17 08:40:18 +08:00
|
|
|
.BR regex ,
|
|
|
|
.BR size ,
|
|
|
|
.BR count ,
|
|
|
|
.BR uri ,
|
2007-12-15 19:12:56 +08:00
|
|
|
and
|
2008-09-17 08:40:18 +08:00
|
|
|
.BR set .
|
2007-12-15 19:12:56 +08:00
|
|
|
|
2006-04-29 18:03:36 +08:00
|
|
|
The parameter following the
|
2007-12-15 19:12:56 +08:00
|
|
|
.B regex
|
2006-04-29 18:03:36 +08:00
|
|
|
type is a Unix style regular expression (See
|
2007-12-15 19:12:56 +08:00
|
|
|
.BR regex (7)
|
|
|
|
). The parameter following the
|
|
|
|
.B uri
|
|
|
|
type is an LDAP URI. The URI will be evaluated using an internal search.
|
|
|
|
It must not include a hostname, and it must include a list of attributes
|
|
|
|
to evaluate.
|
2006-04-29 18:03:36 +08:00
|
|
|
|
2008-09-17 08:40:18 +08:00
|
|
|
The parameter following the
|
|
|
|
.B set
|
|
|
|
type is a string that is interpreted according to the syntax in use
|
|
|
|
for ACL sets. This allows to construct constraints based on the contents
|
|
|
|
of the entry.
|
|
|
|
|
2008-05-09 20:59:16 +08:00
|
|
|
The
|
|
|
|
.B size
|
2008-09-17 05:38:12 +08:00
|
|
|
type can be used to enforce a limit on an attribute length, and the
|
2008-05-09 20:59:16 +08:00
|
|
|
.B count
|
2008-09-17 05:38:12 +08:00
|
|
|
type limits the number of values of an attribute.
|
2008-05-09 20:59:16 +08:00
|
|
|
|
2008-09-18 04:59:58 +08:00
|
|
|
Extra parameters can occur in any order after those described above.
|
|
|
|
.RS
|
|
|
|
.TP
|
|
|
|
.B <extra> : restrict=<uri>
|
|
|
|
.RE
|
|
|
|
|
|
|
|
.RS
|
|
|
|
This extra parameter allows to restrict the application of the corresponding
|
|
|
|
constraint only to entries that match the
|
|
|
|
.IR base ,
|
|
|
|
.I scope
|
|
|
|
and
|
|
|
|
.I filter
|
|
|
|
portions of the LDAP URI.
|
|
|
|
The
|
|
|
|
.IR base ,
|
|
|
|
if present, must be within the naming context of the database.
|
|
|
|
The
|
|
|
|
.I scope
|
|
|
|
is only used when the
|
|
|
|
.I base
|
|
|
|
is present; it defaults to
|
|
|
|
.BR base .
|
|
|
|
The other parameters of the URI are not allowed.
|
|
|
|
.RE
|
|
|
|
|
|
|
|
.LP
|
2006-04-29 18:03:36 +08:00
|
|
|
Any attempt to add or modify an attribute named as part of the
|
2007-12-15 19:12:56 +08:00
|
|
|
constraint overlay specification which does not fit the
|
|
|
|
constraint listed will fail with a
|
2006-04-29 18:03:36 +08:00
|
|
|
LDAP_CONSTRAINT_VIOLATION error.
|
|
|
|
.SH EXAMPLES
|
2007-12-15 19:12:56 +08:00
|
|
|
.LP
|
|
|
|
.RS
|
|
|
|
.nf
|
|
|
|
overlay constraint
|
2008-05-09 20:59:16 +08:00
|
|
|
constraint_attribute jpegPhoto size 131072
|
|
|
|
constraint_attribute userPassword count 3
|
2009-01-20 04:39:45 +08:00
|
|
|
constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
|
2007-12-15 19:12:56 +08:00
|
|
|
constraint_attribute title uri
|
|
|
|
ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
|
2008-09-17 08:40:18 +08:00
|
|
|
constraint_attribute cn,sn,givenName set
|
|
|
|
"(this/givenName + [ ] + this/sn) & this/cn"
|
2008-09-18 05:11:38 +08:00
|
|
|
restrict="ldap:///ou=People,dc=example,dc=com??sub?(objectClass=inetOrgPerson)"
|
2007-12-15 19:12:56 +08:00
|
|
|
.fi
|
2006-04-29 18:03:36 +08:00
|
|
|
|
2008-09-17 08:40:18 +08:00
|
|
|
.RE
|
2006-04-29 18:03:36 +08:00
|
|
|
A specification like the above would reject any
|
2007-12-15 19:12:56 +08:00
|
|
|
.B mail
|
2006-04-29 18:03:36 +08:00
|
|
|
attribute which did not look like
|
2008-07-13 00:03:31 +08:00
|
|
|
.BR "<alpha-numeric string>@mydomain.com" .
|
2007-12-15 19:12:56 +08:00
|
|
|
It would also reject any
|
|
|
|
.B title
|
|
|
|
attribute whose values were not listed in the
|
|
|
|
.B title
|
|
|
|
attribute of any
|
|
|
|
.B titleCatalog
|
2009-06-03 08:18:42 +08:00
|
|
|
entries in the given scope. (Note that the
|
|
|
|
"dc=catalog,dc=example,dc=com" subtree ought to reside
|
|
|
|
in a separate database, otherwise the initial set of
|
|
|
|
titleCatalog entries could not be populated while the
|
|
|
|
constraint is in effect.)
|
2008-09-17 08:40:18 +08:00
|
|
|
Finally, it requires the values of the attribute
|
|
|
|
.B cn
|
|
|
|
to be constructed by pairing values of the attributes
|
|
|
|
.B sn
|
|
|
|
and
|
|
|
|
.BR givenName ,
|
2008-09-18 04:59:58 +08:00
|
|
|
separated by a space, but only for entries derived from the objectClass
|
2008-09-18 05:11:38 +08:00
|
|
|
.BR inetOrgPerson .
|
2007-12-15 19:12:56 +08:00
|
|
|
.RE
|
2006-04-29 18:03:36 +08:00
|
|
|
.SH FILES
|
|
|
|
.TP
|
|
|
|
ETCDIR/slapd.conf
|
|
|
|
default slapd configuration file
|
|
|
|
.SH SEE ALSO
|
2009-01-30 08:23:58 +08:00
|
|
|
.BR slapd.conf (5),
|
|
|
|
.BR slapd\-config (5),
|
2007-12-15 19:12:56 +08:00
|
|
|
.SH ACKNOWLEDGEMENTS
|
|
|
|
This module was written in 2005 by Neil Dunbar of Hewlett-Packard and subsequently
|
|
|
|
extended by Howard Chu and Emmanuel Dreyfus.
|
|
|
|
.so ../Project
|