PingDirectory

Working with the Unique Attribute plugin

The Unique Attribute plugin enforces uniqueness constraints on the values of one or more attributes across a portion of the PingDirectory server. The plugin checks for uniqueness before an add, modify, or modify distinguished name (DN) request and instructs the server to reject the request if a constraint violation is found.

About this task

By default, the plugin is disabled because it can affect performance in heavy write load environments. After the plugin is enabled, it does not check for attribute uniqueness on existing entries, only on new ADD, MODIFY, or MODDN operations. To ensure that no such conflicts exist in the data, administrators can use the identify-unique-attribute-conflicts command.
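The check for pre-existing conflicts described above, sketched as an added example (not PingDirectory code and not a substitute for identify-unique-attribute-conflicts): it scans an LDIF export for values of one attribute held by more than one entry under a base DN. The sample LDIF, the function names, and the simplified case-insensitive value matching are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample export (not data from the page): one base64 value, one folded DN.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe

dn: cn=Jane Doe,ou=Contractors,
 dc=example,dc=com
uid:: SkRvZQ==
uid: jane

dn: uid=jdoe,ou=Archive,dc=example,dc=org
uid: jdoe
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry, undoing line folding and base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            # "attr:: value" marks a base64-encoded value
            value = (base64.b64decode(rest[1:]).decode("utf-8", "replace")
                     if rest.startswith(":") else rest).strip()
            attrs[name.lower()].append(value)
        if attrs["dn"]:
            yield attrs["dn"][0], attrs

def find_conflicts(text, attribute, base_dn):
    """Return {normalized value: [DNs]} for values held by 2+ entries under base_dn."""
    holders = defaultdict(set)
    suffix = base_dn.lower().replace(" ", "")
    for dn, attrs in parse_ldif(text):
        norm_dn = dn.lower().replace(" ", "")
        if norm_dn != suffix and not norm_dn.endswith("," + suffix):
            continue  # outside the subtree being audited
        for value in attrs.get(attribute.lower(), []):
            # Assumption: case-insensitive match, whitespace collapsed (simplified).
            holders[" ".join(value.lower().split())].add(dn)
    return {v: sorted(dns) for v, dns in holders.items() if len(dns) > 1}

if __name__ == "__main__":
    for value, dns in find_conflicts(SAMPLE_LDIF, "uid", "dc=example,dc=com").items():
        print(f"{value!r} appears in: {dns}")
```

The base64 value decodes to `JDoe`, which collides with `jdoe` only after normalization, and the `dc=org` entry is ignored because it lies outside the audited subtree.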

Ensure that every attribute for which uniqueness is enforced is indexed for equality in all backends. To enforce uniqueness on a per-request basis, use the LDAP SDK uniqueness request control. For more information about using the control, see the LDAP SDK documentation and the com.unboundid.ldap.sdk.unboundidds.controls.UniquenessResponseControl class in Use the server SDK and LDAP SDK. To implement support for the control in other APIs, see the ASN.1 specification.

You can enforce attribute uniqueness in replicated environments in which each replica contains the complete set of data for which to provide uniqueness, regardless of whether clients communicate directly with the server or interact with it through a PingDirectoryProxy server. In such environments, all servers have identical uniqueness configurations.

It is not possible to prevent conflicts that arise from simultaneous writes on separate replicas. However, such conflicts are detected after the changes have been replicated, and they then trigger administrative alert notifications.

For proxied environments that do not have the complete set of data on all servers, such as environments that use entry balancing or that store different portions of the DIT on different servers, implement the Global Uniqueness Attribute plugin on the PingDirectoryProxy server instead of enabling the attribute uniqueness plugin on the PingDirectory server. For more information, see the PingDirectory Server Administration Guide and the PingDirectoryProxy Server Administration Guide.

To enable the Unique Attribute plugin:

Steps

  1. Determine which attributes must be unique in your data.

  2. To enable the plugin, run the dsconfig tool.

    By default, the plugin-type property is set to postsynchronizationadd, postsynchronizationmodify, postsynchronizationmodifydn, preoperationadd, preoperationmodify, and preoperationmodifydn.

    Example:

    The following example checks for attribute uniqueness before an ADD operation using the --set plugin-type:preoperationadd option.

    $ bin/dsconfig set-plugin-prop --plugin-name "UID Unique Attribute" \
      --set enabled:true \
      --set plugin-type:preoperationadd

    1. If you want to set one plugin type, use the --set plugin-type:<operation-type> option.