Configuring the Global Referential Integrity plugin
PingDirectoryProxy supports a global referential integrity plugin mechanism that maintains distinguished name (DN) references from a specified set of attributes to entries that exist in the server, such as between the members values of a static group and the corresponding user entries.
The plugin intercepts delete
and modifyDN
operations and updates any references to the target entry. For a delete
operation, any references to the target entry are removed. For modifyDN
operations, any references to the target entry are updated to reflect the new DN of the entry.
The plugin is similar to the Directory Server Referential Integrity plugin but does not have an asynchronous mode. When enabled on the PingDirectoryProxy server, the client response is delayed until the referential integrity processing is complete.
For PingDirectoryProxy server deployments not using entry balancing and using directory server external servers, use the Referential Integrity plugin on the directory server.
An equality index must be defined on all attributes referenced within the Global Referential Integrity plugin across all external servers. |
Sample Global Referential Integrity plugin
Steps
-
To configure the Global Referential Integrity plugin, run
dsconfig
with thecreate-plugin
option.Any attributes for which referential integrity should be maintained should have values that are DNs and should be indexed for equality in all backend servers.
Example:
In this example, the plugin ensures that the
member
,uniqueMember
, andmanager
attributes maintain their DN references in the defined subtree views.$ bin/dsconfig create-plugin \ --plugin-name "Global Referential Integrity" \ --type global-referential-integrity \ --set "enabled:true" \ --set "attribute-type:member" \ --set "attribute-type:uniqueMember" \ --set "attribute-type:manager" \ --set "subtree-view:employee-view" \ --set "subtree-view:groups-view"