Configuring globally unique attributes

The PingDirectoryProxy server supports a globally unique attribute plugin that prevents any value within a defined set of attributes to appear more than once in any entry for one or more subtree views.

Administrators can also configure whether conflict validation should be checked before an add, modify, or modifyDN request to one or more backend servers or after the change has successfully completed.

For example, if the pre-commit-validation property is enabled, the Globally Unique Attribute Plugin performs one or more searches to determine whether any entries conflict with the change, such as add, modify, or modifyDN. If a conflict is detected, the change request is rejected. If the post-commit-validation property is enabled, the server performs one or more searches after the change has been processed to determine if a conflict was created in multiple servers at the same time. If a conflict is detected in this manner, an administrative alert is generated to notify administrators of the problem so that they can take any manual corrective action.

The Globally Unique Attribute plugin attempts to detect and prevent unique attribute conflicts for changes processed through this PingDirectoryProxy server, but it cannot detect conflicts introduced by changes applied by clients communicating directly with backend servers.

You should enable the plugin for all backend servers with the same configuration so that conflicts can be detected within individual backend server instances. However, the Unique Attribute plugin alone might not be sufficient for cases in which the content is split across multiple sets of servers, such as in an entry-balanced environment or in proxy configurations with different branches on different servers.

The LDAP SDK uniqueness request control can be used for enforcing uniqueness on a per-request basis. See the LDAP SDK documentation and the com.unboundid.ldap.sdk.unboundidds.controls.UniquenessResponseControl class for using the control. See the ASN.1 specification to implement support for it in other APIs.

In most cases, pre-commit validation should be sufficient to prevent conflicts. However, you should periodically run the identify-unique-attribute-conflicts tool to find any conflicts that might have arisen.

The following example shows how to configure the Globally Unique Attribute plugin. The example defines an attribute set consisting of the telephoneNumber and mobile attributes within the test-view subtree view.

The multiple-attribute-behavior property determines the scope of how attributes might differ among entries and is the same property for the directory server plugin. The property is set to unique-across-all-attributes-including-in-same-entry, which indicates that the telephone and mobile attributes must be unique throughout the subtree view, even within an entry.

The pre-commit-validation property ensures that the Globally Unique Attribute Plugin performs one or more searches to determine whether any entries conflict with the change, such as add, modify, or modifyDN. If a conflict is detected, the change request is rejected.