If a user entry is deleted, the referential integrity plugin removes that user from any static groups in which the user was a member. This is not necessary for dynamic groups because no explicit membership is maintained. Similarly, if a modify distinguished name (DN) operation is performed to move or rename a user entry, then referential integrity updates static groups in which that user is a member with the new user DN.

In the default configuration, referential integrity processing is performed synchronously. Because the necessary cleanup work must complete before the response to the original operation returns, the throughput and response time of delete and modify DN operations might be adversely impacted. To alleviate this performance impact, change the configuration to use a non-zero update interval. As a result, the referential integrity process uses a separate background thread and does not significantly delay the response to delete or modify DN operations.

Performing referential integrity processing in a background thread can introduce a race condition that might adversely impact clients that delete a user and then immediately attempt to re-add it and establish new group memberships. For example, if referential integrity processing has not yet been completed for the delete, then newly-established group memberships might be removed along with those that existed for the previous user. Similarly, if the newly-created user is to be a member of one or more of the same groups as the previous user, then the client's attempts to re-establish those memberships can fail if the referential integrity processing has not yet removed the previous membership. Use the default synchronous behavior unless the performance impact associated with synchronous referential integrity processing is unacceptable or clients might be affected by delayed referential integrity processing.
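The race described above, as an added toy model (not PingDirectory code): an in-memory directory whose delete operation either runs the referential integrity cleanup synchronously (update interval 0) or defers it to a background pass, exercised with constructed sample DNs. Deferred cleanup makes the client's membership re-add fail and then strips the membership it intended to keep.

```python
from collections import deque

class Directory:
    def __init__(self, update_interval=0):
        self.entries = {}                       # DN -> {attribute: set(values)}
        self.update_interval = update_interval  # 0 = synchronous processing
        self.pending = deque()                  # stands in for the plugin log file

    def add(self, dn, **attrs):
        self.entries[dn] = {k: set(v) for k, v in attrs.items()}

    def modify_add(self, dn, attr, value):
        # LDAP rejects adding a value that is already present (attributeOrValueExists)
        values = self.entries[dn].setdefault(attr, set())
        if value in values:
            raise ValueError("attributeOrValueExists")
        values.add(value)

    def delete(self, dn):
        del self.entries[dn]
        if self.update_interval == 0:
            self._cleanup(dn)         # done before the delete response returns
        else:
            self.pending.append(dn)   # deferred to the background thread

    def run_background_thread(self):
        while self.pending:
            self._cleanup(self.pending.popleft())

    def _cleanup(self, dn):
        # remove the deleted DN from every static group's member attribute
        for entry in self.entries.values():
            entry.get("member", set()).discard(dn)

    def is_member(self, group_dn, user_dn):
        return user_dn in self.entries[group_dn].get("member", set())

def delete_then_readd(update_interval):
    """Delete a user, re-add it, re-establish its membership, then let any
    deferred cleanup run. Returns (membership add succeeded, still a member)."""
    d = Directory(update_interval)
    user = "uid=alice,ou=People,dc=example,dc=com"   # constructed sample DNs
    group = "cn=Admins,ou=Groups,dc=example,dc=com"
    d.add(user, objectClass=["person"])
    d.add(group, objectClass=["groupOfNames"], member=[user])
    d.delete(user)                       # client deletes the user ...
    d.add(user, objectClass=["person"])  # ... and immediately re-adds it
    try:
        d.modify_add(group, "member", user)
        add_ok = True
    except ValueError:
        add_ok = False                   # old membership not yet cleaned up
    d.run_background_thread()            # deferred cleanup finally runs
    return add_ok, d.is_member(group, user)
```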

Other configuration attributes for this plugin include:

Referential integrity plugin configuration attributes and their descriptions (each configuration attribute is followed by its description):

attribute-type

This attribute specifies the names or OIDs of the attribute types for which referential integrity will be maintained. By default, referential integrity is maintained for the member and uniqueMember attributes. Any attribute types specified must have a syntax of either distinguished name (OID "1.3.6.1.4.1.1466.115.121.1.12") or name and optional UID (OID "1.3.6.1.4.1.1466.115.121.1.34"). The specified attribute types must also be indexed for equality in all backends for which referential integrity is to be maintained.

base-dn

This attribute specifies the subtrees for which referential integrity will be maintained. If one or more values are provided, then referential integrity processing will only be performed for entries which exist within those portions of the DIT. If no values are provided (the default), then entries within all public naming contexts will be included.

log-file

This attribute specifies the path to a log file that can be used to hold information about the DNs of deleted or renamed entries. If the plugin is configured with a nonzero update interval, this log file helps ensure that appropriate referential integrity processing occurs even if the server is restarted.

update-interval

This attribute specifies the maximum length of time that a background thread can sleep between checks of the referential integrity log file to determine whether any referential integrity processing is required. By default, this attribute has a value of "0 seconds", which indicates that all referential integrity processing is to be performed synchronously before a response is returned to the client. A duration greater than 0 seconds indicates that referential integrity processing will be performed in the background and will not delay the response to the client.

By default, referential integrity support is disabled. To enable the support:

  • Use the dsconfig tool as shown.
    $ bin/dsconfig set-plugin-prop --plugin-name "Referential Integrity" \
      --set enabled:true
    Note:

    The internal operations of the referential integrity plugin are not replicated. In a replicated topology, you must enable the referential integrity plugin on all servers in the topology to ensure that changes made by the referential integrity plugin are passed along to a replication server.

    For more information about administering the referential integrity plugin, see Configuring the Server in PingDirectory Server Administration Guide.