Referential integrity is a plugin mechanism that maintains the DN references between an entry and a group member attribute. For example, if you have a group entry consisting of member attributes specifying the DNs of printers, you can enable the referential integrity plugin to ensure that the group entry is automatically removed if a printer entry is removed from the Directory Server.

The Referential Integrity plugin is disabled by default. When enabled, the plugin performs integrity updates on the specified attributes (for example, member or uniquemember) after a delete, modify DN, or a rename (i.e., subordinate modifyDN) operation is logged to the logs/referint file. If an entry is deleted, the plugin checks the log file and makes the corresponding change to the associated group entry.

Three important points about the Referential Integrity plugin:
  • All specified attributes that are configured for Referential Integrity must be indexed.
  • On replicated servers, the Referential Integrity plugin configuration is not propagated to other replicas; therefore, you must manually enable the plugin on each replica. The plugin settings must also be identical on all machines.
  • Subtree delete operations are not allowed if the referential integrity plugin is enabled and configured to operate in synchronous mode. It must be configured to operate in asynchronous mode (by specifying a nonzero update interval) if subtree delete operations will be performed.
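
The points above can be checked mechanically before relying on the plugin in a replicated topology. The following audit is an added example, not part of the product or its tooling: the dictionary keys (enabled, attributes, update_interval, indexed_attributes) are hypothetical names for values you would export from each replica's configuration, and the sample data is constructed.

```python
# Added example: audits constructed per-replica snapshots of the plugin settings.
# The dictionary keys are hypothetical names, not the server's own property
# names; fill them from each replica's configuration export.

def settings(cfg):
    """The settings that must be identical on every replica."""
    return (frozenset(a.lower() for a in cfg["attributes"]), cfg["update_interval"])

def audit_referint(replicas, subtree_deletes_needed=False):
    """Return a sorted list of (replica, finding); an empty list means consistent."""
    findings = []
    enabled = {name: cfg for name, cfg in replicas.items() if cfg["enabled"]}
    for name, cfg in replicas.items():
        if not cfg["enabled"]:
            # The configuration is not replicated, so each replica is enabled by hand.
            findings.append((name, "plugin disabled on this replica"))
            continue
        # Every attribute under referential integrity must be indexed.
        indexed = {a.lower() for a in cfg["indexed_attributes"]}
        for attr in cfg["attributes"]:
            if attr.lower() not in indexed:
                findings.append((name, f"attribute {attr} is not indexed"))
        # A zero update interval is synchronous mode, which disallows subtree deletes.
        if subtree_deletes_needed and cfg["update_interval"] == 0:
            findings.append((name, "synchronous mode blocks subtree deletes"))
    # Compare every enabled replica with the first one (by name).
    if enabled:
        ref_name = sorted(enabled)[0]
        for name in sorted(enabled):
            if settings(enabled[name]) != settings(enabled[ref_name]):
                findings.append((name, f"settings differ from {ref_name}"))
    return sorted(findings)

# Constructed sample data for three replicas.
SAMPLE = {
    "ds1": {"enabled": True, "attributes": ["member", "uniquemember"],
            "update_interval": 0,
            "indexed_attributes": ["member", "uniqueMember", "cn"]},
    "ds2": {"enabled": True, "attributes": ["member"],
            "update_interval": 5, "indexed_attributes": ["cn"]},
    "ds3": {"enabled": False, "attributes": [], "update_interval": 0,
            "indexed_attributes": []},
}

if __name__ == "__main__":
    for replica, finding in audit_referint(SAMPLE, subtree_deletes_needed=True):
        print(f"{replica}: {finding}")
```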