The Directory Server can automatically update references to an entry whenever that entry is removed or renamed in a process called referential integrity. For example, if a user entry is deleted, then referential integrity plugin will remove that user from any static groups in which the user was a member (this is not necessary for dynamic groups, since no explicit membership is maintained). Similarly, if a modify DN operation is performed to move or rename a user entry, then referential integrity updates static groups in which that user is a member with the new user DN.
$ bin/dsconfig set-plugin-prop --plugin-name "Referential Integrity" \ --set enabled:true
attribute-type. This attribute specifies the names or OIDs of the attribute types
for which referential integrity will be maintained. By default, referential integrity is
maintained for the
uniqueMemberattributes. Any attribute types specified must have a syntax of either distinguished name (OID "184.108.40.206.4.1.14220.127.116.11.12") or name and optional UID (OID "18.104.22.168.4.1.1422.214.171.124.34"). The specified attribute types must also be indexed for equality in all backends for which referential integrity is to be maintained.
- base-dn. This attribute specifies the subtrees for which referential integrity will be maintained. If one or more values are provided, then referential integrity processing will only be performed for entries which exist within those portions of the DIT. If no values are provided (which is the default behavior), then entries within all public naming contexts will be included.
- log-file. This attribute specifies the path to a log file that may be used to hold information about the DNs of deleted or renamed entries. If the plugin is configured with a nonzero update interval, this log file helps ensure that appropriate referential integrity processing occurs even if the server is restarted.
- update-interval. This attribute specifies the maximum length of time that a background thread may sleep between checks of the referential integrity log file to determine whether any referential integrity processing is required. By default, this attribute has a value of "0 seconds", which indicates that all referential integrity processing is to be performed synchronously before a response is returned to the client. A duration greater than 0 seconds indicates that referential integrity processing will be performed in the background and will not delay the response to the client.
In the default configuration, where referential integrity processing is performed synchronously, the throughput and response time of delete and modify DN operations may be adversely impacted because the necessary cleanup work must be completed before the response to the original operation can be returned. Changing the configuration to use a non-zero update interval alleviates this performance impact because referential integrity processing uses a separate background thread and does not significantly delay the response to delete or modify DN operations.
For more information about administering the referential integrity plugin, see Chapter 6, “Configuring the Directory Server” in the PingDirectory Server Administration Guide.