By default, the Referential Integrity plugin is disabled. When enabled, the plugin performs integrity updates on the specified attributes, such as member or uniquemember, after a delete, modify DN, or rename (such as a subordinate modifyDN) operation is logged to the logs/referint file. If an entry is deleted, the plugin checks the log file and makes the corresponding change to the associated group entry.

Important points about the Referential Integrity plugin:

  • Index all specified attributes that are configured for Referential Integrity.
  • On replicated servers, the Referential Integrity plugin configuration is not propagated to other replicas. You must manually enable the plugin on each replica.
  • The plugin settings must be identical on all machines.
  • If the Referential Integrity plugin is enabled and configured to operate in synchronous mode, subtree delete operations are not allowed. For subtree delete operations to be performed, you must configure the plugin to operate in asynchronous mode by specifying a nonzero update interval.

Enable the Referential Integrity plugin.

  1. Determine the attributes needed for your system.

    By default, the member and the uniquemember attributes are set for the plugin.

  2. To enable the Referential Integrity plugin, run the dsconfig tool.
    $ bin/dsconfig set-plugin-prop --plugin-name "Referential Integrity" \
      --set enabled:true
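
The following Python model is an added example, not the server's code or part of the product. It replays logged delete and modify DN operations against the member and uniquemember values of group entries, and lists references left dangling when those updates are not applied, for example on a replica where the plugin was never enabled. The entries, operation log, DN normalization, and function names are constructed for illustration.

```python
"""Model of referential-integrity updates on group entries (added example)."""
REF_ATTRS = ("member", "uniquemember")  # the plugin defaults named above

def norm(dn):
    # Simplified DN normalization (assumption: no escaped commas in RDN values).
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn, base):
    # True when dn is base itself or an entry subordinate to it.
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def apply_op(groups, op):
    """Apply one logged operation in place; return how many values changed.
    op is ("delete", dn) or ("moddn", old_dn, new_dn); subordinates of the
    target are covered, as in a subtree delete or subordinate modifyDN."""
    changed = 0
    for entry in groups.values():
        for attr in REF_ATTRS:
            kept = []
            for value in entry.get(attr, []):
                if not is_under(value, op[1]):
                    kept.append(value)
                    continue
                changed += 1
                if op[0] == "moddn":  # rewrite the suffix, keep leading RDNs
                    v = norm(value)
                    kept.append(v[:len(v) - len(norm(op[1]))] + op[2])
            if attr in entry:
                entry[attr] = kept
    return changed

def dangling(groups, live_dns):
    # References whose target entry no longer exists in the directory.
    live = {norm(d) for d in live_dns}
    return [(g, a, v) for g, e in groups.items() for a in REF_ATTRS
            for v in e.get(a, []) if norm(v) not in live]

# Constructed sample data: two groups, an operation log, and the live entries.
GROUPS = {
    "cn=admins,ou=Groups,dc=example,dc=com": {"member": [
        "uid=alice,ou=People,dc=example,dc=com",
        "uid=bob, ou=People, dc=example, dc=com"]},
    "cn=ops,ou=Groups,dc=example,dc=com": {"uniquemember": [
        "UID=Bob,OU=People,DC=example,DC=com",
        "uid=carol,ou=Contractors,dc=example,dc=com"]},
}
LOG = [("delete", "uid=bob,ou=People,dc=example,dc=com"),
       ("moddn", "ou=Contractors,dc=example,dc=com", "ou=Vendors,dc=example,dc=com")]
LIVE = ["uid=alice,ou=People,dc=example,dc=com", "uid=carol,ou=Vendors,dc=example,dc=com"]
```

Running `dangling` against an export of a replica's group entries gives a quick check that its plugin settings match the other servers.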