SLAPO-CONSTRAINT(5)	      File Formats Manual	   SLAPO-CONSTRAINT(5)

NAME
       slapo-constraint	- Attribute Constraint Overlay to slapd

SYNOPSIS
       /usr/local/etc/openldap/slapd.conf

DESCRIPTION
       The  constraint	overlay	 is used to ensure that	attribute values match
       some constraints	beyond basic LDAP syntax.  Attributes can have	multi-
       ple  constraints	placed upon them, and all must be satisfied when modi-
       fying an	attribute value	under constraint.

       This overlay is intended	to be used to force syntactic regularity  upon
       certain	string represented data	which have well	known canonical	forms,
       like telephone numbers, post codes, FQDNs, etc.

       It constrains only LDAP add, modify and rename commands and only	 seeks
       to control the add and replace values of	modify and rename requests.

       No constraints are applied for operations performed with	the relax con-
       trol set.

CONFIGURATION
       This slapd.conf option applies to the constraint	 overlay.   It	should
       appear after the	overlay	directive.

       constraint_attribute  <attribute_name>[,...]  <type>  <value>  [<extra>
       [...]]
	      Specifies	the constraint which should apply to  the  comma-sepa-
	      rated  attribute	list named as the first	parameter.  Five types
	      of constraint are	currently supported - regex, size, count, uri,
	      and set.

	      The  parameter  following	the regex type is a Unix style regular
	      expression (see regex(7)).  The parameter following the uri type
	      is  an  LDAP  URI.  The  URI will	be evaluated using an internal
	      search.  It must not include a hostname, and it must  include  a
	      list of attributes to evaluate.

	      The  parameter following the set type is a string	that is	inter-
	      preted according to the syntax in	use for	ACL sets.  This	allows
	      one to construct constraints based on the	contents of the	entry.

	      The  size	 type  can  be used to enforce a limit on an attribute
	      length, and the count type limits	the number of values of	an at-
	      tribute.

	      Extra  parameters	 can  occur in any order after those described
	      above.

	      <extra> :	restrict=<uri>

	      This extra parameter allows one to restrict the  application  of
	      the  corresponding  constraint  only  to	entries	that match the
	      base, scope and filter portions of the LDAP URI.	The  base,  if
	      present, must be within the naming context of the	database.  The
	      scope is only used when the base	is  present;  it  defaults  to
	      base.  The other parameters of the URI are not allowed.

       Any  attempt  to	 add  or modify	an attribute named as part of the con-
       straint overlay specification which does	not fit	the constraint	listed
       will fail with an LDAP_CONSTRAINT_VIOLATION error.

EXAMPLES
	      overlay constraint
	      constraint_attribute jpegPhoto size 131072
	      constraint_attribute userPassword	count 3
	      constraint_attribute mail regex ^[[:alnum:]]+@mydomain[.]com$
	      constraint_attribute title uri
		ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
	      constraint_attribute cn,sn,givenName set
		"(this/givenName + [ ] + this/sn) & this/cn"
		restrict="ldap:///ou=People,dc=example,dc=com??sub?(objectClass=inetOrgPerson)"

       A  specification	 like  the above would reject any mail attribute which
       did not look like <alpha-numeric	string>@mydomain.com.  It  would  also
       reject  any  title  attribute whose values were not listed in the title
       attribute of any	titleCatalog entries in	the given  scope.  (Note  that
       the  "dc=catalog,dc=example,dc=com"  subtree ought to reside in a sepa-
       rate database, otherwise	the initial set	of titleCatalog	entries	 could
       not  be	populated while	the constraint is in effect.)  Finally,	it re-
       quires the values of the	attribute cn to	be constructed by pairing val-
       ues  of the attributes sn and givenName,	separated by a space, but only
       for entries derived from	the objectClass	inetOrgPerson.
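
       The script below is an added example, not part of the OpenLDAP
       documentation.  It tests a regex constraint against sample values
       before it is deployed and shows that a bare dot in the domain part
       also accepts look-alike domains.  It assumes the pattern is read
       as an extended regular expression, as grep -E does; the sample
       values and function names are constructed for illustration.

```shell
#!/bin/sh
# Pre-deployment check for a slapo-constraint "regex" pattern.
# Assumption: the pattern is interpreted as a POSIX extended regular
# expression (regex(7)), which is what grep -E implements.

# LOOSE leaves the dot unescaped, so it matches any single character.
# STRICT uses a bracket expression, which needs no backslash quoting
# in slapd.conf.
LOOSE='^[[:alnum:]]+@mydomain.com$'
STRICT='^[[:alnum:]]+@mydomain[.]com$'

# matches PATTERN VALUE: exit status 0 if VALUE satisfies PATTERN.
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# count_accepted PATTERN VALUE...: print how many values are accepted.
count_accepted() {
    pattern=$1; shift
    n=0
    for value in "$@"; do
        if matches "$pattern" "$value"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# audit PATTERN: print each constructed sample value with its verdict.
audit() {
    for value in 'alice@mydomain.com' 'bob42@mydomain.com' \
                 'alice@mydomainxcom' 'alice@mydomain-com' \
                 'al.ice@mydomain.com' 'alice@mydomain.com.example'; do
        if matches "$1" "$value"; then verdict=accept; else verdict=reject; fi
        printf '%-30s %s\n' "$value" "$verdict"
    done
}

echo "pattern: $LOOSE";  audit "$LOOSE"
echo "pattern: $STRICT"; audit "$STRICT"
```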

FILES
       /usr/local/etc/openldap/slapd.conf
	      default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-config(5).

ACKNOWLEDGEMENTS
       This module was written in 2005 by Neil Dunbar of  Hewlett-Packard  and
       subsequently  extended  by  Howard  Chu and Emmanuel Dreyfus.  OpenLDAP
       Software	 is  developed	and  maintained	 by   The   OpenLDAP   Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the Uni-
       versity of Michigan LDAP	3.3 Release.

OpenLDAP 2.4.51			  2020/08/11		   SLAPO-CONSTRAINT(5)
