Implementing Attribute Value Uniqueness

Some attribute values ought to remain unique. If you are using uid values as RDNs to distinguish between millions of user entries stored under ou=People, then you do not want your directory to contain two or more identical uid values. If your credit card or mobile number is stored as an attribute value on your directory entry, you certainly do not want to share that credit card or mobile number with another customer. The same is true for your email address.

The difficulty for you as directory administrator lies in implementing attribute value uniqueness without sacrificing the high availability that comes from OpenDJ's loosely consistent, multi-master data replication. OpenDJ's replication model lets directory applications keep write access during network outages. Yet write access during a network outage can result in the same, theoretically unique attribute value being assigned to two different entries at once, one on each side of the partition. You do not notice the problem until the outage ends and replication resumes. This chapter shows you how to set up attribute value uniqueness in your directory environment.

To Enable Unique UIDs

OpenDJ provides a unique attribute plugin that you configure by using the dsconfig command. By default, the plugin is prepared to ensure that uid attribute values are unique. Set the base DN below which uid values must be unique, and enable the plugin.

$ dsconfig set-plugin-prop --port 4444 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --set base-dn:ou=people,dc=example,dc=com --set enabled:true \
 --trustAll --no-prompt

Alternatively, you can specify multiple base DNs so that values are unique across multiple suffixes.
$ dsconfig set-plugin-prop --port 4444 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" --bindPassword password \
 --plugin-name "UID Unique Attribute" --set enabled:true \
 --add base-dn:ou=people,dc=example,dc=com \
 --add base-dn:ou=people,dc=example,dc=org \
 --trustAll --no-prompt

Check that the plugin is working correctly by trying to give an existing entry a uid value that another entry already has.

$ cat bjensen.ldif
dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: uid
uid: bjensen
$ ldapmodify --defaultAdd --port 1389 \
 --bindDN "cn=Directory Manager" --bindPassword password \
 --filename bjensen.ldif
Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code:  19 (Constraint Violation)
Additional Information:  A unique attribute conflict was detected for attribute uid: value bjensen already exists in entry uid=bjensen,ou=People,dc=example,dc=com

If you have set up multiple suffixes, you can confirm that the check spans them by adding an entry under the second suffix that reuses a uid from the first.

$ cat bjensen.ldif
dn: uid=bjensen,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs
sn: Jensen
uid: bjensen
$ ldapmodify --port 1389 \
 --bindDN "cn=Directory Manager" --bindPassword password \
 --defaultAdd --filename bjensen.ldif
Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org
ADD operation failed
Result Code:  19 (Constraint Violation)
Additional Information:  A unique attribute conflict was detected for attribute uid: value bjensen already exists in entry uid=bjensen,ou=People,dc=example,dc=com

To Enable Unique Values For Other Attributes

You can also configure the unique attribute plugin for use with other attributes, such as mail, mobile, or attributes you define, for example cardNumber. Before you set up the plugin, index the attribute for equality: the plugin looks up existing values with an equality search every time a client adds or changes the attribute, so an unindexed attribute makes each such write expensive. Then set up a plugin configuration for your attribute.
$ dsconfig create-plugin --port 4444 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" --bindPassword password \
 --plugin-name "Unique mobile numbers" --type unique-attribute \
 --set enabled:true --set base-dn:ou=people,dc=example,dc=com \
 --set type:mobile --trustAll --no-prompt

Check that the plugin is working correctly. The first modification below succeeds because the value is new; the second fails because it reuses the same mobile number.

$ cat mobile.ldif
dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212

dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212
$ ldapmodify --defaultAdd --port 1389 \
 --bindDN "cn=Directory Manager" --bindPassword password \
 --filename mobile.ldif
Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code:  19 (Constraint Violation)
Additional Information:  A unique attribute conflict was detected for attribute mobile: value +1 828 555 1212 already exists in entry uid=ajensen,ou=People,dc=example,dc=com

To Ensure Unique Attribute Values With Replication

The unique attribute plugin checks the operations that clients send to the directory server where the plugin runs. Changes that arrive through replication are applied without the check. If client applications separately write the same attribute value at the same time on different directory replicas, both servers can consider the duplicate value unique, especially if the network is down between the replicas, and each then replicates its write to the other. Enable the plugin identically on all replicas, so that the check applies wherever a client writes. To avoid duplicate values where possible, try one of the following solutions.

- Use a load balancer or proxy technology to direct all updates to the unique attribute to the same directory server. The drawback here is the need for an additional component to direct the updates to the same server, and to manage failover should that server go down.
- Configure safe read mode assured replication between replicas storing the unique attribute. The drawbacks here are the cost of safe read assured replication, and the likelihood that assured replication enters degraded mode during a network outage, thus continuing to allow updates during the outage.

Whichever solution you choose, the plugin does not repair duplicates that replication has already brought in. After a network partition heals, export the data and look for values that appear on more than one entry under the configured base DNs, then resolve the conflicts by hand.
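The following script is an added example, not part of OpenDJ or of this guide, showing the post-outage audit described above: it reads an LDIF export and reports values of uid, mail or mobile that occur on more than one entry under the configured base DNs. Values are compared the way the server's default matching rules compare them (case and surrounding whitespace ignored for uid and mail, spaces and hyphens ignored for mobile), which is why the audit is not a plain string comparison. The LDIF text, the base DNs and the function names are constructed for the demonstration.

```python
"""Audit an LDIF export for duplicate values of attributes that should be unique.
Added example for this chapter; not OpenDJ code. The LDIF below is constructed."""
import base64
import re
from collections import defaultdict

# Constructed sample resembling an export-ldif result after a network partition.
# bjensen exists under both suffixes, two entries share a mobile number written
# in different styles, and one entry lies outside the audited base DNs.
SAMPLE_LDIF = """\
version: 1

dn: uid=ajensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: ajensen
mail: ajensen@example.com
mobile: +1 828 555 1212

dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjensen
mail:: YmplbnNlbkBleGFtcGxlLmNvbQ==
mobile: +1-828-555-1212

dn: uid=bjensen,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: BJensen
mail: BJensen@Example.COM
mobile: +1 828 555 2323

dn: uid=cjensen,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: cjensen
mobile: +1 828 555
 3434
description: a folded value, continued on the next line after a single
 leading space as LDIF allows

dn: uid=djensen,ou=Contractors,dc=example,dc=net
objectClass: inetOrgPerson
uid: djensen
mobile: +1 828 555 1212
"""

# Base DNs the unique attribute plugin was configured with (assumed).
BASE_DNS = ["ou=people,dc=example,dc=com", "ou=people,dc=example,dc=org"]

# Attributes whose values are compared with telephoneNumberMatch semantics.
TELEPHONE_ATTRS = {"mobile", "telephonenumber", "homephone", "pager"}

ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {name: [values]}} entries.
    Handles folded lines (leading space) and base64 values (name:: value)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:          # trailing blank line flushes the last entry
        if not line or line.startswith("#"):
            if current is not None:
                entries.append(current)
                current = None
            continue
        match = ATTR_LINE.match(line)
        if not match:
            continue
        name, sep, value = match.group(1).lower(), match.group(2), match.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    return entries


def normalize(attr, value):
    """Approximate the server's equality matching rule for the attribute."""
    if attr in TELEPHONE_ATTRS:
        return re.sub(r"[\s-]", "", value)      # telephoneNumberMatch ignores spaces and hyphens
    return " ".join(value.split()).lower()      # caseIgnoreMatch: case and extra whitespace ignored


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn, base_dns):
    dn = normalize_dn(dn)
    return any(dn == base or dn.endswith("," + base) for base in map(normalize_dn, base_dns))


def find_duplicates(entries, attr, base_dns):
    """Map each normalized value of attr to the DNs (in file order) that carry it,
    keeping only values shared by more than one entry under base_dns."""
    attr = attr.lower()
    holders = defaultdict(list)
    for entry in entries:
        if not in_scope(entry["dn"], base_dns):
            continue
        for value in entry["attrs"].get(attr, []):
            key = normalize(attr, value)
            if entry["dn"] not in holders[key]:   # an entry cannot conflict with itself
                holders[key].append(entry["dn"])
    return {key: dns for key, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for attribute in ("uid", "mail", "mobile"):
        for shared_value, dns in find_duplicates(parsed, attribute, BASE_DNS).items():
            print(f"{attribute} value {shared_value!r} is shared by:")
            for dn in dns:
                print(f"    {dn}")
```

Run it against a real export (export-ldif on each replica, or one export once replication has converged) by replacing SAMPLE_LDIF with the file contents. Entries outside the configured base DNs are ignored, matching the plugin's own scope, so a hit means two entries the plugin would have refused had the writes reached the same server.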