summaryrefslogtreecommitdiffstats
path: root/doc/man/man5/slapo-constraint.5
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/man5/slapo-constraint.5')
-rw-r--r--doc/man/man5/slapo-constraint.5155
1 files changed, 155 insertions, 0 deletions
diff --git a/doc/man/man5/slapo-constraint.5 b/doc/man/man5/slapo-constraint.5
new file mode 100644
index 0000000..240f713
--- /dev/null
+++ b/doc/man/man5/slapo-constraint.5
@@ -0,0 +1,155 @@
+.TH SLAPO-CONSTRAINT 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2005-2006 Hewlett-Packard Company
+.\" Copyright 2006-2022 The OpenLDAP Foundation All Rights Reserved.
+.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
+.\" $OpenLDAP$
+.SH NAME
+slapo\-constraint \- Attribute Constraint Overlay to slapd
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+The constraint overlay is used to ensure that attribute values match
+some constraints beyond basic LDAP syntax. Attributes can
+have multiple constraints placed upon them, and all must be satisfied
+when modifying an attribute value under constraint.
+.LP
+This overlay is intended to be used to force syntactic regularity upon
+certain string represented data which have well known canonical forms,
+like telephone numbers, post codes, FQDNs, etc.
+.LP
+It constrains only LDAP \fIadd\fP, \fImodify\fP and \fIrename\fP commands
+and only seeks to control the \fIadd\fP and \fIreplace\fP values
+of \fImodify\fP and \fIrename\fP requests.
+.LP
+No constraints are applied for operations performed with the
+.I relax
+control set.
+.SH CONFIGURATION
+This
+.B slapd.conf
+option applies to the constraint overlay.
+It should appear after the
+.B overlay
+directive.
+.TP
+.B constraint_attribute <attribute_name>[,...] <type> <value> [<extra> [...]]
+Specifies the constraint which should apply to the comma-separated
+attribute list named as the first parameter.
+Six types of constraint are currently supported -
+.BR regex ,
+.BR negregex ,
+.BR size ,
+.BR count ,
+.BR uri ,
+and
+.BR set .
+
+The parameter following the
+.B regex
+or
+.B negregex
+type is a Unix style regular expression (See
+.BR regex (7)
+). The parameter following the
+.B uri
+type is an LDAP URI. The URI will be evaluated using an internal search.
+It must not include a hostname, and it must include a list of attributes
+to evaluate.
+
+The parameter following the
+.B set
+type is a string that is interpreted according to the syntax in use
+for ACL sets. This allows one to construct constraints based on the contents
+of the entry.
+
+The
+.B size
+type can be used to enforce a limit on an attribute length, and the
+.B count
+type limits the number of values of an attribute.
+
+Extra parameters can occur in any order after those described above.
+.RS
+.TP
+.B <extra> : restrict=<uri>
+.RE
+
+.RS
+This extra parameter allows one to restrict the application of the corresponding
+constraint only to entries that match the
+.IR base ,
+.I scope
+and
+.I filter
+portions of the LDAP URI.
+The
+.IR base ,
+if present, must be within the naming context of the database.
+The
+.I scope
+is only used when the
+.I base
+is present; it defaults to
+.BR base .
+The other parameters of the URI are not allowed.
+.RE
+
+.LP
+Any attempt to add or modify an attribute named as part of the
+constraint overlay specification which does not fit the
+constraint listed will fail with a
+LDAP_CONSTRAINT_VIOLATION error.
+.SH EXAMPLES
+.LP
+.RS
+.nf
+overlay constraint
+constraint_attribute jpegPhoto size 131072
+constraint_attribute userPassword count 3
+constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
+constraint_attribute mail negregex ^[[:alnum:]]+@notallowed.com$
+constraint_attribute title uri
+ ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
+constraint_attribute cn,sn,givenName set
+ "(this/givenName + [ ] + this/sn) & this/cn"
+ restrict="ldap:///ou=People,dc=example,dc=com??sub?(objectClass=inetOrgPerson)"
+.fi
+
+.RE
+A specification like the above would reject any
+.B mail
+attribute which did not look like
+.BR "<alphanumeric string>@mydomain.com"
+or that looks like
+.BR "<alphanumeric string>@notallowed.com" .
+It would also reject any
+.B title
+attribute whose values were not listed in the
+.B title
+attribute of any
+.B titleCatalog
+entries in the given scope. (Note that the
+"dc=catalog,dc=example,dc=com" subtree ought to reside
+in a separate database, otherwise the initial set of
+titleCatalog entries could not be populated while the
+constraint is in effect.)
+Finally, it requires the values of the attribute
+.B cn
+to be constructed by pairing values of the attributes
+.B sn
+and
+.BR givenName ,
+separated by a space, but only for entries derived from the objectClass
+.BR inetOrgPerson .
+.RE
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.SH SEE ALSO
+.BR slapd.conf (5),
+.BR slapd\-config (5),
+.SH ACKNOWLEDGEMENTS
+This module was written in 2005 by Neil Dunbar of Hewlett-Packard and subsequently
+extended by Howard Chu and Emmanuel Dreyfus.
+.so ../Project