Re: slapo-unique spins its wheels on a non-trivial olcUniqueURI spec

["Norman Gray" <gray@nxg.name>]

Michael, hello.

Thanks for your response.

On 10 Sep 2019, at 19:33, Michael Ströder wrote:

> The above is invalid. Your LDIF should contain separate attribute 
> values for each unique URI:
>
> olcUniqueURI: ldap:///ou=dept-A,o=example?uidnumber?sub
> olcUniqueURI: ldap:///ou=dept-B,o=example?uidnumber?sub

The problem is that both the manpage and the source-code comments seem 
to state that the attribute can take multiple values.  Quoting from the 
manpage:

>  Multiple URIs may be specified within a domain,
> allowing complex selections of objects. Multiple unique_uri            
> statements or olcUniqueURI attributes will create independent
> domains

I interpret that as saying that each olcUniqueURI attribute corresponds 
to, or implies, an 'independent domain', and that 'Multiple URIs may be 
specified within a domain' indicates that a domain can be specified by 
multiple ldap:/// URIs (though it doesn't say, for example, whether 
these are composed using UNION or something else).  That is, if this 
text _isn't_ intended to say that there may be multiple olcUniqueURI 
attributes, each of which can have multiple URIs, then it should be 
rewritten.

I would interpret your rewritten version as saying that uidnumber 
attributes should be unique in ou=dept-A, and that they should be unique 
in ou=dept-B (ie, they are independent), but not that they should be 
unique in (ou=dept-A UNION ou=dept-B), which is what I want.

So there is at least a documentation gap here.

> Of course slapd should not run crazy because of this.

Is there enough information in my previous message for me to add a 
reasonable ITS report, do you think?

> You can look at a running example config (cn=config read-only):

Thanks -- this is very useful (and also nudges investigating Ædir 
further up my list).  I'll study those.

Best wishes,

Norman


--
Norman Gray  :  https://nxg.me.uk