Referential integrity plug-in

This topic describes the referential integrity plug-in and the commands that you can use to configure it.

Security Directory Server provides a plug-in named libdelref, a pre-operation plug-in that enables referential integrity constraints for the LDAP Delete operation. The libraries are available at the location <SDS_HOME>/lib or lib64, and the library name varies by platform: libdelref.dll (Windows), libdelref.a (AIX®), libdelref.so (Solaris and Linux®). A sample configuration file, tdsdelref.conf, is also available in the /etc directory of the Security Directory Server install location. When an instance is created, the tdsdelref.conf file becomes available in the etc directory of the instance location.

You can enable the plug-in by using the attribute ibm-slapdReferentialIntegrityPlugin, which is defined in the ibmslapd.conf file. By default, the value of this attribute is false. To enable the plug-in, you must change the attribute value to true and restart the server.

The following lines in the ibmslapd.conf file define the libdelref plug-in:
dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdPlugin: preoperation libdelref.so DeleteReferenceInit file=/home/nuser/idsslapd-nuser/etc/tdsdelref.conf dn=o=sample
ibm-slapdReferentialIntegrityPlugin: FALSE
Note: By default the plug-in entry function is "DeleteReferenceInit". However, for debugging purposes the function "DeleteReferenceInitDebug" may be substituted in the <init-function> specification in the ibmslapd.conf file to generate more verbose logging in ibmslapd.log.

Here, the ibm-slapdPlugin attribute defines the plug-in as a pre-operation plug-in whose library is libdelref.so. The file parameter defaults to the complete path of the sample tdsdelref.conf file in the etc directory. The dn parameter, which is the DN under which you want to search for the entries, defaults to o=sample.

To enable the plug-in, issue the following command:
idsldapmodify -D <bindDN> -w <password>

dn: cn=Directory, cn=RDBM Backends, cn=IBM Directory, cn=Schemas, cn=Configuration
ibm-slapdReferentialIntegrityPlugin: True
The plug-in is initialized by reading referential integrity constraint information from the file specified by the file parameter and the dn specified by the dn parameter in the tdsdelref.conf file. The tdsdelref.conf file is included for reference purposes. You can use any file as long as it adheres to the following format:
file=<absolutePathToFile>	
dn=<searchDN>

OR

oc=<deleteObjectClass:referenceObjectClass:referenceAttribute>
dn=<searchDN>

where:

absolutePathToFile: is the absolute path to a file containing oc and dn parameters

deleteObjectClass: is the objectclass name of the deleted object for which the referential integrity is to be maintained

referenceObjectClass: is the objectclass name of the reference object which might contain a reference to the deleted object

referenceAttribute: is the attribute name in the referenceObjectClass whose value is the reference to the object being deleted

searchDN: is the base DN where objects need to be searched (for references to the object being deleted)
The file may contain multiple attributes and search base DN specifications in any order. Each specification is treated literally, so white space before and after a specification is not allowed, and will lead to undesirable results.
Note: There can be multiple instances of "oc" and "dn", separated by spaces.
Let us consider an example of how referential integrity works for a delete operation, where the entry in tdsdelref.conf is:
oc=inetOrgPerson:inetOrgPerson:manager
Let us assume there are two users in the DIT, namely cn=testmanager and cn=testuser. Also, let us assume that the manager of cn=testuser is cn=testmanager. For instance:
dn: cn=testmanager,o=sample
objectclass: inetOrgPerson
sn: manager

dn: cn=testuser,o=sample
objectclass: inetOrgPerson
sn: testuser
manager: cn=testmanager,o=sample
Now, if the referential integrity plug-in is enabled and you delete cn=testmanager, then all the references to cn=testmanager in the manager attribute of cn=testuser are also deleted.
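
The delete behavior described above, modeled in Python as an added example (it is not the plug-in's code and does not come from the product). The in-memory directory, the function names, and the cn=other,o=elsewhere entry are constructed for illustration, and DN matching is assumed to be a simplified case-insensitive comparison.

```python
# Added illustration, not the libdelref implementation. Assumptions: entries are
# dicts with lowercase attribute names; DN matching is simplified (lowercased).
def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_oc(spec):
    """Parse 'oc=<deleteObjectClass:referenceObjectClass:referenceAttribute>'."""
    if spec != spec.strip():
        raise ValueError("white space around a specification is not allowed")
    key, _, value = spec.partition("=")
    parts = [p.lower() for p in value.split(":")]
    if key != "oc" or len(parts) != 3 or not all(parts):
        raise ValueError("malformed oc specification: %r" % spec)
    return parts

def has_oc(entry, oc):
    return oc in (v.lower() for v in entry.get("objectclass", []))

def under(dn, base):
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def delete_with_refint(dit, target, oc_specs, search_dn):
    """Delete target from dit (DN -> {attr: [values]}), strip references to
    it under search_dn, and return the DNs of the modified entries."""
    deleted = dit.pop(target)
    touched = []
    for del_oc, ref_oc, attr in map(parse_oc, oc_specs):
        if not has_oc(deleted, del_oc):
            continue  # this constraint does not cover the deleted entry
        for dn, entry in dit.items():
            if not (under(dn, search_dn) and has_oc(entry, ref_oc)):
                continue  # only referenceObjectClass entries under searchDN
            values = entry.get(attr, [])
            kept = [v for v in values if norm(v) != norm(target)]
            if len(kept) != len(values):
                entry.pop(attr)
                if kept:
                    entry[attr] = kept  # other references stay in place
                touched.append(dn)
    return touched

def sample_dit():
    """The page's two entries plus one constructed entry outside o=sample."""
    person = lambda sn, **kw: dict(objectclass=["inetOrgPerson"], sn=[sn], **kw)
    return {
        "cn=testmanager,o=sample": person("manager"),
        "cn=testuser,o=sample": person("testuser", manager=["cn=testmanager,o=sample"]),
        "cn=other,o=elsewhere": person("other", manager=["cn=testmanager,o=sample"]),
    }
```

In this model, deleting cn=testmanager,o=sample with oc=inetOrgPerson:inetOrgPerson:manager and dn=o=sample clears the manager value of cn=testuser, while the constructed entry under o=elsewhere keeps its reference because it lies outside the search DN.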