-1

I have set up an OpenLDAP server and created a custom schema with various fields, and it's working perfectly fine. However, I have some fields that I would like to restrict to certain values. For example, I have a field called deviceLocation and I only want it to have the values EAST, WEST or CENTER. How can I do this?

Slye
  • I may be missing something, but wouldn't that in part be a matter of how data is put into LDAP? I can't find anything to suggest it is possible to configure openLDAP to look into the values of objects, but you can restrict who is able to set a given field - maybe ensuring only a specific person, department, or script can populate/modify those fields is one approach? – iwaseatenbyagrue Mar 09 '17 at 08:59
  • I don't understand exactly what you say, but openLDAP can check the values you are putting into the server when you create a new entry, so you can restrict the values a field can have – Slye Mar 09 '17 at 14:55

2 Answers

1

You need to add the constraints overlay to your configuration. It allows you to add regular expressions that the values must match to be accepted by add or change operations. Alternatively, it would allow you to create a subtree with all allowed locations and then check if the value you try to add is listed in that subtree.

http://www.openldap.org/doc/admin24/overlays.html#Constraints

Sven
1

For future reference: as @Sven indicated, I used constraints to solve the problem. In my case, I created one LDIF file to activate the constraint module:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: constraint.la

And another one to configure it:

dn: olcOverlay=constraint,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: deviceLocation regex ^(EAST|WEST|CENTER)$

Uploaded the files with ldapadd and it worked like a charm.

Slye
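An added example, not part of either answer: the answers describe the overlay as checking values on add and change operations, so entries that were stored before it was enabled are worth auditing separately. This Python sketch scans an LDIF export for deviceLocation values that would fail the same regex. Python's `re` stands in for slapd's regex matching here (an assumption that holds for this simple pattern), and the sample LDIF and its DNs are constructed for illustration.

```python
import base64
import re

# Same pattern as the olcConstraintAttribute line in the answer above.
ALLOWED = re.compile(r"^(EAST|WEST|CENTER)$")
ATTR = "devicelocation"  # attribute names compare case-insensitively

# Constructed sample export; DNs and values are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=sw1,ou=devices,dc=example,dc=com
deviceLocation: EAST

dn: cn=sw2,ou=devices,dc=example,dc=com
deviceLocation: east

dn: cn=sw3,ou=devices,
 dc=example,dc=com
deviceLocation:: Q0VOVEVSCg==

dn: cn=sw4,ou=devices,dc=example,dc=com
devicelocation: WEST
"""


def find_violations(text):
    """Return (dn, value) pairs whose deviceLocation does not match ALLOWED."""
    bad, dn = [], None
    # Undo LDIF line folding: a newline followed by one space continues the line.
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):  # "attr:: value" carries base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.lstrip(" ")
        if name.lower() == "dn":
            dn = value
        # fullmatch: Python's "$" alone would also accept a trailing newline
        elif name.lower() == ATTR and not ALLOWED.fullmatch(value):
            bad.append((dn, value))
    return bad


if __name__ == "__main__":
    for dn, value in find_violations(SAMPLE_LDIF):
        print(f"{dn}: {value!r}")
```

On the sample it reports the lowercase `east` and the base64-encoded value that decodes to `CENTER` plus a trailing newline.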