
SLAPO-CONSTRAINT(5)           File Formats Manual           SLAPO-CONSTRAINT(5)

NAME
       slapo-constraint - Attribute Constraint Overlay to slapd

SYNOPSIS
       /etc/ldap/slapd.conf

DESCRIPTION
       The  constraint  overlay  is  used to ensure that attribute values match
       some constraints beyond basic LDAP syntax.  Attributes can have multiple
       constraints placed upon them, and all must be satisfied  when  modifying
       an attribute value under constraint.

       This  overlay  is intended to be used to force syntactic regularity upon
       certain string represented data which have well known  canonical  forms,
       like telephone numbers, post codes, FQDNs, etc.

       It  constrains  only LDAP add, modify and rename commands and only seeks
       to control the add and replace values of modify and rename requests.

       No constraints are applied for operations performed with the relax
       control set.

CONFIGURATION
       This slapd.conf option applies to the constraint overlay.  It should
       appear after the overlay directive.

       constraint_attribute <attribute_name>[,...] <type> <value> [<extra>
       [...]]
              Specifies the constraint which should apply to the
              comma-separated attribute list named as the first parameter.
              Six types of constraint are currently supported: regex,
              negregex, size, count, uri, and set.

              The parameter following the regex or negregex type is a Unix
              style regular expression (see regex(7)).  The parameter
              following the uri type is an LDAP URI.  The URI will be
              evaluated using an internal search.  It must not include a
              hostname, and it must include a list of attributes to evaluate.

              The parameter following the set type is a string that is
              interpreted according to the syntax in use for ACL sets.  This
              allows one to construct constraints based on the contents of
              the entry.

              The size type can be used to enforce a limit on an attribute
              length, and the count type limits the number of values of an
              attribute.

              Extra parameters can occur in any  order  after  those  described
              above.

              <extra> : restrict=<uri>

              This  extra  parameter  allows one to restrict the application of
              the corresponding constraint only to entries that match the base,
              scope and filter portions of the LDAP URI.  The base, if present,
              must be within the naming context of the database.  The scope  is
              only  used  when  the  base is present; it defaults to base.  The
              other parameters of the URI are not allowed.

       Any attempt to add or modify an attribute named as part of the
       constraint overlay specification which does not fit the constraint
       listed will fail with an LDAP_CONSTRAINT_VIOLATION error.

EXAMPLES
              overlay constraint
              constraint_attribute jpegPhoto size 131072
              constraint_attribute userPassword count 3
              constraint_attribute mail regex ^[[:alnum:]]+@mydomain[.]com$
              constraint_attribute mail negregex ^[[:alnum:]]+@notallowed[.]com$
              constraint_attribute title uri
                ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
              constraint_attribute cn,sn,givenName set
                "(this/givenName + [ ] + this/sn) & this/cn"
                restrict="ldap:///ou=People,dc=example,dc=com??sub?(objectClass=inetOrgPerson)"

       A specification like the above would reject any mail attribute which
       did not look like <alphanumeric string>@mydomain.com or that looks
       like <alphanumeric string>@notallowed.com.  It would also reject any
       title attribute whose values were not listed in the title attribute
       of any titleCatalog entries in the given scope.  (Note that the
       "dc=catalog,dc=example,dc=com" subtree ought to reside in a separate
       database, otherwise the initial set of titleCatalog entries could not
       be populated while the constraint is in effect.)  Finally, it requires
       the values of the attribute cn to be constructed by pairing values of
       the attributes sn and givenName, separated by a space, but only for
       entries derived from the objectClass inetOrgPerson.
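
       The shell sketch below is an added example, not part of the OpenLDAP
       manual page.  It dry-runs regex and negregex patterns against
       candidate values before they go into slapd.conf and shows that a mail
       pattern whose dot is left unescaped also accepts other characters in
       that position.  It assumes slapd evaluates the patterns as POSIX
       extended regular expressions (the dialect grep -E uses); matches,
       check_value, report and the sample values are constructed for this
       illustration.

```shell
#!/bin/sh
# Added example: dry-run regex/negregex constraint patterns with grep -E.
# Assumption: slapd evaluates them as POSIX extended regular expressions.

# matches VALUE PATTERN: true when PATTERN matches VALUE.
matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# check_value VALUE TYPE PATTERN [TYPE PATTERN ...]
# Returns 0 only when VALUE satisfies every listed constraint, as the overlay
# requires; 1 on a violation; 2 on a type this sketch does not emulate.
check_value() {
    value=$1
    shift
    while [ "$#" -ge 2 ]; do
        case $1 in
            regex)    matches "$value" "$2" || return 1 ;;
            negregex) if matches "$value" "$2"; then return 1; fi ;;
            *)        return 2 ;;
        esac
        shift 2
    done
    return 0
}

# Mail patterns: dot left unescaped versus dot as a bracket expression.
LOOSE_REGEX='^[[:alnum:]]+@mydomain.com$'
STRICT_REGEX='^[[:alnum:]]+@mydomain[.]com$'
NEG_REGEX='^[[:alnum:]]+@notallowed[.]com$'

# Constructed sample values, one per line.
SAMPLES='alice@mydomain.com
alice@mydomainXcom
a.lice@mydomain.com
bob@notallowed.com'

# report: print how each sample fares under the loose and strict pattern.
report() {
    for v in $SAMPLES; do
        loose=reject; strict=reject
        check_value "$v" regex "$LOOSE_REGEX" negregex "$NEG_REGEX" && loose=accept
        check_value "$v" regex "$STRICT_REGEX" negregex "$NEG_REGEX" && strict=accept
        printf '%-22s loose=%s strict=%s\n' "$v" "$loose" "$strict"
    done
    return 0
}

report
```

       The bracket expression [.] matches a literal dot without needing a
       backslash in the configuration file.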

FILES
       /etc/ldap/slapd.conf
              default slapd configuration file

SEE ALSO
       slapd.conf(5), slapd-config(5).

ACKNOWLEDGEMENTS
       This module was written in 2005 by Neil Dunbar of Hewlett-Packard and
       subsequently extended by Howard Chu and Emmanuel Dreyfus.  OpenLDAP
       Software is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>.  OpenLDAP Software is derived from the
       University of Michigan LDAP 3.3 Release.

OpenLDAP 2.6.10+dfsg-1             2025/05/22               SLAPO-CONSTRAINT(5)
