OpenLDAP Referential Integrity Overlay

2019-03-30

The OpenLDAP referential integrity overlay is used to keep attributes that refer to the DNs of other entries consistent when changes occur. If you are trying to make groups more manageable, consider using the memberOf overlay.

The referential integrity overlay will automatically modify or remove attributes if the entry they refer to is renamed or deleted. Suppose you have the overlay configured to update the manager attribute and you have the following two entries:

dn: uid=eve,ou=users,dc=tylersguides,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Eve
sn: Eavesdropper
uid: eve
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/eve
loginShell: /bin/sh
gecos: Eve Eavesdropper

dn: uid=mallory,ou=users,dc=tylersguides,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Mallory
sn: Malicious
uid: mallory
uidNumber: 5001
gidNumber: 5000
homeDirectory: /home/mallory
loginShell: /bin/sh
gecos: Mallory Malicious
manager: uid=eve,ou=users,dc=tylersguides,dc=com

If you were to delete uid=eve,ou=users,dc=tylersguides,dc=com, the overlay would remove the manager attribute from uid=mallory,ou=users,dc=tylersguides,dc=com. If you renamed the entry instead of deleting it, the overlay would update the manager attribute to the new DN.

Load the Module

Depending on your installation, you may need to load the refint module before the overlay can be configured.

See if you have any modules already loaded:

[root@ldap openldap]# slapcat -n 0 | grep olcModuleLoad
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}pw-sha2.la
[root@ldap openldap]# 

If the command above produces output, a module entry already exists; use ldapmodify to add refint.la to it:

[root@ldap ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.la

modifying entry "cn=module{0},cn=config"

Otherwise, use ldapadd. Replace the olcModulePath value with the module directory for your environment. If you aren't sure where your modules are located, consult the table below.

[root@ldap ~]# ldapadd -Y EXTERNAL -Q -H ldapi:///
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /opt/openldap-current/libexec/openldap
olcModuleLoad: refint.la

adding new entry "cn=module,cn=config"

OS                       PATH
CentOS 7                 /usr/lib64/openldap
openSUSE                 /usr/lib64/openldap
Debian (Stretch)         /usr/lib/ldap
Source (Default)         /usr/local/libexec/openldap
Source (Tyler's Guides)  /opt/openldap-current/libexec/openldap
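The module-loading decision above as a POSIX shell script (an added example, not code from the original post): it reads the slapcat output, emits the matching ldapmodify or ldapadd LDIF, skips the change when refint.la is already loaded, and confirms the load afterwards. The function names, the default module directory and the sample slapcat output are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): choose the ldapmodify or
# ldapadd path for loading refint.la from `slapcat -n 0 | grep olcModuleLoad`.
# Function names, the module directory and the sample output are assumptions.

# Emit the LDIF that loads refint.la, or return 1 (and print nothing)
# when refint.la is already loaded so the caller can skip the change.
# $1: captured output of `slapcat -n 0 | grep olcModuleLoad`
# $2: module directory, used only when no cn=module entry exists yet
refint_module_ldif() {
    loaded="$1"
    modpath="$2"
    if printf '%s\n' "$loaded" | grep -q 'olcModuleLoad: .*refint\.la$'; then
        return 1
    fi
    if printf '%s\n' "$loaded" | grep -q '^olcModuleLoad:'; then
        # A module entry exists (assumed to be cn=module{0}, as in the post):
        # append refint.la to it with ldapmodify.
        printf 'dn: cn=module{0},cn=config\n'
        printf 'changetype: modify\n'
        printf 'add: olcModuleLoad\n'
        printf 'olcModuleLoad: refint.la\n'
    else
        # No module entry yet: create one with ldapadd.
        printf 'dn: cn=module,cn=config\n'
        printf 'objectClass: olcModuleList\n'
        printf 'cn: module\n'
        printf 'olcModulePath: %s\n' "$modpath"
        printf 'olcModuleLoad: refint.la\n'
    fi
}

# Apply the change over ldapi:/// as root with SASL EXTERNAL, as in the post.
# Pass the module directory from the table above as $1.
refint_load() {
    modpath="${1:-/usr/lib64/openldap}"
    loaded=$(slapcat -n 0 | grep olcModuleLoad)
    if ! ldif=$(refint_module_ldif "$loaded" "$modpath"); then
        echo "refint.la is already loaded"
        return 0
    fi
    case "$ldif" in
        *'changetype: modify'*) printf '%s\n' "$ldif" | ldapmodify -Q -Y EXTERNAL -H ldapi:/// ;;
        *)                      printf '%s\n' "$ldif" | ldapadd -Q -Y EXTERNAL -H ldapi:/// ;;
    esac
    # Confirm the module is now listed before configuring the overlay.
    slapcat -n 0 | grep -q 'olcModuleLoad: .*refint\.la$'
}
```

Run `refint_load /usr/lib64/openldap` (or your directory from the table) as root on the LDAP server.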

Configure the Overlay

Add an entry to your configuration directory for each backend you wish to apply the overlay to. Again, replace the database DN (olcDatabase={1}mdb) and the olcRefintAttribute list with what is relevant to your environment.

[root@centos7 ~]# ldapadd -Q -Y EXTERNAL -H ldapi:///
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: manager secretary
olcRefintNothing: cn=config

adding new entry "olcOverlay=refint,olcDatabase={1}mdb,cn=config"

The table below explains the options available with the referential integrity overlay. All of the attributes are optional, but the overlay won't do anything unless you define at least olcRefintAttribute.

Attribute               Description
olcRefintAttribute      The attribute(s) the overlay will apply to. Each attribute must contain a distinguished name. There is no default.
olcRefintNothing        Used to prevent object class violations. Set it to the DN of an entry to use as a placeholder when the overlay removes the last value of a required attribute. There is no default.
olcRefintModifiersName  The DN to record in the modifiersName attribute when the overlay changes an entry. The default is cn=Referential Integrity Overlay.
