Unique Attribute Values

Sometimes you need the attribute value in an entry to be unique. For example, for email to work each user needs a unique email ID.
You can specify which attributes must have unique values, and you can also specify a subtree within which the specified attribute must have unique values. You can specify different subtrees for different attributes.
If you implement unique attributes, ensure the client applications can handle refusals when they add or modify attribute values that already exist.
How Unique Attribute Values Work
When a client application tries to update an attribute that is set to be unique, CA Directory checks that the attribute value is not already used.
If the value is used, an error message is sent back to the client application; otherwise the client request is confirmed.
Uniqueness Checks and Access Controls
Be careful when using unique attribute values for sensitive data.
When a DSA searches entries to determine if an attribute value is unique, the search bypasses access controls. This means that a user could write a client application to determine the unique values. If these are sensitive information, this may be a security issue.
If the scope of the subtree covers more than one DSA, the first DSA (DSA-A) sends the search to another DSA (DSA-B). DSA-B obeys access controls unless DSA-A has set the trust flag trust-DSA-triggered-operations. To allow DSA-B to bypass access controls, set this flag in the DSA-A knowledge and ensure that DSA-B shares DSA-A's knowledge.
Limitation: Uniqueness Is Not Enforced in Pre-existing Data
We recommend that you enable unique attributes only on empty directories or new attributes. This ensures uniqueness.
There is no DSA mechanism to find duplicates in existing directory data. Before you enable unique attributes on a running directory, you should check for duplicate attribute values.
If you load data using the DXloaddb tool, uniqueness is not enforced.
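Because the DSA offers no way to find existing duplicates, the check has to be done on exported data. The following Python script is an added example (not part of the CA Directory documentation) that scans a small LDIF export for duplicate values of an attribute within a subtree, mirroring the per-attribute subtree scoping of set unique-attrs; the DNs, attribute names and entries are constructed, and the simplified parser assumes an LDIF dump without continuation lines or base64 (::) values.

```python
from collections import defaultdict

# Constructed sample LDIF export; DNs and attribute values are assumptions, not real data.
SAMPLE_LDIF = """\
dn: cn=alice,ou=Users,o=Democorp,c=AU
mail: alice@example.com

dn: cn=bob,ou=Users,o=Democorp,c=AU
mail: bob@example.com

dn: cn=bob2,ou=Users,o=Democorp,c=AU
mail: Bob@Example.com

dn: cn=svc-mail,ou=Services,o=Democorp,c=AU
mail: alice@example.com
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; simplified: no continuation or base64 lines."""
    entry, dn = defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if dn:
                yield dn, dict(entry)
            entry, dn = defaultdict(list), None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            entry[key].append(value)
    if dn:                            # flush the last entry
        yield dn, dict(entry)

def in_subtree(dn, subtree):
    """Crude subtree test on string DNs: the entry DN ends with the subtree DN (case-insensitive)."""
    return dn.lower().endswith(subtree.lower())

def find_duplicates(ldif_text, attr, subtree=""):
    """Return {value: [dns]} for each value of attr used more than once inside subtree."""
    seen = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        if not in_subtree(dn, subtree):
            continue
        for value in attrs.get(attr.lower(), []):
            # Compared case-insensitively; assumed to match the attribute's matching rule.
            seen[value.lower()].append(dn)
    return {v: dns for v, dns in seen.items() if len(dns) > 1}
```

Run it against a full export before enabling unique-attrs on a running directory, once per attribute and subtree you intend to configure.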
Check for Attribute Value Uniqueness in a Subtree
You can extend checks for unique attributes to apply to all DSAs in an entire directory backbone.
Checks for uniqueness apply to any number of DSAs in a backbone as long as they are under the specified uniqueness subtree.
Attribute value uniqueness cannot be guaranteed in a distributed environment, because multiple DSAs can be updated at the same time. However, this is a slim window.
To check for attribute value uniqueness in a subtree
  1. (Optional) Define the subtree within which the attributes must be unique using the following command:
    set unique-attrs-subtree = DN;
  2. Define the unique attributes using the following command:
    set unique-attrs = attribute [subtree = DN] [,attribute [subtree = DN]] [...] ;
    This command lets you specify which subtree each attribute should be unique within, but this is optional.
    If you do not set these subtrees here or in the set unique-attrs-subtree command, attributes are unique within the local prefix.
  3. (Optional) Set the trust flag trust-DSA-triggered-operations in the knowledge of the DSA. Then, if the search extends to another DSA, that DSA bypasses access controls when it performs the uniqueness check.
List the Unique Attributes in a DSA
To list the unique attributes in a DSA
  1. Use Telnet to connect to the DSA that contains the unique attributes.
  2. Enter the following command:
    get user;
    The output lists the DSA's configuration, including any unique attributes.