Referential Integrity

A directory entry has referential integrity if all DNs in the entry are valid, that is, point to other, existing, entries.

CA Directory provides a way to help enforce referential integrity. You can ensure that when an entry is deleted, all existing references to that entry are also deleted. This method is called direct referential integrity, and is equivalent to the cascade delete rule for databases. It helps keep the directory clear of dangling references, that is, references that point nowhere.

You can also ensure that when an entry is deleted, attributes in other entries that use a common value (rather than a DN) to identify the deleted entry are also deleted. This is called indirect referential integrity, and is useful if the directory uses non-DN attribute values to link different entries.

You enable referential integrity by creating one or more referential integrity rules in a DSA. A referential integrity rule specifies:

The referential integrity search begins only after the DSA has deleted the specified entry, so after an entry is deleted, there is a short time during which an entry containing a dangling reference is available to a user. Therefore, the CA Directory implementation does not guarantee referential integrity.

The CA Directory implementation of referential integrity is designed to be a tool that is used as required. It does not itself enforce referential integrity in all cases. The following constraints apply:

Example: Direct Referential Integrity

Assume a directory contains an entry (for example, Sales) that has a Member attribute, where Member contains user DNs.

A direct referential integrity rule can ensure that when a user entry is deleted, the DSA automatically deletes that user's DN from the value of the Member attribute in Sales.

Example: Indirect Referential Integrity

Assume that each user contains an attribute UserID, and also that Sales has a UserID attribute, where UserID contains userIDs. This is similar to the previous example, with the difference that here, UserID contains userIDs instead of user DNs.

An indirect referential integrity rule can ensure that when a user entry is deleted, the DSA automatically deletes that user's ID from the value of the UserID attribute in Sales.
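The two examples above, together with the window between the delete and the referential integrity search, modelled in Python as an added example. It is not CA Directory code or configuration syntax. The DNs, the `u100`/`u200` values and all function names are constructed for illustration.

```python
# Added illustration: a toy in-memory directory. It is not CA Directory code,
# and DN handling is simplified (case-insensitive compare, no escaped commas).

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def sample_directory():
    """Constructed sample data: two users and the Sales entry from the examples."""
    alice, bob = "cn=Alice,ou=Users,o=Example", "cn=Bob,ou=Users,o=Example"
    return {
        norm(alice): {"UserID": ["u100"]},
        norm(bob): {"UserID": ["u200"]},
        norm("cn=Sales,ou=Groups,o=Example"): {
            "Member": [alice, bob],
            "UserID": ["u100", "u200"],
        },
    }

def delete_entry(directory, dn):
    """Step 1: the entry is deleted; references to it still exist."""
    return directory.pop(norm(dn))

def apply_rules(directory, dn, removed, dn_attr="Member", key_attr="UserID"):
    """Step 2: the search that runs after the delete. Returns values removed."""
    count = 0
    keys = set(removed.get(key_attr, []))
    for attrs in directory.values():
        # Direct rule: drop DN values that point at the deleted entry.
        kept = [v for v in attrs.get(dn_attr, []) if norm(v) != norm(dn)]
        # Indirect rule: drop non-DN values that identified the deleted entry.
        kept_keys = [v for v in attrs.get(key_attr, []) if v not in keys]
        count += len(attrs.get(dn_attr, [])) - len(kept)
        count += len(attrs.get(key_attr, [])) - len(kept_keys)
        if dn_attr in attrs:
            attrs[dn_attr] = kept
        if key_attr in attrs:
            attrs[key_attr] = kept_keys
    return count

def dangling_dns(directory, dn_attr="Member"):
    """Audit: (holder, value) pairs whose DN value points at no existing entry."""
    return [(holder, v) for holder, attrs in directory.items()
            for v in attrs.get(dn_attr, []) if norm(v) not in directory]

if __name__ == "__main__":
    d = sample_directory()
    target = "cn=Alice,ou=Users,o=Example"
    removed = delete_entry(d, target)
    print("during the window:", dangling_dns(d))
    print("values removed:", apply_rules(d, target, removed))
    print("after the search:", dangling_dns(d))
```

Running `dangling_dns` on its own against exported directory data is a way to audit for references that were left behind.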

More information:

Alias Integrity

set referential-integrity Command