Valentin's Lab » openldap

inconsistent duplicate attribute mailhost

vaab — Sun, 10 Apr 2011 22:08:04 +0000

Adding a new schema in LDAP can give you headache. I've the cure for this one:

Inconsistent duplicate attributeType: "mailHost"

This is due to a new misc.schema that is now default in Ubuntu Lucid at least (and maybe other distribution) and defines a mailhost attribute.

You'll encounter this error when trying to add another schema defining this same attribute. I have a mail.schema comming from Mandriva Directory Server, which tries to do so. And a small google reveals that qmail.schema has similar problem.

2 solutions:

Either remove the attribute from your new schema by deleting the attribute entry in the schema file and remove any reference to mailhost anywhere it appears in the file. I wouldn't recommend this.
Either remove the misc.schema from your ldap server. Cross fingers that it isn't used too much ;)

Et voilà !

Import / Export ldap database

vaab — Wed, 10 Mar 2010 08:22:52 +0000

Importing data to LDAP server didn't sound obvious for me, so here's how to import / export ldap database. This is usefull if you want to migrate your LDAP database from one server to another.

Export

Export seems quite easy and well-known:

# slapcat

This will dump (if run as root user) the complete ldap database information on stdout.

You can use this command to make backups of your OpenLDAP database, for example:

# slapcat | bzip2 > mybase.ldif.bz2

This solution is not optimum because of the existence of structural attributes in the slapcat dump.

Structural Attributes

slapcat output contains all the LDAP database including some structural information as values associated to attribute modifyTimestamp, createTimestamp, creatorsName (and so on ...). These are set automatically by the ldap subsystem when you add/modify info in the ldap database, and thus cannot be set directly. These are similar to meta information stored by filesystems for each files (user, group, permissions, date of creation ...).

Stripping structural attributes

Applying output of a slapcat output directly to ldapadd will issue this error message (as of openldap 2.4.15):

# cat mybase.ldif | ldapadd -D cn=admin,dc=example,dc=org -W
Enter LDAP Password:
adding new entry "dc=example,dc=org"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed

This error message simply states that the attribute structuralObjectClass is not to be modified by any user (even administrator).

These structural information do not carry any information you've stored in the LDAP, so they can be stripped away without any second thought.

Here's how to create a dump stripped out from its structural information:

slapcat |
    egrep -v  "^(structuralObjectClass|entryUUID|creatorsName|modifiersName|createTimestamp|modifyTimestamp|entryCSN):" |
    bzip2 > mybase.ldif.bz2

Note: this egrep filter works because all stripped entries are one-liners.

Import

Once stripped, the import is quite simple:

# cat mybase.ldif | \
    ldapadd -D cn=admin,dc=example,dc=org -W

Deleting duplicates

If you have already some entries, you might end up with this error message when trying to import data with the previous command:

adding new entry "dc=example,dc=org"
ldap_add: Already exists (68)

You might want to overwrite all existing data with the imported values. You should probably think about removing all previous data with:

# ldapdelete -r -D cn=admin,dc=example,dc=org dc=example,dc=org -W

This should recursively (thanks to the -r option) delete all entries in dc=example,dc=org.

That's all you should need to know to import your ldap database.

How to add a schema in OpenLDAP 2.4

vaab — Sat, 06 Mar 2010 17:23:49 +0000

In version prior to 2.4, administrators were used to configure slapd through its /etc/ldap/slapd.conf. That was good ol' time.

Since version 2.4, slapd configuration is stored right in itself !. This may sound as a good idea, but is really unpractical: administrators needs to really master LDAP now to configure slapd: use ldapmodify/ldapsearch/ldapadd, or delve into some LDIF files. Also, simple tasks (as adding a schema definition to the server) are now quite tedious. Although the complete configuration is accessible as ldif files, I concider ldif file format as XML: it's way too verbose and tedious to read and be maintained by a human being. And above all, it's yet another language to master.

In last Ubuntu as of 2010-03-06, this change was not correctly reported in LDAP servers documentation. These are 2 bug reports on this issue: Bug #463684, Bug #442498. A quick glance to these bug reports will show you that this changement is a great source of distress for a lot of casual administrators (as I am).

The last documentation from Ubuntu has not explained the changes and is not that clear.

EDIT (2012-01-05): the last link have now some valuable information despite the fact that it seems not anymore maintained. I would rather hint towards the community help site page on OpenLDAP of ubuntu, which seems a natural and well documented point to get information.

What is the reason behind this change ?

First, openldap changed it's default way to store configuration files. The idea is simple: The configuration is stored in a SEPARATE ldap database identified by the prefix "cn=config". And you'll be able to declare separate databases with different credentials, or backend (bdb or hdb for instance).

With this new way of using the configuration, you can make changes to configuration without restarting slapd.

This thread post is quite clear on what is going at Ubuntu around OpenLDAP.

How to use the config database ?

The configuration database does not need any password for root system user on local connection. You can see its content with ldapsearch this way:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

Note

if you are on ubuntu, ldapsearch is available in ldap-utils package.

This database contains roughly:

some basic slapd daemon configuration parameters (pid file, loglevel ...)
loaded schemas
and databases configuration

To make addition to this database you'll need to inject ldif files for example through ldapadd:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f file.ldif

Or, better, use tool like ldapvi

sudo ldapvi -h ldapi:/// -D cn=config -Y EXTERNAL -b cn=config

You'll need to make additions/modifications to this database to:

add new schemas
add new databases (and you'll require to create at least one database)
add indexes to databases
modify LogLevel
...

How to add a new schema ?

This is the common way to add a schema:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

How to add a new database ?

The following method will require that nis schema was loaded as it defines rule on the shadowLastChange attribute that is defined in this schema.

Then copy-paste this code into a ldif file /tmp/database.ldif:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

You should change:

dc=example,dc=com with your own prefix
'secret' value of olcRootPW should be updated by your password.

EDIT (2012-01-05): You will have to remove the first part about loading the hdb module if you are in recent ubuntu installation, as it is already loaded, and will trigger a fatal error preventing the following ldapadd command to work as expected.

EDIT (2013-12-30): An existing database was created by ubuntu before installation and can spew very annoying error message and block slapcat. Unfortunately, you can't delete it with ldapvi. The best way I found was to stop slapd, then cd /etc/ldap/slapd.d/cn=config, remove olcDatabase={1}hdb.ldif file, and relaunch slapd. Please check that content of the file removed is the one mentionning nodomain.

Once you've created this file, you can add your new database with:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/database.ldif

You can then remove /tmp/database.ldif.

Notice that slapcat should work only after having configured a database. Without any database you'll get this error:

$ slapcat
Available database(s) do not allow slapcat

Because cn=config database doesn't allow slapcat and no other database has been configured.