Ldap – Unable to modify schema in OpenLDAP using run-time configuration cn=config


I'm having trouble modifying the schema of an OpenLDAP installation using the run-time configuration (cn=config). What I'm trying to do is modify existing attributes and add new ones to a custom schema. The error I'm getting when I try to apply the changes is "no such object" or "no such value." When using the JXplorer browser, the error is:

javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn={15}mySchema,cn=schema,cn=config'

Using ldapmodify on an ldif file from the command line throws the same error:

ldapmodify -h ldap://localhost/cn=config -x -p 389 -D cn=admin,cn=config -W -f modify.ldif
modifying entry "cn={15}mySchema,cn=schema,cn=config"
ldap_modify: No such object (32)

What's odd, though, is that even though this error occurs, the changes are committed for the current instance of the slapd service. E.g., if I added new attributes and modified an object to include those attributes, then those attributes are available in the entries that use that object. I can proceed as if the changes worked. If the slapd service is restarted, however, the changes are reverted.

If I remove the leading {15} of the DN in the ldif file, or the similar prefix on the attribute value, I get the same error (though probably for a different reason):

modifying entry "cn=mySchema,cn=schema,cn=config"
ldap_modify: No such object (32)
        matched DN: cn=schema,cn=config

What's more, I can modify the other entries of cn=config (e.g., olcDatabase={-1}frontend,cn=config) without issue, and changes persist across service restarts. It is only when I try to modify the entries under cn=schema,cn=config that the error occurs.

The server is running CentOS 6.2, 64-bit, using OpenLDAP 2.4.23, which was installed via yum. I've tried multiple browsers (JXplorer, Softerra LDAP Administrator), as well as the command line, all with the same results. The owner/group of the slapd.d directory is ldap/ldap, and there is no change even when the permissions of the schema files are modified to 777. Using TLS over port 636 (either browser or command line) also has no effect.

Can anyone shed some light on this and explain what could be preventing me from modifying the schema through cn=config?

EDIT: Here is the contents of modify.ldif:

dn: cn={15}mySchema,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.00000.2.3.14 NAME 'myTest' DESC 'This is only a test' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

We are using our company PEN in place of 00000, and no other attribute is using that OID. I found that adding a numerical prefix to the attribute value doesn't make a difference, but the prefix is necessary for the DN; without it, the error means what it says and the directory is not modified.

Best Answer

If there are other olcAttributeTypes in the entry, then you have to do a replace, not an add, and list all the other attributes already in LDAP.

Try using ldapvi for editing; it will do this automatically.

EDIT: If that doesn't work, then you'll need to stop slapd and edit the files in /etc/ldap/slap.d/ manually. That certainly isn't a solution when changes are needed relatively often...

Editing the schema in cn=config is a new feature; you may have found a bug (possibly already fixed in the newest version). Check the OpenLDAP ChangeLog and try using the newest version.
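One way to produce the replace-style modify LDIF the accepted answer describes, as an added example that is not part of the question or the answer: it takes an ldapsearch dump of the schema entry, unfolds the LDIF continuation lines, and emits a modify that keeps every existing olcAttributeTypes value and appends the new one under the next {N} index. The sample entry, the 99999 PEN, and the ldapsearch invocation in the comment are constructed for the example.

```shell
#!/bin/sh
# Added example: build a "replace: olcAttributeTypes" modify LDIF from an
# ldapsearch -LLL dump of the schema entry, keeping every existing value and
# appending the new one with the next {N} ordering index. It does not touch
# the directory; review the output, then feed it to ldapmodify yourself.

unfold_ldif() {
    # Join LDIF continuation lines (leading space) back onto the value line.
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) printf "\n"; printf "%s", $0 }
         END { printf "\n" }'
}

build_replace_ldif() {
    # $1: the new attributeType definition, without an {N} prefix
    unfold_ldif | awk -v newdef="$1" '
        /^dn: / { dn = substr($0, 5) }
        /^olcAttributeTypes: / { vals[n++] = substr($0, 20) }
        END {
            print "dn: " dn
            print "changetype: modify"
            print "replace: olcAttributeTypes"
            for (i = 0; i < n; i++) print "olcAttributeTypes: " vals[i]
            print "olcAttributeTypes: {" n+0 "}" newdef   # indices start at {0}
            print "-"
        }'
}

# Constructed sample of what "ldapsearch -LLL -b cn={15}mySchema,cn=schema,cn=config"
# might return; 99999 stands in for a real PEN, and the values are folded
# onto continuation lines the way ldapsearch prints them.
sample_schema_ldif() {
    cat <<'EOF'
dn: cn={15}mySchema,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {15}mySchema
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.2.3.1 NAME 'myFirst' DESC 'constru
 cted sample' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.99999.2.3.2 NAME 'mySecond' EQUALITY cas
 eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
EOF
}

demo() {
    sample_schema_ldif | build_replace_ldif \
      "( 1.3.6.1.4.1.99999.2.3.14 NAME 'myTest' DESC 'This is only a test' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )"
}

demo
```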