
RE: [EXTERNAL] Incosistent config after schema modification



To replace individual values of a multi-valued attribute you must explicitly delete the old value and then add the new one in the same transaction. You cannot use a replace operation to replace individual values of a multi-valued attribute. The replace operation removes all pre-existing values. After loading your ldif your custom schema will only contain the 3 attributes included in your ldif. All of your other custom attributes will be gone.

At this point you will need to create and load a new ldif that will add all of the missing attribute definitions. When I modify a custom schema I use the replace operation but my ldif contains all of the object class and attribute type definitions related to that schema. This way the schema can be maintained as a versioned artifact in my version control system.

JON C KIDDER | MIDDLEWARE ADMINISTRATOR LEAD
JCKIDDER@AEP.COM | D:614.716.4970
1 RIVERSIDE PLAZA, COLUMBUS, OH 43215
-----Original Message-----
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Ervin Hegedüs
Sent: Wednesday, January 10, 2018 10:17 AM
To: openldap-technical@openldap.org
Subject: [EXTERNAL] Incosistent config after schema modification

Hi there,

here is a 3-member multimaster config with OpenLDAP 2.4.44 (Debian 9.3).

We need a custom schema, so I've made that - everything has worked well, but the customer said he needs to modify some attribute type in the new custom schema.

I've made an ldif:

dn: cn={5}cppm,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: {0}( cppmAttrs:1 NAME 'cppmCreateTime' DESC 'Create time'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{20} SINGLE-VALUE )
olcAttributeTypes: {5}( cppmAttrs:6 NAME 'cppmExpireTime' DESC 'Expire time'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{20} SINGLE-VALUE )
olcAttributeTypes: {7}( cppmAttrs:8 NAME 'cppmActivationTime' DESC 'Activation time'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{20} SINGLE-VALUE )

# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn={5}cppm,cn=schema,cn=config"

Then I wanted to add this new objectclass to a member of the tree, but I got an error:

"cppmDomainName: attribute type undefined"

but - of course - I've added this attribute to the original schema.

So, I'd like to back up the config database, but slapcat said:

# slapcat -b cn=config
5a562aa7 olcObjectClasses: value #0 olcObjectClasses: AttributeType not found: "cppmVisitorCompany"
5a562aa7 config error processing cn={5}cppm,cn=schema,cn=config: olcObjectClasses: AttributeType not found: "cppmVisitorCompany"
slapcat: bad configuration file!


What's happened? What am I doing wrong? And what should I do now?


Thanks,


a.
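
The replace behaviour described in the reply, as an added example that is not part of the original thread: a Python pre-flight check that models standard LDAP modify semantics (it is not slapd's own code) and lists which attribute types a change record would drop from the schema entry. The current schema contents, the ids 2 and 3, and all helper names are constructed for illustration; deletes are assumed to quote the old value in full.

```python
import re

def parse_modify(ldif):
    """Return [(op, attr, [values])] for one 'changetype: modify' LDIF record."""
    lines, ops = [], []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # LDIF continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        key, _, val = line.partition(":")
        if key in ("add", "delete", "replace"):
            ops.append((key, val.strip(), []))
        elif ops and key == ops[-1][1]:
            ops[-1][2].append(val.strip())
    return ops

def name_of(value):
    return re.search(r"NAME\s+'([^']+)'", value).group(1)

def apply_ops(current, ops, attr="olcAttributeTypes"):
    """Apply LDAP modify semantics to {NAME: definition}; deletes quote the old value."""
    result = dict(current)
    for op, target, values in ops:
        if target != attr:
            continue
        if op == "replace" or (op == "delete" and not values):
            result = {}                      # all pre-existing values are removed
        for v in values:
            if op == "delete":
                result.pop(name_of(v), None)
            else:
                result[name_of(v)] = v
    return result

def lost(current, ldif):
    """NAMEs defined before the change that are missing after it."""
    return sorted(set(current) - set(apply_ops(current, parse_modify(ldif))))

# Constructed sample data: NAMEs and ids 1, 6, 8 are from the thread; everything else is invented.
def attr_type(num, name, size=""):
    return "( cppmAttrs:%d NAME '%s'\n  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15%s SINGLE-VALUE )" % (num, name, size)
IDS = {"cppmCreateTime": 1, "cppmDomainName": 2, "cppmVisitorCompany": 3, "cppmExpireTime": 6, "cppmActivationTime": 8}
CURRENT = {n: attr_type(i, n).replace("\n ", "") for n, i in IDS.items()}
CHANGED = ["cppmCreateTime", "cppmExpireTime", "cppmActivationTime"]
HEAD = "dn: cn={5}cppm,cn=schema,cn=config\nchangetype: modify\n"
REPLACE = HEAD + "replace: olcAttributeTypes\n" + "".join(
    "olcAttributeTypes: %s\n" % attr_type(IDS[n], n, "{20}") for n in CHANGED)
DELETE_ADD = HEAD + "-\n".join(
    "delete: olcAttributeTypes\nolcAttributeTypes: %s\n-\nadd: olcAttributeTypes\nolcAttributeTypes: %s\n"
    % (CURRENT[n], attr_type(IDS[n], n, "{20}")) for n in CHANGED)
```

Running lost(CURRENT, REPLACE) reports the two attribute types that the error messages in the thread complain about, while lost(CURRENT, DELETE_ADD) reports none.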