After upgrading from 2.4.x, x<43, to 2.4.43, with a typical configuration, slapd would report errors, and not return data:

Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: Checking config dir /etc/openldap/slapd.d/: [FAILED]
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: 5683e74a config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config:
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: 5683e74a send_ldap_result: err=32 matched="" text=""
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: slaptest: bad configuration directory!
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com slapd[14411]: config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config:
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com slapd[14419]: slapd starting

[root@buchan-laptop ~]# ldapsearch 2>/dev/null|tail -n3
result: 32 No such object
# numResponses: 1
[root@buchan-laptop ~]#

Searching for the error yields among others:
http://www.openldap.org/its/index.cgi/Incoming?id=8326;selectid=8326

In order to address this, I had to:

[root@buchan-laptop ~]# slapcat -n0 -l /tmp/slapd-config.ldif
5683e79d config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config:
[root@buchan-laptop ~]# rm -Rf /etc/openldap/slapd.d/*
[root@buchan-laptop ~]# slapadd -c -F /etc/openldap/slapd.d -n0 -l /tmp/slapd-config.ldif
slapadd: could not add entry dn="cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config" (line=2476): 5683e917 User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
slapadd: could not add entry dn="olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config" (line=3588):
_#################### 100.00% eta none elapsed none fast!
Closing DB...
[root@buchan-laptop ~]# slapadd -c -F /etc/openldap/slapd.d -n0 -l /usr/share/openldap/schema/ppolicy.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
[root@buchan-laptop ~]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@buchan-laptop ~]# systemctl start slapd

That fixed it:

[root@buchan-laptop ~]# ldapsearch 2>/dev/null|tail -n3
# numResponses: 229
# numEntries: 228
[root@buchan-laptop ~]#

For users using cn=config, we probably need to see if we can fix this on upgrades, or at least cover it in release notes. Users using slapd.conf should not be affected (as they should be using the provided ppolicy.schema).
(In reply to Buchan Milne from comment #0)
> After upgrading from 2.4.x, x<43, to 2.4.43, with a typical configuration,
> slapd would report errors, and not return data:
>

Assigning to you, since you're the maintainer, but also CC'ing some others who've touched openldap and might want to help with openldap-2.4.43
CC: (none) => jani.valimaa, luigiwalser, mageia, mageia, marja11
Assignee: bugsquad => bgmilne
Source RPM: (none) => openldap
How were you even able to test this? 2.4.43 doesn't build.
CC: jani.valimaa => (none)
The original summary was:
"OpenLDAP upgrade from 2.4.42 to 2.43 (Mageia 5 to cauldron or Mageia 6): config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config"

However, due to the last comment on the ITS referenced above, I am changing it to:
OpenLDAP upgrades using cn=config/back-config need to update schemas before becoming the default (over slapd.conf)

We should address this, or ensure it is addressed permanently upstream, before switching to cn=config/back-config by default.

(We do, as a mitigation, export the config using slapcat in %pre, but importing it in %post may not be desirable or sufficient)
Status: NEW => ASSIGNED
Summary: OpenLDAP upgrade from 2.4.42 to 2.43 (Mageia 5 to cauldron or Mageia 6): config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config => OpenLDAP upgrades using cn=config/back-config need to update schemas before becoming the default (over slapd.conf)