https://bugs.openldap.org/show_bug.cgi?id=10369
Issue ID: 10369
Summary: Error when trying to modify the olcDbCheckpoint attr: 'olcMultiProvider' cannot have multiple values
Product: OpenLDAP
Version: 2.6.10
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: elecharny@apache.org
Target Milestone: ---

When trying to modify the olcDbCheckpoint, I get an error on the olcMultiProvider attribute.
Here are the logs I get:
juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=3 MOD dn="olcDatabase={3}mdb,cn=config"
juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=3 MOD attr=olcDbCheckpoint
juil. 17 13:03:32 openldap1 slapd[17224]: slap_get_csn: conn=1012 op=3 generated new csn=20250717130332.671384Z#000000#00b#000000 manage=1
juil. 17 13:03:32 openldap1 slapd[17224]: slap_queue_csn: queueing 0x7f02cc104b80 20250717130332.671384Z#000000#00b#000000
juil. 17 13:03:32 openldap1 slapd[17224]: Entry (olcDatabase={3}mdb,cn=config), attribute 'olcMultiProvider' cannot have multiple values
juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=3 RESULT tag=103 err=19 qtime=0.000008 etime=0.000185 text=attribute 'olcMultiProvider' cannot >
juil. 17 13:03:32 openldap1 slapd[17224]: slap_graduate_commit_csn: removing 0x7f02cc104b80 20250717130332.671384Z#000000#00b#000000
juil. 17 13:03:32 openldap1 slapd[17224]: conn=1012 op=4 UNBIND
Here is the content of the olcDatabase={3}mdb,cn=config entry:
"olcDatabase={3}mdb,cn=config", {
  "objectClass":[
    "olcDatabaseConfig",
    "olcMdbConfig"
  ],
  "olcDatabase":"{3}mdb",
  "olcDbDirectory":"/usr/local/openldap/data/worteks/",
  "olcSuffix":[
    "o=service,o=worteks"
  ],
  "olcAccess":[
    "{0}to * by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn="uid=repl,ou=security,o=service,o=worteks" read by anonymous auth by * none break",
    "{1}to attrs=userPassword by * none",
    "{2}to dn.subtree="ou=security,o=service,o=worteks" by * none",
    "{3}to * by * none"
  ],
  "olcAddContentAcl":true,
  "olcLimits":[
    "{0}dn="uid=repl,ou=security,o=service,o=worteks" size=unlimited time=unlimited",
    "{1}dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size=unlimited time=unlimited"
  ],
  "olcRootDN":"cn=admin,o=service,o=worteks",
  "olcRootPW":"secret",
  "olcSyncrepl":[
    "{0}rid=012 provider=ldap://openldap1:10389 binddn="uid=repl,ou=security,o=service,o=worteks" bindmethod=simple credentials="secret" searchbase="o=service,o=worteks" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" type=refreshAndPersist retry="5 +" timeout=1 syncdata=accesslog",
    "{1}rid=011 provider=ldap://openldap2:10389 binddn="uid=repl,ou=security,o=service,o=worteks" bindmethod=simple credentials="secret" searchbase="o=service,o=worteks" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" type=refreshAndPersist retry="5 +" timeout=1 syncdata=accesslog"
  ],
  "olcMultiProvider":true,
  "olcDbCheckpoint":"1024 1",
  "olcDbNoSync":true,
  "olcDbIndex":[
    "entryUUID eq",
    "objectClass eq",
    "entryCSN eq",
    "uid eq",
    "mailboxServiceIMAP eq",
    "mailboxServicePOP eq",
    "mailPrimaryAddress eq",
    "mailAlternativeAddress eq",
    "mailboxHiddenAlias eq"
  ],
  "olcDbMaxSize":137438953472
}
In this context, I'm trying to modify the incorrect olcDbCheckpoint value from '1024 1' to '0 1', and the olcMultiProvider has only one value.
--- Comment #1 from elecharny@apache.org ---
As a matter of fact, when I try to delete the olcMultiProvider from the configuration, it does not get deleted, I have to delete it twice. However:
* If I delete it once, I can modify the olcDbCheckpoint value, but the OlcMultiProvider attribute is still present
* If I delete it twice, I can also modify the olcDbCheckpoint value.
It's pretty much as if there are 2 values for the olcMultiProvider attribute.
--- Comment #2 from elecharny@apache.org ---
Ok, so basically the olcMultiProvider attribute is declared twice in the slapd.d/cn=config/olcDatabase={3}mdb.ldif file:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 faa42c6c
dn: olcDatabase={3}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {3}mdb
olcDbDirectory: /usr/local/openldap/data/worteks/
olcSuffix: o=service,o=worteks
olcAccess: {0}to * by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=a
 uth" read by dn="uid=repl,ou=security,o=service,o=worteks" read by anonymous 
 auth by * none break
olcAccess: {1}to attrs=userPassword by * none
olcAccess: {2}to dn.subtree="ou=security,o=service,o=worteks" by * none
olcAccess: {3}to * by * none
olcAddContentAcl: TRUE
olcLimits: {0}dn="uid=repl,ou=security,o=service,o=worteks" size=unlimited tim
 e=unlimited
olcLimits: {1}dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" siz
 e=unlimited time=unlimited
olcRootDN: cn=admin,o=service,o=worteks
olcRootPW:: c2VjcmV0
olcSyncrepl: {0}rid=012 provider=ldap://openldap1:10389 binddn="uid=repl,ou=se
 curity,o=service,o=worteks" bindmethod=simple credentials="secret" searchbase
 ="o=service,o=worteks" logbase="cn=accesslog" logfilter="(&(objectClass=audit
 WriteObject)(reqResult=0))" type=refreshAndPersist retry="5 +" timeout=1 sync
 data=accesslog
olcSyncrepl: {1}rid=011 provider=ldap://openldap2:10389 binddn="uid=repl,ou=se
 curity,o=service,o=worteks" bindmethod=simple credentials="secret" searchbase
 ="o=service,o=worteks" logbase="cn=accesslog" logfilter="(&(objectClass=audit
 WriteObject)(reqResult=0))" type=refreshAndPersist retry="5 +" timeout=1 sync
 data=accesslog
olcMultiProvider: TRUE     <----------Here
olcDbCheckpoint: 1024 1
olcDbNoSync: TRUE
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: uid eq
olcDbIndex: mailboxServiceIMAP eq
olcDbIndex: mailboxServicePOP eq
olcDbIndex: mailPrimaryAddress eq
olcDbIndex: mailAlternativeAddress eq
olcDbIndex: mailboxHiddenAlias eq
olcDbMaxSize: 137438953472
olcMultiProvider: TRUE     <----------And here again
So it's a config error, and the error message I get is normal. Still, the slapd.d config is read and applied as is, and the server starts, but it has internally loaded the value twice!
Still a bug, but the workaround is clear: don't mess with the original config...
--- Comment #3 from elecharny@apache.org ---
Some more comment: The config is injected through a slapadd based on a flat config file:

dn: olcDatabase={3}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {3}mdb
olcDbDirectory: /usr/local/openldap/data/worteks/
olcSuffix: o=service,o=worteks
olcAccess: {0}to * by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn="uid=repl,ou=security,o=service,o=worteks" read by anony
 mous auth by * none break
olcAccess: {1}to attrs=userPassword by * none
olcAccess: {2}to dn.subtree="ou=security,o=service,o=worteks" by * none
olcAccess: {3}to * by * none
olcAddContentAcl: TRUE
olcLimits: {0}dn="uid=repl,ou=security,o=service,o=worteks" size=unlimited time=unlimited
olcLimits: {1}dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size=unlimited time=unlimited
olcRootDN: cn=admin,o=service,o=worteks
olcRootPW: secret
olcMultiProvider: TRUE
olcDbCheckpoint: 1024 1
olcDbNoSync: TRUE
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: uid eq
olcDbIndex: mailboxServiceIMAP eq
olcDbIndex: mailboxServicePOP eq
olcDbIndex: mailPrimaryAddress eq
olcDbIndex: mailAlternativeAddress eq
olcDbIndex: mailboxHiddenAlias eq
olcDbMaxSize: 137438953472
olcMirrorMode: TRUE
structuralObjectClass: olcMdbConfig
entryUUID: fba8341e-d724-103f-8366-85552694bbcc
creatorsName: cn=admin,cn=config
createTimestamp: 20250606132204Z
olcSyncrepl: {0}rid=012 provider=ldap://openldap1:10389 binddn="uid=repl,ou=security,o=service,o=worteks" bindmethod=simple credentials="secret" searc
 hbase="o=service,o=worteks" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" type=refreshAndPersist retry="5 +" timeo
 ut=1 syncdata=accesslog
olcSyncrepl: {1}rid=011 provider=ldap://openldap2:10389 binddn="uid=repl,ou=security,o=service,o=worteks" bindmethod=simple credentials="secret" searc
 hbase="o=service,o=worteks" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" type=refreshAndPersist retry="5 +" timeo
 ut=1 syncdata=accesslog
entryCSN: 20250606143335.493116Z#000000#00b#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20250606143335Z
As we can see, the MultiProvider attribute is present only once, so I suppose the injection of this entry generates the double olcMultiProvider value.
So I correct the previous comment: the original config was proper, injecting it with slapadd incorrectly injected the olcMultiProvider twice.
--- Comment #4 from Howard Chu hyc@openldap.org ---
(In reply to elecharny from comment #3)
> Some more comment: The config is injected through a slapadd based on a flat config file:
> As we can see, the MultiProvider attribute is present only once, so I suppose the injection of this entry generates the double olcMultiProvider value.
> So I correct the previous comment: the original config was proper, injecting it with slapadd incorrectly injected the olcMultiProvider twice.
No, the config is invalid.
slapadd should have rejected it. You have both olcMultiProvider and olcMirrorMode, which is just the old name of the olcMultiprovider attribute. It's still accepted as an alias. I think this means our checks for attribute uniqueness are fooled by using alternate names of attributes; that will have to be examined.
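Added example, not part of the bug report or of OpenLDAP's code: a pre-flight check for cn=config LDIF that resolves attribute aliases before counting values, so the olcMirrorMode/olcMultiProvider pair described in comment #4 is caught before slapadd runs. The alias table and the single-valued set hold only what this thread states, the function names are hypothetical, and the sample LDIF is constructed.

```python
# Only the alias and single-valued attribute named in this thread, lower-cased; extend as needed.
ALIASES = {"olcmirrormode": "olcmultiprovider"}
SINGLE_VALUED = {"olcmultiprovider"}

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; unfolds continuation lines, values kept raw."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # a fold drops exactly one leading space
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn, attrs = value.strip(), []
            else:
                attrs.append((name, value.strip()))
    return entries

def alias_collisions(text):
    """Single-valued attributes that gain extra values once aliases are resolved."""
    findings = []
    for dn, attrs in parse_ldif(text):
        seen = {}
        for name, _ in attrs:
            key = ALIASES.get(name.lower(), name.lower())
            seen.setdefault(key, []).append(name)
        findings += [(dn, key, names) for key, names in seen.items()
                     if key in SINGLE_VALUED and len(names) > 1]
    return findings

# Constructed sample, reduced from the entry in this report; {4} is made up.
SAMPLE = """\
dn: olcDatabase={3}mdb,cn=config
olcLimits: {0}dn="uid=repl,ou=security,o=service,o=worteks" size=unlimited tim
 e=unlimited
olcMultiProvider: TRUE
olcMirrorMode: TRUE

dn: olcDatabase={4}mdb,cn=config
olcMirrorMode: TRUE
"""
```

An entry that uses only one of the two names, like the constructed {4} entry, produces no finding.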
--- Comment #5 from elecharny@apache.org ---
Ah, thanks Howard. That makes sense, and I'll fix my config.
I will change the issue title to reflect the real issue.
elecharny@apache.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Error when trying to modify |When a config contains both
                   |the olcDbCheckpoint attr:   |MultiProvider and
                   |'olcMultiProvider' cannot   |MirrorMode attributes, the
                   |have multiple values        |MultiProvider attribute
                   |                            |contains 2 values after the
                   |                            |config is loaded.
--- Comment #6 from Howard Chu hyc@openldap.org ---
Tempted to make this a WONTFIX. The LDIF input has obviously been edited by hand, making it invalid for slapadd.
I've written a fix for this, but the error message from slapadd is:
../../../servers/slapd/slapd -Ta -F slapd.d -n0 -l cfg1.ldif
Entry (olcDatabase={1}mdb,cn=config), attribute 'olcMultiProvider' cannot have multiple values
slapadd: dn="olcDatabase={1}mdb,cn=config" (line=1737): (19) attribute 'olcMultiProvider' cannot have multiple values
Closing DB...
Which would be misleading because the input uses olcMirrorMode. There's no obvious way to show that the two values come from an alternate attribute name, and the alternate name is actually gone by the time we detect the schema violation.
--- Comment #7 from Howard Chu hyc@openldap.org ---
(Remember that slapadd is only valid for known good inputs generated by slapcat. Use of hand-edited LDIF, as was obviously used here, is unsupported and you're on your own.)
--- Comment #8 from elecharny@apache.org ---
The config is not a human generated LDIF. It’s an old config file converted to slapd.d. I can’t check how it gets generated now (in my car), but will provide the info.
I understand how that can be a burden to fix as you want to keep a compatibility with pre 2.4 config format, so keeping both MirrorMode and MultiProvider attributes. The main issue is having both in the same config, and I tend to think that if it’s the case, then mirror mode should simply be ignored when processing the config in slapd (but kept as a visible attribute):
- if mirrorMode *or* multiProvider are present, then they are treated as is.
- if *both* are present, then multiProvider should be the only one used to configure slapd, mirror mode being ignored.
In any case, it’s far from being critical, and a simple warning while processing the config should do the trick (plus maybe a mention in the slapd man page explaining that mirrorMode is obsolete).
From my PoV, now that I understand what’s going on, I’m fine with whatever choice is made, as soon as the issue has been tracked for everyone having the same pb in the future (assuming they check the bug tracker).
--- Comment #9 from elecharny@apache.org ---
My bad, it was a copy of slapd.d files, most certainly converted from a slapd.conf, but it was provided as is, I have no idea how the conversion was done. It's very likely the slapd.conf contained both attributes, converted by a slaptest.
--- Comment #10 from Howard Chu hyc@openldap.org ---
(In reply to elecharny from comment #9)
> My bad, it was a copy of slapd.d files, most certainly converted from a slapd.conf, but it was provided as is, I have no idea how the conversion was done. It's very likely the slapd.conf contained both attributes, converted by a slaptest.
No. Internally the flag is only stored once, so even if it appeared twice in slapd.conf the conversion would only emit a single attribute.
Also, slapd would never emit both versions of the attribute name. Older releases only know the old name. Newer releases only use the new name. The only way for both attributes to have gotten into the LDIF is for someone to have manually edited the LDIF and put the 2nd one there. Thus, not our bug.
--- Comment #11 from elecharny@apache.org ---
Ok, but still: the LDIF contains both attributes, and gets processed by the slapadd, resulting in the olcMultiProvider being considered as multi valued. You can delete it once, it's still present, but with one value only and all is good. If you don't delete it once, then you can't modify the database config because olcMultiProvider is seen as multivalued.
So besides the injected config being obviously wrong, there is something weird being done by the server.
I can live with it, no big deal, as I said it's documented in this issue, so "get your injected config fixed", and basta.