On Mon, Mar 17, 2025 at 08:04:30AM +0000, Windl, Ulrich wrote:
but applying dn: olcDatabase={-1}frontend,cn=config changetype: modify replace: olcPasswordHash olcPasswordHash: {SSHA256}
fails with: modifying entry "olcDatabase={-1}frontend,cn=config" ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed
Do I have to add olcFrontendConfig explicitly?
Hi Ulrich, yes, I did say that the attribute is allowed by *that* objectClass in particular.
My frontend has (from 2.4): dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig olcDatabase: {-1}frontend
In case this is no longer correct ,the upgrade guide for 24-to-2.5 should be updated.
It is not currently incorrect to create it as such but it won't allow you to configure important things like you just noticed. As such, it is documented as "required".
It has always (since at least 2007) been added automatically for you if you created one from slapd.conf and apart from one place in the Admin Guide (which I've just corrected), all documentation mentions you should be adding it if creating one manually. If you spot any other examples that don't, please report them and we can fix those too.
So whoever create the configuration must have either created it without reading said documentation or followed the (unfixed) admin guide and they will realise eventually. In the future, we might consider rejecting configurations without olcFrontendConfig, that's when we would note something in the upgrade documentation.
Regards,