Howard and Quanah,

I think I understand what you have told me, but I still don't understand why my ldif doesn't work. Thankfully my environment is a test environment. I have another test environment that differs from the first in one way: I converted the first environment's database to an mdb database, while the second is a default installation where the database is hdb (default).

In the second environment, I can modify olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile normally.
To modify the first environment:
  1. I stopped the slapd service;
  2. I got the olc configuration from the slapcat -n 0 command, like: slapcat -n 0 >> config.ldif;
  3. I added olcModuleLoad back_mdb on dn: cn=module{0},cn=config (I verified the olcModulePath and /usr/lib64);
  4. I modified on dn: olcDatabase={2}hdb,cn=config the following attributes:
    • dn: olcDatabase={2}hdb,cn=config to dn: olcDatabase={2}mdb,cn=config
    • objectClass: olcHdbConfig to objectClass: olcMdbConfig
    • olcDatabase: {2}hdb to olcDatabase: {2}mdb
    • structuralObjectClass: olcHdbConfig to structuralObjectClass: olcMdbConfig
    • And finally, I ran these two commands:
      • cat config.ldif | slapadd -v -F /etc/openldap/slapd.d -n 0
      • chown -R /etc/openldap/slapd.d (to solve the owner problem after running this command as root)
Note: I've set up the environment on CentOS 7, added Symas' repository and installed from yum.

Is it possible I have done something wrong in the conversion process?

Igor Sousa

On Thu, Jul 11, 2019 at 22:56, Howard Chu <> wrote:
Quanah Gibson-Mount wrote:
> --On Thursday, July 11, 2019 5:29 PM -0300 Igor Sousa <> wrote:
>> I've tested your suggestion and the delete operation has worked fine, but
>> I've still had the same problem described previously when I've tried to add
>> a new olcTLSCertificateFile or new olcTLSCertificateKeyFile or new
>> olcTLSCACertificateFile. I don't understand the reason for that.
>
> You're likely hitting ITS#8286 with the replace operations. Another
> idea may be to change replace to a delete+add in the same operation sequence.
>
> The details in the ITS aren't as fleshed out as they probably should be, but
> if a configuration element is missing an EQUALITY matching rule, then you
> generally cannot use a replace OP on them.

That's not correct. A replace op always works. It is only [Delete/Add] value that requires an equality rule.

  -- Howard Chu
  CTO, Symas Corp. 
  Director, Highland Sun
  Chief Architect, OpenLDAP
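
The request shapes discussed in this thread, written out as LDIF for ldapmodify. This is an added example, not LDIF posted by anyone in the thread; the /path/to/... file names are placeholders, and only one of the two records would be applied.

```ldif
# Form 1: a single modify request that replaces each attribute outright.
# Per Howard's reply, a replace op does not depend on an EQUALITY rule.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /path/to/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/server.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/server.key

# Form 2: delete + add in the same modify request (Quanah's suggestion).
# "delete:" followed by no value line removes the whole attribute, so no
# value comparison takes place. It fails with noSuchAttribute if the
# attribute is not currently set, and then the whole request is rejected.
# A delete that names a value (a "delete: attr" line followed by
# "attr: value") is the form Howard says requires an equality rule.
dn: cn=config
changetype: modify
delete: olcTLSCACertificateFile
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /path/to/ca.pem
-
delete: olcTLSCertificateFile
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /path/to/server.pem
-
delete: olcTLSCertificateKeyFile
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /path/to/server.key
```

Because all changes in one record travel in a single modify request, the certificate, key and CA settings change together or not at all.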