Hi,
I have a legacy LDAP instance (openldap-2.4) which has the same redundant user info, containing a mail attribute among others (objectclass: inetOrgPerson), in 2 different OUs (objectclass: organizationalUnit). I know it is a bad design for an LDAP user structure, but I am not allowed to change it in a short time. When I tried to migrate this LDAP database to OpenLDAP 2.6 I realized this is not possible anymore. I identified that it is just related to the mail attribute, because if I omit the mail attribute or use a different value for mail, then all data is imported properly.
Error from phpldapadmin:
Attribute value would not be unique
This update has been or will be cancelled, it would result in an attribute value not being unique. You might like to search the LDAP server for the offending entry. (Search)
warn LDIF text import
Could not add object cn=*****,ou=Users,ou=TRG01,dc=***,dc=*****,dc=**
LDAP said: Success
Error number: 0x00 (LDAP_SUCCESS)
Description: The operation completed successfully.
--On Wednesday, February 28, 2024 7:34 AM +0000 CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com wrote:
Hi,
I have a legacy LDAP instance (openldap-2.4) which has the same redundant user info, containing a mail attribute among others (objectclass: inetOrgPerson), in 2 different OUs (objectclass: organizationalUnit). I know it is a bad design for an LDAP user structure, but I am not allowed to change it in a short time. When I tried to migrate this LDAP database to OpenLDAP 2.6 I realized this is not possible anymore. I identified that it is just related to the mail attribute, because if I omit the mail attribute or use a different value for mail, then all data is imported properly.
Do you use the slapo-unique overlay?
The only uniqueness requirement on mail out of the box is that for any specific entry, the mail value must be unique. There is no requirement *across* subtrees that it be unique unless the configuration loads and uses slapo-unique to do this.
If you have duplicate values for 'mail' within a given entry, then you need to fix that.
--Quanah
Hi Quanah,
I am not sure how slapo-unique works. I am struggling with the syntax. How can I check the current config concerning it?
Thanks and regards, Sandro
-----Original Message-----
From: Quanah Gibson-Mount quanah@fast-mail.org
Sent: Wednesday, February 28, 2024 6:27 PM
To: CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com; openldap-technical@openldap.org
Subject: Re: Disable uniqueness for mail Attribute
--On Thursday, February 29, 2024 1:35 PM +0000 CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com wrote:
Hi Quanah,
I am not sure how slapo-unique works. I am struggling with the syntax. How can I check the current config concerning it?
Does your configuration even use slapo-unique? That's the first question you need to answer. Assuming you are using cn=config, you can use slapcat -n 0 -l /tmp/config.ldif to export your full configuration and examine it to see if it uses the unique overlay at all.
--Quanah
Hi Quanah,
I am running OpenLDAP from the Bitnami Docker image - https://github.com/bitnami/containers/tree/main/bitnami/openldap/2.6/debian-12
So there is no slapd.conf:
$ slapcat -n 0
could not stat config file "/opt/bitnami/openldap/etc/openldap/slapd.conf": No such file or directory (2)
slapcat: bad configuration file!
Nevertheless, I ran this search:
ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config > /bitnami/openldap/data/config
And tried to find the related config:
$ grep -i unique config
 r uniquely identifying a user in an administrative domain' EQUALITY integerMa
 r uniquely identifying a group in an administrative domain' EQUALITY integerM
olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: X
 .500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.1
olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique me
 mber of a group' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a gr
 oup of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uni
 ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR
olcAttributeTypes: {28}( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE
 SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14
 $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre

$ grep -I overlay config
olcObjectIdentifier: olmOverlayAttributes olmSubSystemAttributes:2
olcObjectIdentifier: olmOverlayObjectClasses olmSubSystemObjectClasses:2
olcObjectIdentifier: olmSyncReplAttributes olmOverlayAttributes:1
olcObjectIdentifier: olmSyncReplObjectClasses olmOverlayObjectClasses:1
olcAttributeTypes: ( OLcfgGlAt:34 NAME 'olcOverlay' SUP olcDatabase SINGLE-VAL
olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.11 NAME 'monitorOverlay' DESC '
 name of overlays defined for a given database' SUP monitoredInfo NO-USER-MODI
olcObjectClasses: ( OLcfgGlOc:5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay
 -specific options' SUP olcConfig STRUCTURAL MUST olcOverlay MAY olcDisabled )
 abeledURI $ monitoredInfo $ managedInfo $ monitorOverlay ) )
 ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov
So it seems I have nothing in my config for unique. The only olcOverlay in use is for syncprov.
Another point: inside the container I have some modules in the folder /opt/bitnami/openldap/lib/openldap
Among several libs, unique and syncprov:
lrwxrwxrwx 1 root root    17 Aug 18  2023 unique.so -> unique.so.2.0.200
lrwxrwxrwx 1 root root    17 Aug 18  2023 unique.so.2 -> unique.so.2.0.200
-rwxr-xr-x 1 root root 39424 Aug 18  2023 unique.so.2.0.200
lrwxrwxrwx 1 root root    19 Aug 18  2023 syncprov.so -> syncprov.so.2.0.200
lrwxrwxrwx 1 root root    19 Aug 18  2023 syncprov.so.2 -> syncprov.so.2.0.200
-rwxr-xr-x 1 root root 92736 Aug 18  2023 syncprov.so.2.0.200
From the compose file I enable syncprov for the replication environment:
- LDAP_ENABLE_SYNCPROV=yes
And I can see the files to enable syncprov:
$ cat /opt/bitnami/openldap/share/syncprov_create_overlay_configuration.ldif
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100
-----Original Message-----
From: Quanah Gibson-Mount quanah@fast-mail.org
Sent: Thursday, February 29, 2024 5:33 PM
To: CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com; openldap-technical@openldap.org
Subject: RE: Disable uniqueness for mail Attribute
--On Thursday, February 29, 2024 8:11 PM +0000 CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com wrote:
Hi Quanah,
I am running OpenLDAP from the Bitnami Docker image - https://github.com/bitnami/containers/tree/main/bitnami/openldap/2.6/debian-12
So there is no slapd.conf:
$ slapcat -n 0
could not stat config file "/opt/bitnami/openldap/etc/openldap/slapd.conf": No such file or directory (2)
slapcat: bad configuration file!
So clearly not using slapd.conf. I realize you do have to specify -F /path/to/slapd/config for slapcat to work.
But since you searched the config and there's no slapo-unique loaded, you're not using it. This would imply that your database has bad data in it, where there are duplicate values for the "mail" attribute IN a single entry like:
uid=joe,ou=whatever,dc=example,dc=org
...
mail: joe@example.com
mail: joe@Example.com
would count as duplicates, for example. Most likely validation checks during slapadd were improved between 2.4 and 2.6, so those errors are now being caught. You'll need to clean your database to be correct.
--Quanah
Hi Quanah,
Since it has side effects on the customer side, is there any workaround I could add to ignore this validation?
KR Sandro
-----Original Message-----
From: Quanah Gibson-Mount quanah@fast-mail.org
Sent: Thursday, February 29, 2024 11:56 PM
To: CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com; openldap-technical@openldap.org
Subject: RE: Disable uniqueness for mail Attribute
On Thu, Feb 29, 2024 at 14:55:57 -0800, Quanah Gibson-Mount wrote:
But since you searched the config and there's no slapo-unique loaded, you're not using it. This would imply that your database has bad data in it, where there are duplicate values for the "mail" attribute IN a single entry like:
Could that error just be a client-side check performed by phpldapadmin?
The wording "value would not be unique" is not an OpenLDAP server error.
On Wed, Feb 28, 2024 at 07:34:59 +0000, CALDEIRA JAVIEL Sandro wrote:
Error from phpldapadmin:
Attribute value would not be unique
This update has been or will be cancelled, it would result in an attribute value not being unique. You might like to search the LDAP server for the offending entry. (Search)
warn LDIF text import
Could not add object cn=*****,ou=Users,ou=TRG01,dc=***,dc=*****,dc=**
LDAP said: Success
Error number: 0x00 (LDAP_SUCCESS)
Description: The operation completed successfully.
Geert
Hi Geert,
You are right. phpldapadmin was blocking this import. I ran ldapadd manually and it worked.
Thanks a lot @Geert Hendrickx and @Quanah Gibson-Mount for your tips and analysis.
KR Sandro
-----Original Message-----
From: Geert Hendrickx geert@hendrickx.be
Sent: Friday, March 1, 2024 9:28 AM
To: Quanah Gibson-Mount quanah@fast-mail.org
Cc: CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com; openldap-technical@openldap.org
Subject: Re: Disable uniqueness for mail Attribute
--On Friday, March 1, 2024 1:46 PM +0000 CALDEIRA JAVIEL Sandro sandro.caldeirajaviel@urbanandmainlines.com wrote:
Hi Geert,
You are right. phpldapadmin was blocking this import. I ran manually ldapadd and it worked.
Hi,
Good catch Geert. I've been advising people against using phpldapadmin for nearly 20 years, for differing reasons. Looks like that advice should still stand.
Also, just to note, this sounds like you're not importing your database correctly, unless you want to destroy replication and invalidate your cluster.
The supported method for exporting and importing a database is slapcat to export, slapadd to import.
Regards, Quanah
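A pre-import check for the two situations the thread distinguishes, added here as an example and not code from the thread or from OpenLDAP: it parses a slapcat-style LDIF export (unfolding continuation lines and decoding base64 values) and reports entries in which mail repeats under the case-insensitive comparison slapd applies to mail, the case Quanah's joe@example.com / joe@Example.com pair illustrates and slapadd rejects, separately from a value merely held by entries in different OUs, which is legal without slapo-unique. The sample LDIF is constructed; run check_export over the output of slapcat before feeding it to slapadd.

```python
import base64
import re
from collections import Counter, defaultdict

# Constructed slapcat-style export (not from the thread): the same user in two
# OUs, one entry with a case-variant duplicate, a folded line, a base64 value.
SAMPLE_LDIF = """\
dn: uid=joe,ou=Users,ou=TRG01,dc=example,dc=org
mail: joe@example.com
mail: joe@Example.com

dn: uid=joe,ou=Users,ou=TRG02,dc=example,dc=org
mail: joe@exam
 ple.com

dn: uid=ann,ou=Users,ou=TRG01,dc=example,dc=org
mail:: YW5uQGV4YW1wbGUuY29t
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with attribute names lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in re.sub(r"\n ", "", block).split("\n"):  # LDIF unfolding
            name, _, value = line.partition(":")
            if value.startswith(":"):                      # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        entries.append((dn, dict(attrs)))
    return entries

def check_export(text, attr="mail"):
    """rejected: DNs where attr repeats inside one entry under mail's equality
    rule (caseIgnoreIA5Match). shared: values held by several entries."""
    rejected, holders = {}, defaultdict(list)
    for dn, attrs in parse_ldif(text):
        counts = Counter(v.lower() for v in attrs.get(attr, []))
        dups = sorted(v for v, n in counts.items() if n > 1)
        if dups:
            rejected[dn] = dups
        for v in counts:
            holders[v].append(dn)
    return rejected, {v: d for v, d in holders.items() if len(d) > 1}
```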