Hello
I am having issues migrating my configdb from 2.4.57 to 2.6.1. The issue being the ppolicy schema, that upon import claims a duplicate attribute type, that I cannot track down. A recursive grep does not reveal the attribute oid anywhere as duplicate.
This happens with a 2.6.0 instance on alpine as well as with 2.6.1 on arch. In addition, I can happily import that configdb.ldif into another 2.4.x openldap instance, so I doubt it is corrupt. Coming from a working instance anyway.
So I assume, I might have missed some reading, but my search skills did not produce any results. Removing the ppolicy schema part from the config_db.ldif makes the import finish error-free, but well, but later it is being used.
Here is the output of my trying, the oid in question is the "pwdAttribute", but removing just that makes just the next attribute fail.
# slapadd -n0 -F /etc/openldap/slapd.d/ -v -l config_db.ldif
added: "cn=config" (00000001)
added: "cn=module{0},cn=config" (00000001)
added: "cn=schema,cn=config" (00000001)
added: "cn={0}core,cn=schema,cn=config" (00000001)
added: "cn={1}cosine,cn=schema,cn=config" (00000001)
added: "cn={2}dyngroup,cn=schema,cn=config" (00000001)
added: "cn={3}inetorgperson,cn=schema,cn=config" (00000001)
added: "cn={4}nis,cn=schema,cn=config" (00000001)
added: "cn={5}openldap,cn=schema,cn=config" (00000001)
added: "cn={6}pmi,cn=schema,cn=config" (00000001)
olcAttributeTypes: value #0 olcAttributeTypes: Duplicate attributeType: "1.3.6.1.4.1.42.2.27.8.1.1"
slapadd: could not add entry dn="cn={7}ppolicy,cn=schema,cn=config" (line=396): olcAttributeTypes: Duplicate attributeType: "1.3.6.1.4.1.42.2.27.8.1.1"
Closing DB...
The slapd.d directory is of course empty before import. Anything I might have missed?
Thanks
Ede
P.S. Most likely well known, as I have not altered it, but here is the offending part altogether:
dn: cn={7}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {7}ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates "check_password() function' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) )
structuralObjectClass: olcSchemaConfig
--On Tuesday, April 12, 2022 3:36 PM +0200 Ede Wolf listac@nebelschwaden.de wrote:
Hello
I am having issues migrating my configdb from 2.4.57 to 2.6.1. The issue being the ppolicy schema, that upon import claims a duplicate attribute type, that I cannot track down. A recursive grep does not reveal the attribute oid anywhere as duplicate.
Please see the admin guide:
https://www.openldap.org/doc/admin25/appendix-upgrading.html#ppolicy%20overlay
Regards, Quanah
Thanks very much! Indeed, importing the actual directory worked with the ppolicy schema removed.
Thanks very much again for the heads up
On 12.04.22 at 18:00, Quanah Gibson-Mount wrote:
--On Tuesday, April 12, 2022 3:36 PM +0200 Ede Wolf listac@nebelschwaden.de wrote:
Hello
I am having issues migrating my configdb from 2.4.57 to 2.6.1. The issue being the ppolicy schema, that upon import claims a duplicate attribute type, that I cannot track down. A recursive grep does not reveal the attribute oid anywhere as duplicate.
Please see the admin guide:
https://www.openldap.org/doc/admin25/appendix-upgrading.html#ppolicy%20overlay
Regards, Quanah
openldap-technical@openldap.org
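The resolution reported in the thread (the import works once the ppolicy schema entry is removed from the exported config) can be applied to the LDIF before running slapadd. The following is an added example, not code from the thread or from the OpenLDAP project; the function names and the `cn={8}local` entry are constructed, and it assumes that any other schema entry still defining an OID in the 1.3.6.1.4.1.42.2.27.8 arc would hit the same duplicate error.

```python
import re

# DN of the ordered ppolicy schema entry, and the OID arc slapadd rejected in the thread.
PPOLICY_DN = re.compile(r"^cn=\{\d+\}ppolicy,cn=schema,cn=config$", re.I)
PPOLICY_OID = re.compile(r"\(\s*(1\.3\.6\.1\.4\.1\.42\.2\.27\.8\.[\d.]+)")

def split_entries(ldif_text):
    """Split LDIF into entries, joining folded (space-prefixed) continuation lines."""
    entries, current = [], []
    for raw in ldif_text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip():
            current.append(raw)
        elif current:
            entries.append(current)
            current = []
    return entries

def entry_dn(entry):
    return next((l[4:].strip() for l in entry if l.lower().startswith("dn: ")), None)

def strip_ppolicy_schema(ldif_text):
    """Drop the external ppolicy schema entry; return (cleaned, removed, leftovers)."""
    kept, removed, leftovers = [], [], []
    for entry in split_entries(ldif_text):
        dn = entry_dn(entry)
        if dn and PPOLICY_DN.match(dn):
            removed.append(dn)
            continue
        kept.append("\n".join(entry))
        for line in entry:  # ppolicy OIDs defined in any other schema entry
            if line.lower().startswith(("olcattributetypes:", "olcobjectclasses:")):
                leftovers += [(dn, oid) for oid in PPOLICY_OID.findall(line)]
    return "\n\n".join(kept) + "\n", removed, leftovers

# Constructed sample: first attribute from the posted LDIF plus a made-up local schema.
SAMPLE = """\
dn: cn={7}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALI
 TY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )

dn: cn={8}local,cn=schema,cn=config
objectClass: olcSchemaConfig
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
"""

if __name__ == "__main__":
    cleaned, removed, leftovers = strip_ppolicy_schema(SAMPLE)
    print("removed:", removed, "leftover ppolicy OIDs:", leftovers)
```

The cleaned output keeps every other entry with its folded lines joined; anything reported in `leftovers` needs a manual look before the import.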