i was experimenting a bit with adding new databases to the config, and found that if the olcsuffix attribute was not provided, it would fail:

cat db.ldif

dn: olcDatabase=hdb,cn=config changetype: add objectClass: olcHdbConfig olcDatabase: hdb olcDbDirectory: /var/lib/ldap/example.org

ldapadd -xWZZH 'ldap://dsa.example.com/' -D 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com' -f db.ldif

Enter LDAP Password: adding new entry "olcDatabase=hdb,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcDbDirectory> failed startup

tail -F slapd.log

Feb 21 19:39:41 flip slapd[19134]: conn=1535 fd=64 ACCEPT from IP=192.168.1.1:36891 (IP=0.0.0.0:389) Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 STARTTLS Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 RESULT oid= err=0 text= Feb 21 19:39:41 flip slapd[19134]: conn=1535 fd=64 TLS established tls_ssf=128 ssf=128 Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" method=128 Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" mech=SIMPLE ssf=0 Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 RESULT tag=97 err=0 text= Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=2 ADD dn="olcDatabase=hdb,cn=config" Feb 21 19:39:43 flip slapd[19134]: hdb_db_open: need suffix. Feb 21 19:39:43 flip slapd[19134]: backend_startup_one (type=hdb, suffix="(null)"): bi_db_open failed! (-1) Feb 21 19:39:43 flip slapd[19134]: olcDbDirectory: value #0: <olcDbDirectory> failed startup (0?:?X#024c?/ldap/example.org)! Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=2 RESULT tag=105 err=80 text=<olcDbDirectory> failed startup Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=3 UNBIND Feb 21 19:39:43 flip slapd[19134]: conn=1535 fd=64 closed

providing an olcSuffix attribute in the ldif allowed the new database to be added without error:

ldapadd -xWZZH 'ldap://dsa.example.com/' -D 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com' -f db.ldif

Enter LDAP Password: adding new entry "olcDatabase=hdb,cn=config"

tail -F slapd.log

Feb 21 19:43:21 flip slapd[19134]: conn=1537 fd=44 ACCEPT from IP=192.168.1.1:36900 (IP=0.0.0.0:389) Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 STARTTLS Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 RESULT oid= err=0 text= Feb 21 19:43:21 flip slapd[19134]: conn=1537 fd=44 TLS established tls_ssf=128 ssf=128 Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" method=128 Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" mech=SIMPLE ssf=0 Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 RESULT tag=97 err=0 text= Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=2 ADD dn="olcDatabase=hdb,cn=config" Feb 21 19:43:24 flip slapd[19134]: conn=1537 op=2 RESULT tag=105 err=0 text= Feb 21 19:43:24 flip slapd[19134]: conn=1537 op=3 UNBIND

this behavior wasn't really all that surprising to me, as i don't really know in what capacity there might be a database without a suffix defined, even if it were just "", but what i am curious about is the schema definition for the olcHdbConfig object class. the best i can tell, only olcDatabase and olcDbDirectory are MUST attributes, while olcSuffix is not:

ldapsearch -xH 'ldap://dsa.example.com/' -s base -b 'cn=subschema' '*' '+' | grep -iFA 5 "NAME 'olcHdbConfig'"

objectClasses: ( 1.3.6.1.4.1.4203.1.12.2.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbCryptFile $ olcDb CryptKey $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ ol cDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree $ olcDbDNcacheSize $ olcDbPageSize ) )

ldapsearch -xH 'ldap://dsa.example.com/' -s base -b 'cn=subschema' '*' '+' | grep -iFA 7 "NAME 'olcDatabaseConfig'"

objectClasses: ( 1.3.6.1.4.1.4203.1.12.2.4.0.4 NAME 'olcDatabaseConfig' DESC ' OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcHidden $ olcSuffix $ olcSubordinate $ olcAccess $ olcAddContentAcl $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcRe plica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ olc ReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ olcTimeLimi t $ olcUpdateDN $ olcUpdateRef $ olcMirrorMode $ olcMonitoring ) )

why is olcSuffix not a MUST attribute if the database can't be added without it? are there cases different than my exercise where a database might be added without the need for a suffix? it's not anything that's causing an insurmountable hurdle, just mostly curious if this was intended.

-ben