Problem: After an LDAP schema was removed, there are still some references in your LDAP

Problem

After an LDAP schema was removed following the article Remove LDAP schema extensions, there may still be references to its attributes in your LDAP.
You will then get the following message when you use slapindex, slapschema or slaptest:

$ slapindex
WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!

5cade2d2 UNKNOWN attributeDescription "OWNCLOUDENABLED" inserted.
5cade2d2 UNKNOWN attributeDescription "OWNCLOUDQUOTA" inserted.

Solution

You need to reload the LDAP database to purge the old attributes, which are no longer defined by any schema.
Attention! In large environments this may take a lot of time.

$ mkdir ~/ldap-backup 
$ systemctl stop slapd.service
$ slapcat -l ~/ldap-backup/backup.ldif
$ cp ~/ldap-backup/backup.ldif{,.bak}

Now edit ~/ldap-backup/backup.ldif and remove every reference to the attributes named in the warning above (e.g. OWNCLOUDENABLED and OWNCLOUDQUOTA).

$ mv /var/lib/univention-ldap/ldap/*.* ~/ldap-backup/
$ ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG 
$ slapadd -l ~/ldap-backup/backup.ldif 
$ systemctl start slapd.service
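The manual editing step above is error-prone on a large dump: a value may be base64-encoded (attr:: ...), carry an attribute option (attr;lang-en: ...), or be folded over several lines, and LDAP attribute names are matched case-insensitively. The following shell helper, an added example that is not part of the original post or of Univention's tooling, removes all values of the given attributes from an LDIF file while keeping every other entry untouched. The sample LDIF, the attribute names ownCloudEnabled/ownCloudQuota, and the function names are constructed for this example; on a real system you would run it against ~/ldap-backup/backup.ldif before slapadd and re-check the result with slapindex.

```shell
#!/bin/bash
# Added example (not from the original post): drop every value of the
# attributes that slapindex reported as UNKNOWN from an LDIF dump.
# Handles "attr: v", "attr:: base64", "attr:< url", attribute options such
# as "attr;lang-en:", and folded values (continuation lines beginning with
# a single space). Names are matched case-insensitively, as LDAP does.

# Usage: strip_ldif_attrs <ldif-file> <attr> [<attr> ...]
# Writes the filtered LDIF to stdout; returns 2 on an invalid attribute name.
strip_ldif_attrs() {
    local ldif="$1"; shift
    local pattern="" name
    for name in "$@"; do
        # Attribute descriptors are letters, digits and hyphens only (RFC 4512);
        # rejecting anything else also keeps regex metacharacters out of awk.
        case "$name" in
            ""|*[!A-Za-z0-9-]*)
                printf 'invalid attribute name: %s\n' "$name" >&2
                return 2 ;;
        esac
        pattern="${pattern:+$pattern|}$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')"
    done
    # ^(name)(;option)?:  matches "name:", "name::", "name:<" and "name;opt:".
    awk -v pat="^(${pattern})(;[^:]*)?::?" '
        # A line starting with a space continues the previous attribute value;
        # keep it unless that attribute is being dropped.
        /^ / { if (!skipping) print; next }
        # Any other line (including a blank entry separator) ends the value.
        { skipping = 0 }
        tolower($0) ~ pat { skipping = 1; next }
        { print }
    ' "$ldif"
}

# Constructed sample dump standing in for ~/ldap-backup/backup.ldif.
make_sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
ownCloudEnabled: 1
ownCloudQuota: 10 GB
description:: VGhpcyB2YWx1ZSBpcyBiYXNlNjQgYW5kIGZvbGRlZCBvdmVyIHR3
 byBsaW5lcw==
ownCloudQuota;lang-en:: MTAgR0I=

dn: uid=bob,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
OWNCLOUDQUOTA: 5 GB
 (folded continuation that must disappear together with the attribute)
EOF
}

# Runs the filter over the sample and prints the cleaned LDIF.
demo() {
    local tmp
    tmp="$(mktemp)"
    make_sample_ldif > "$tmp"
    strip_ldif_attrs "$tmp" OWNCLOUDENABLED OWNCLOUDQUOTA
    rm -f "$tmp"
}

demo
```

Apply it as `strip_ldif_attrs ~/ldap-backup/backup.ldif OWNCLOUDENABLED OWNCLOUDQUOTA > ~/ldap-backup/clean.ldif` and pass clean.ldif to slapadd; the untouched backup.ldif.bak from the procedure remains your fallback.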

Alternatives

Instead of cleaning up, you can also register the schema file again, if it is still on the server:

  • For a well-known schema running the UMC diagnostics check can do this automatically:
    univention-run-diagnostic-checks -t 60_old_schema_registration
  • For custom and other schemas this can be done manually:
#!/bin/bash
. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension --packagename <my-own-schema> --packageversion 1.0 --schema /var/lib/univention-ldap/local-schema/my-own.schema

Be warned that such attributes lacking a schema definition can break UDN/UDL replication or prevent DC Backups/Replicas from being joined: the OpenLDAP server seems to return former regular attributes as operational attributes if the attributes are left behind but the schema file is deleted. They are then returned when asking about all operational attributes (ldapsearch +), which breaks replication via UDN/UDL: joining a DC Backup/Replica will no longer be possible as UDL replication.py just does such a query for all operational attributes and will try to feed them to the local OpenLDAP server, which rejects them as there is no schema for them.
Searching explicitly for entries with these attributes after the schema is removed will not return those entries as the schema definition contained the SYNTAX type and EQUALITY comparison specification, which are then missing and will prevent the search from working.

If you can't find your old schema definitions in the .ldif file but still get complaints, you might look at your LDAP ACLs as well: 3.3. LDAP-Verzeichnisdienst — Univention Corporate Server - Handbuch für Benutzer und Administratoren
