Problem: After a ldap schema was removed, there are still some references in your ldap

Problem:

After an LDAP schema was removed based on this article Remove LDAP schema extensions, there are still some references in your LDAP.
You will get the following message when you use slapindex, slapschema or slaptest.

~# slapindex
WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!

5cade2d2 UNKNOWN attributeDescription "OWNCLOUDENABLED" inserted.
5cade2d2 UNKNOWN attributeDescription "OWNCLOUDQUOTA" inserted.

Solution:

You need to find the references and reload the ldap.
Attention! In large environments this may take a lot of time.

root@ucs:~# mkdir ldap-backup 
root@ucs:~# cd ldap-backup 
root@ucs:~/ldap-backup# /etc/init.d/slapd stop 
root@ucs:~/ldap-backup# slapcat > backup.ldif
root@ucs:~/ldap-backup# cp backup.ldif{,.bak}

You have to edit the backup.ldif and remove the references to the above attributes (e.g. OWNCLOUDQUOTA) in the backup.ldif.

root@ucs:~# cd
root@ucs:~# mkdir DB
root@ucs:~# mv /var/lib/univention-ldap/ldap/* DB/
root@ucs:~# ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG 
root@ucs:~# slapadd < ldap-backup/backup.ldif 
root@ucs:~# /etc/init.d/slapd start
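The manual edit of backup.ldif is the error-prone step of the procedure: slapcat folds long values onto continuation lines that begin with a single space, attribute names are case-insensitive, and DNs with non-ASCII characters are written base64-encoded (dn::). The following script is an added example and not part of the original post or of UCS; it strips the named attributes from a slapcat dump while handling those three cases, writes the cleaned LDIF to stdout and reports the affected DNs on stderr. The only assumptions are the file name backup.ldif and the attribute names taken from the slapindex output above; the embedded sample dump is constructed for illustration.

```python
"""Strip attributes that no longer have a schema definition from a slapcat dump.

Added example, not part of the original post. Usage on the real dump:
    python3 strip_ldif_attrs.py backup.ldif OWNCLOUDENABLED OWNCLOUDQUOTA > cleaned.ldif
Output lines are not re-folded at 76 characters; slapadd accepts unfolded lines.
"""
import base64
import sys


def fold_records(lines):
    """Yield LDIF records as lists of logical lines, unfolding continuation lines.

    A physical line starting with one space continues the previous logical line;
    a blank line terminates the current record."""
    record = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith(" ") and record:
            record[-1] += line[1:]
        elif line == "":
            if record:
                yield record
                record = []
        else:
            record.append(line)
    if record:
        yield record


def attr_name(logical):
    """Lower-cased attribute name of a logical LDIF line (None for comments).

    Attribute options such as ';binary' are dropped so that they match too."""
    if logical.startswith("#"):
        return None
    name, sep, _ = logical.partition(":")
    if not sep:
        return None
    return name.split(";")[0].strip().lower()


def strip_attributes(ldif_text, unwanted):
    """Remove every attribute line whose name is in `unwanted` (case-insensitive).

    Returns (cleaned_ldif_text, {dn: [removed attribute names in order]})."""
    wanted = {n.lower() for n in unwanted}
    out_records = []
    affected = {}
    for record in fold_records(ldif_text.splitlines(keepends=True)):
        dn = next((l for l in record if attr_name(l) == "dn"), "dn: <no dn>")
        if dn.startswith("dn:: "):
            # base64-encoded DN (non-ASCII characters); decode it for the report
            dn = "dn: " + base64.b64decode(dn[5:]).decode("utf-8", "replace")
        kept = []
        for logical in record:
            name = attr_name(logical)
            if name in wanted:
                affected.setdefault(dn[4:], []).append(name)
            else:
                kept.append(logical)
        out_records.append("\n".join(kept))
    return "\n\n".join(out_records) + "\n", affected


# Constructed sample dump: a wrapped value, mixed-case attribute names and a
# base64-encoded DN, i.e. the cases a plain grep/sed edit tends to get wrong.
_DN3 = "cn=möller,dc=example,dc=com"
SAMPLE_LDIF = (
    "dn: uid=alice,cn=users,dc=example,dc=com\n"
    "objectClass: person\n"
    "uid: alice\n"
    "owncloudEnabled: 1\n"
    "owncloudQuota: 10 GB\n"
    "description: a long value that slapcat wrapped onto a continuation line wit\n"
    " h a leading space\n"
    "\n"
    "dn: uid=bob,cn=users,dc=example,dc=com\n"
    "objectClass: person\n"
    "uid: bob\n"
    "\n"
    "dn:: " + base64.b64encode(_DN3.encode("utf-8")).decode("ascii") + "\n"
    "objectClass: organizationalRole\n"
    "OWNCLOUDQUOTA: 5 GB\n"
    "\n"
)


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: strip_ldif_attrs.py backup.ldif ATTR [ATTR...] > cleaned.ldif")
    with open(argv[1], encoding="utf-8") as fh:
        cleaned, affected = strip_attributes(fh.read(), argv[2:])
    sys.stdout.write(cleaned)
    for dn, names in affected.items():
        print(f"{dn}: removed {', '.join(names)}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run slapschema on the cleaned file (or simply the slapadd from the procedure above) before starting slapd again; if the stderr report lists no DNs although slapindex still complains, the leftover references are not in the entries themselves.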

Instead of cleaning up, you can also register the schema file, if it is still on the Server:

#!/bin/bash
. /usr/share/univention-lib/ldap.sh
ucs_registerLDAPExtension --packagename <my-own-schema> --packageversion 1.0 --schema /var/lib/univention-ldap/local-schema/my-own.schema

Be warned that such attributes lacking a schema definition can break UDN/UDL replication or prevent DC Backups/Replicas from being joined: the OpenLDAP server seems to return former regular attributes as operational attributes if the attributes are left behind but the schema file is deleted. They are then returned when asking for all operational attributes (ldapsearch +), which breaks replication via UDN/UDL: joining a DC Backup/Replica will no longer be possible, as UDL replication.py does just such a query for all operational attributes and will try to feed them to the local OpenLDAP server, which rejects them as there is no schema for them.
Searching explicitly for entries with these attributes after the schema is removed will not return those entries, as the schema definition contained the SYNTAX type and EQUALITY comparison specification, which are then missing and will prevent the search from working.

If you can’t find your old schema definitions in the .ldif file but still get complaints, you might look at your LDAP ACLs as well: 3.3. LDAP-Verzeichnisdienst — Univention Corporate Server - Handbuch für Benutzer und Administratoren
