3

I have an OpenLDAP OLC server (2.4.23) to which I am trying to simply add two attributes to the Syncprov overlay file, but am encountering some difficulty.

Here are the contents of the olcOverlay={0}syncprov.ldif file:

# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}bdb/olcOverlay\={0}syncprov.ldif

dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 60
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig
entryUUID: 727d29d6-cc5c-1032-89d0-2fc7acd5ca31
creatorsName: cn=config
createTimestamp: 20131018161654Z
entryCSN: 20131018161654.036436Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20131018161654Z

And I am attempting to apply this LDIF:

# cat SyncprovOverlayAdd2.ldif

dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config
changetype: modify
add: olcSpCheckpoint
olcSpCheckpoint: 100 30
-
add: olcSpSessionlog
olcSpSessionlog: 1000

The error:

# ldapadd -v -f SyncprovOverlayAdd2.ldif -D "cn=config" -H "ldap://ldap01.lab.com" -W -x

ldap_initialize( ldap://ldap01.lab.com:389/??base )
Enter LDAP Password:
add olcSpCheckpoint:
        100 30
add olcSpSessionlog:
        1000
modifying entry "olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config"
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: olcSpCheckpoint: no equality matching rule

I get the same error if I invoke it with ldapmodify. Am I using the wrong add/modify directives or attributes?

Further Troubleshooting Attempts:

I tried modifying the LDIF without the "add:" directives to look like:

dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config
changetype: add
olcSpCheckpoint: 100 30
olcSpSessionlog: 1000

But when I do that I get a different error:

add olcSpCheckpoint:
        100 30
add olcSpSessionlog:
        1000
adding new entry "olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config"
ldap_add: Object class violation (65)
        additional info: no objectClass attribute

I don't quite have the hang of these OLC live changes and when you need to add/modify/replace, when "changetype" needs to be set explicitly, when you need to specify an objectClass when using ldapadd/ldapmodify for an existing entry, etc.

Reference: This ServerFault question had an answer that suggested replacing "add" with "replace" for this error, but that did not work for me.

2 Answers

2

This is http://www.openldap.org/its/index.cgi/?findid=8616 which will be fixed in the OpenLDAP 2.4.47 release.

1

Two things needed to happen to fix this. I already had an olcSpCheckpoint entry present (but not an olcSpSessionLog entry) in the overlay config file (olcOverlay={0}syncprov.ldif), so I needed to change my "add:" to "replace:" for olcSpCheckpoint, like so:

# cat SyncprovOverlayAdd2.ldif

dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSpCheckpoint
olcSpCheckpoint: 100 30
-
add: olcSpSessionlog
olcSpSessionlog: 1000

So the ServerFault link that I pointed to with my "Reference:" note at the bottom of the OP actually was correct, but I was not able to verify it at first since a second problem was at play (and I still received error messages after fixing the LDIF).

So secondly, even after I fixed the LDIF I was getting error messages that it could not change the entry (I lost the exact messages that appeared in the terminal unfortunately) when trying to apply the LDIF with ldapmodify, but I had the luxury of cloning the VM that my LDAP server was on so that I could play with a copy of it outside of production. And when I ran the same ldapmodify command in the VM clone it applied the LDIF successfully. So my only conclusion was that slapd was messed up on the production server for some strange reason and needed to be restarted. I had tried to avoid that on my single-point-of-failure, production LDAP server (that moreover was supposed to be entirely OLC to prevent things like having to restart slapd), but I bit the bullet and restarted slapd on the LDAP server, and after that my changes went through with no issues.
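The add-versus-replace choice described in the answer above can be derived from the entry's current contents instead of guessed. The following is an added example, not part of either answer and not OpenLDAP code: `present_attributes` and `build_modify` are hypothetical helper names, the sample entry is constructed from the LDIF shown in the question, and values are assumed to be plain ASCII that needs no base64 encoding.

```python
"""Build an ldapmodify change record that uses replace: for attributes the
entry already has and add: for attributes it lacks (hypothetical helper)."""

# Constructed sample: the overlay entry from the question, operational
# attributes omitted.
CURRENT_ENTRY = """\
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 60
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
"""


def present_attributes(ldif_text):
    """Return the lower-cased attribute names found in one LDIF entry."""
    names = set()
    for line in ldif_text.splitlines():
        # Skip blank lines, comments and folded continuation lines.
        if not line or line[0] in "# ":
            continue
        name, sep, _ = line.partition(":")
        if sep:
            # Attribute names are case-insensitive; drop options like ";binary".
            names.add(name.split(";")[0].strip().lower())
    return names


def build_modify(dn, current_ldif, wanted):
    """wanted: list of (attribute, [values]) pairs, in the order to apply."""
    have = present_attributes(current_ldif)
    blocks = []
    for attr, values in wanted:
        # Present already -> replace; absent -> add.
        op = "replace" if attr.lower() in have else "add"
        lines = [f"{op}: {attr}"] + [f"{attr}: {v}" for v in values]
        blocks.append("\n".join(lines))
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(build_modify(
        "olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config",
        CURRENT_ENTRY,
        [("olcSpCheckpoint", ["100 30"]), ("olcSpSessionlog", ["1000"])],
    ), end="")
```

Because `replace:` overwrites every existing value of the attribute, list all values you want to keep when the attribute is multi-valued.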
