On Mon, Mar 17, 2025 at 08:04:30AM +0000, Windl, Ulrich wrote:
> but applying
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
>
> fails with:
> modifying entry "olcDatabase={-1}frontend,cn=config"
> ldap_modify: Object class violation (65)
> additional info: attribute 'olcPasswordHash' not allowed
>
> Do I have to add olcFrontendConfig explicitly?

Hi Ulrich,

yes, I did say that the attribute is allowed by *that* objectClass
in particular.

> My frontend has (from 2.4):
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {-1}frontend
>
> In case this is no longer correct, the upgrade guide for 24-to-2.5
> should be updated.

It is not currently incorrect to create it as such but it won't allow
you to configure important things like you just noticed. As such, it
is documented as "required".

It has always (since at least 2007) been added automatically for you if
you created one from slapd.conf and apart from one place in the Admin
Guide (which I've just corrected), all documentation mentions you should
be adding it if creating one manually. If you spot any other examples
that don't, please report them and we can fix those too.

So whoever created the configuration must have either created it without
reading said documentation or followed the (unfixed) admin guide and
they will realise eventually. In the future, we might consider rejecting
configurations without olcFrontendConfig, that's when we would note
something in the upgrade documentation.

Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
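
The change discussed in this thread, as an added example that is not part of the original message or of OpenLDAP's own tooling: a shell function that reads the frontend entry as LDIF and prints one modify record which adds olcFrontendConfig only when it is missing, then sets olcPasswordHash. The function name, the sample entries and the ldapi/EXTERNAL access mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example: build the LDIF that makes olcPasswordHash settable on the
# frontend database. Both changes go in ONE modify record, so the schema
# check sees the new objectClass and the attribute together.

FRONTEND_DN='olcDatabase={-1}frontend,cn=config'

# frontend_hash_ldif SCHEME
#   stdin : the frontend entry as LDIF (e.g. saved ldapsearch -LLL output)
#   stdout: a modify record for that entry
#   SCHEME: value for olcPasswordHash, e.g. '{SSHA256}' as in the thread
frontend_hash_ldif() {
    scheme=$1
    entry=$(cat)
    printf 'dn: %s\nchangetype: modify\n' "$FRONTEND_DN"
    # Attribute names and objectClass values are case-insensitive in LDAP.
    if ! printf '%s\n' "$entry" |
        grep -Eiq '^objectClass:[[:space:]]*olcFrontendConfig[[:space:]]*$'
    then
        printf 'add: objectClass\nobjectClass: olcFrontendConfig\n-\n'
    fi
    printf 'replace: olcPasswordHash\nolcPasswordHash: %s\n' "$scheme"
}

# Constructed sample: the frontend entry quoted in the thread (from 2.4).
SAMPLE_24='dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend'

# Constructed sample: the same entry with the objectClass already present.
SAMPLE_OK='dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend'

# Show the record generated for the entry from the thread.
# Assumption: on a live server the entry would be read with ldapsearch and
# the output piped to ldapmodify over ldapi:/// with SASL EXTERNAL.
printf '%s\n' "$SAMPLE_24" | frontend_hash_ldif '{SSHA256}'
```
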