LDIF add/replace syntax?

(slapd 2.4.47+dfsg-3+deb10u3 - from Debian 10)

I have searched for previous answers on this question, but despite following the suggestions (use changetype: modify), I am still having problems.

The problem is that I need to be able to write an LDIF file that has a mixture of new elements and existing elements that need to be modified.

However, neither of the approaches below is working.

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: foo
-
add: olcTLSCertificateFile
olcTLSCertificateFile: foo
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: foo
-
add: olcTLSCipherSuite
olcTLSCipherSuite: foo
-
add: olcTLSVerifyClient
olcTLSVerifyClient: foo

When run with ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/myconfigs/ldifs/certs.ldif it gives the following error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Inappropriate matching (18)
      additional info: modify/add: olcTLSCACertificateFile: no equality matching rule

If I then adapt to a replace style:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: foo
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: foo
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: foo
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: foo
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: foo

The error changes to:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)

What is the correct syntax for "add if does not exist and replace if exists"?


Replace actually is an "add if does not exist and replace if exists".

RFC 2849 states:

"There is a one-to-one correlation between LDAP operations that modify the directory (add, delete, modify, and modrdn), and the types of changerecords described below ("add", "delete", "modify", and "modrdn" or "moddn"). This correspondence is intentional, and permits a straightforward translation from LDIF changerecords to protocol operations."

Okay, let's see how these protocol operations should work in RFC 4511, section 4.6.

"replace: replace all existing values of the modification attribute with the new values listed, creating the attribute if it did not already exist. A replace with no value will delete the entire attribute if it exists, and it is ignored if the attribute does not exist."

Okay, that's even better, it's "add if not present", "replace if present" and even a "delete".

Let's try that.

Suppose I have this entity in my directory.

dn: cn=timor,ou=people,dc=orga,dc=tld
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
cn: timor
gidNumber: 10001
homeDirectory: /home/timor
sn: None
uid: timor
uidNumber: 10001
displayName: Timor
givenName: Timor
userPassword:: <stripped>

I set up this LDIF, which adds three mail values to the entity, not using "add" but "replace".

dn: cn=timor,ou=people,dc=orga,dc=tld
changetype: modify
replace: mail
mail: first
mail: second
mail: third

Just ldapmodify that to the directory.

timor@somehost ~ $ ldapmodify -x -H ldaps://localhost -D "cn=Manager,dc=orga,dc=tld" -w "superSecret" -f /tmp/3mail.ldif 
modifying entry "cn=timor,ou=people,dc=orga,dc=tld"

Works fine. (I am not going to paste even more LDIFs; I believe you trust me that the values are there.)

So this actually shows that there's some other problem. Unfortunately, OpenLDAP's error message "ldap_modify: Other (e.g., implementation specific) error (80)" isn't very helpful, either. I've seen it more than once and often for completely different reasons, e.g. schema violations, permission problems and what not.

My advice would be to stick to your second (changetype: modify) snippet and turn on debugging with -d -1 when issuing the ldapmodify command. If that doesn't help - and I fear it won't - you can do the same with slapd itself, same -d -1 option, and have a close look at the log file while you are issuing the ldapmodify command.
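As an added example (not code from the question or the answer, and not OpenLDAP's own tooling; the function names are my own), here is a small Python module that builds, parses and dry-runs "changetype: modify" records following the RFC 2849 syntax and the RFC 4511 section 4.6 replace semantics quoted in the answer. The parser refuses a record that lacks the changetype line, which is what the first snippet in the question is missing, and tolerates the missing final "-" the way ldapmodify does; the dry-run shows that a replace creates the attribute when it is absent, overwrites it when present, and deletes it when given no values. The "no equality matching rule" error in the question is slapd refusing modify/add on an attribute whose schema defines no EQUALITY rule, so replace is the form to use for the olcTLS* attributes; a dry-run like this cannot tell you why slapd then answers error 80, which is what the -d -1 debugging in the answer is for.

```python
"""Build, parse and dry-run RFC 2849 'changetype: modify' records.
Example code added to this thread; models RFC 4511 section 4.6 semantics in memory."""
import base64
import re
from typing import Dict, List, Tuple

Change = Tuple[str, str, List[str]]        # (op, attribute, values)
MOD_OPS = ("add", "delete", "replace")
_LINE = re.compile(r"^([A-Za-z0-9.;-]+)(::?) ?(.*)$")


def needs_base64(value: str) -> bool:
    """RFC 2849: values that are not SAFE-STRINGs must be written base64 after '::'."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 0x7F or c in "\x00\n\r" for c in value)


def encode_line(attr: str, value: str) -> str:
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_ldif(dn: str, changes: List[Change]) -> str:
    """Emit one modify record; every mod-spec ends with '-' as RFC 2849 requires."""
    lines = [encode_line("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in MOD_OPS:
            raise ValueError(f"unknown modify op {op!r}")
        if op == "add" and not values:
            raise ValueError(f"add: {attr} needs at least one value")
        lines.append(f"{op}: {attr}")
        lines.extend(encode_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def _split(line: str) -> Tuple[str, str]:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an LDIF attrval line: {line!r}")
    attr, sep, value = m.groups()
    if sep == "::":                         # base64-encoded value
        value = base64.b64decode(value).decode("utf-8")
    return attr, value


def parse_modify_ldif(text: str) -> Tuple[str, List[Change]]:
    """Parse a single modify record; reject the mistakes ldapmodify reports tersely."""
    # Join folded continuation lines (leading space), drop blank and comment lines.
    lines = [l for l in text.replace("\n ", "").splitlines() if l and not l.startswith("#")]
    if not lines or _split(lines[0])[0].lower() != "dn":
        raise ValueError("record must start with a dn: line")
    dn = _split(lines[0])[1]
    if len(lines) < 2 or tuple(s.lower() for s in _split(lines[1])) != ("changetype", "modify"):
        raise ValueError("missing 'changetype: modify' line")
    changes: List[Change] = []
    current = None
    for line in lines[2:]:
        if line == "-":                     # end of one mod-spec
            if current is None:
                raise ValueError("stray '-' separator")
            changes.append(current)
            current = None
            continue
        attr, value = _split(line)
        if current is None:
            if attr not in MOD_OPS:
                raise ValueError(f"expected add/delete/replace, got {attr!r}")
            current = (attr, value, [])
        elif attr.lower() != current[1].lower():
            raise ValueError(f"value for {attr!r} inside mod-spec for {current[1]!r}")
        else:
            current[2].append(value)
    if current is not None:                 # ldapmodify tolerates a missing final '-'
        changes.append(current)
    return dn, changes


def apply_modify(entry: Dict[str, List[str]], changes: List[Change]) -> Dict[str, List[str]]:
    """Dry-run the change list with RFC 4511 section 4.6 semantics on a copy of the entry."""
    out = {k: list(v) for k, v in entry.items()}
    for op, attr, values in changes:
        if op == "replace":
            if values:
                out[attr] = list(values)    # creates the attribute if it did not exist
            else:
                out.pop(attr, None)         # empty replace deletes; ignored if absent
        elif op == "add":
            have = out.setdefault(attr, [])
            dup = [v for v in values if v in have]
            if dup:
                raise ValueError(f"attributeOrValueExists: {attr} {dup}")
            have.extend(values)
        else:                               # delete
            if attr not in out:
                raise ValueError(f"noSuchAttribute: {attr}")
            if not values:
                del out[attr]
            else:
                for v in values:
                    out[attr].remove(v)     # ValueError if the value is not present
                if not out[attr]:
                    del out[attr]
    return out
```

Feeding the generated text to ldapmodify -f is the real test; the dry-run only catches syntax and semantic slips (missing changetype, values under the wrong attribute, add of an existing value) before slapd sees them.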