Did I import inetOrgPerson schema correctly for OpenLDAP on Alpine Linux?
I'm trying to import a user into OpenLDAP on Alpine Linux. Here's the LDIF that I named searchUser.ldif:
# Search account
dn: uid=search,dc=home
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: search
sn: search
uid: search
The command I used to import it is:
ldapadd -x -D "cn=Manager,dc=home" -w supersecret -f searchUser.ldif
The error I get is:
ldap_add: Invalid syntax (21) additional info: objectClass: value #2 invalid per syntax
My understanding of this is the objectClasses are numbered, starting with 0, and that #2 indicates the problem is with inetOrgPerson.
I've done this successfully using OpenLDAP on Raspberry Pi OS (Debian). However, I get the feeling the Debian package automates some configuration steps that the Alpine package does not. One of those steps I think Debian does during the package install is to import the inetOrgPerson schema.
I've tried to do the schema import manually. Here are the steps I took prior to trying the LDIF import...
I scripted my install of OpenLDAP on Alpine, like so:
export DOMAIN="dc=home"
echo "Installing packages..."
apk add openldap openldap-back-mdb openldap-clients
echo "Configuring for v2.3+ style slapd.d config directory..."
install -m 755 -o ldap -g ldap -d /etc/openldap/slapd.d
sed -i~ \
-e 's/^cfgfile=/#cfgfile=/' \
-e 's/^#cfgdir=.*/cfgdir=\"\/etc\/openldap\/slapd.d\"/' \
/etc/conf.d/slapd
rm /etc/openldap/slapd.conf
echo "Customizing for domain: ${DOMAIN}..."
sed -i~ \
-e 's/\.la$/.so/' \
-e "s/dc=my-domain,dc=com/${DOMAIN}/" /etc/openldap/slapd.ldif
echo "Importing configuration..."
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
chown -R ldap:ldap /etc/openldap/slapd.d/*
echo "Configuring slapd service..."
install -m 755 -o ldap -g ldap -d /var/lib/openldap/run
service slapd start
rc-update add slapd
The slapd service started and I could connect to it with command-line tools and from a client over port 389. So far, so good.
The next thing I did was to import schema for cosine and inetOrgPerson. I believe the Debian package did this automatically, because I don't recall having to do this previously.
Here's what I did on Alpine to import the schema:
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/cosine.ldif
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/inetorgperson.ldif
There were no errors.
I then created an organization using the command ldapadd -x -D "cn=Manager,dc=home" -w secret -f org.ldif
and this LDIF as org.ldif:
dn: dc=home
objectclass: dcObject
objectclass: organization
o: Home
dc: home

dn: cn=Manager,dc=home
objectclass: organizationalRole
cn: Manager
This too was successful.
I can also create organizational units with this LDIF:
# Organizational unit for users
dn: ou=People,dc=home
changetype: add
objectClass: organizationalUnit
ou: People

# Organizational unit for groups.
dn: ou=Groups,dc=home
changetype: add
objectClass: organizationalUnit
ou: Groups
So I think my server is okay, but I may have done something wrong with the inetOrgPerson schema import that's causing the Invalid syntax (21) error.
Is the way I'm importing the inetOrgPerson schema correct? Is there a way to verify it?
Solution 1:[1]
I believe the problem was due to incorrect ownership for the new files in the /etc/openldap/slapd.d/cn=config/cn=schema directory. Once I fixed that, I was able to import the search user.
Because I ran the slapadd commands as the root user, the resulting schema config files were owned by root. I discovered this when I restarted the slapd service and it failed with this error in /var/log/messages:
ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif"
The solution was to change ownership on the files. This is the correct ownership:
alpine:/etc/openldap/slapd.d/cn=config/cn=schema# ls -l
total 32
-rw------- 1 ldap ldap 15575 May 5 12:43 cn={0}core.ldif
-rw------- 1 ldap ldap 11361 May 5 14:53 cn={1}cosine.ldif
-rw------- 1 ldap ldap 2855 May 5 14:53 cn={2}inetorgperson.ldif
So the answer to this question is...
- Yes, importing with
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/inetorgperson.ldif
worked fine, but the command should have been run as the ldap user so the ownership is correct. (Or run as root and change ownership after.)
- One way to verify the schema is to look inside the /etc/openldap/slapd.d directory. Specifically, /etc/openldap/slapd.d/cn=config/cn=schema shows evidence of the schema I added.
Even with the potential for incorrect file ownership, I see this as a much easier way to add schema than some of the other tutorials I've found that involve creating and editing a temporary slapd.conf file.
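Added example, not from the question or the answer: a small POSIX shell toolkit that scripts the two checks the answer describes (ownership of the schema files under slapd.d, and which schema files are actually loaded) and goes one step further by checking an LDIF's objectClass values against the loaded schema, which is the mismatch behind the Invalid syntax (21) error. The slapd.d path is a parameter, the function names are my own, and the file layout assumed is the one shown in the ls output above.

```shell
#!/bin/sh
# Added example (not from the question or the answer): sanity checks for
# schema imported into an OpenLDAP slapd.d directory with `slapadd -n 0`.
# Assumes the layout shown above: DIR/cn=config/cn=schema/cn={N}name.ldif

# List the loaded schema files in load order, e.g. "{2}inetorgperson".
# The sed/sort dance keeps {10} after {2} (a plain glob sorts lexically).
list_schemas() {
    for f in "$1"/cn=config/cn=schema/cn={*}*.ldif; do
        [ -e "$f" ] || continue
        f=${f##*/}; f=${f#cn=}; printf '%s\n' "${f%.ldif}"
    done | sed 's/^{\([0-9]*\)}/\1 /' | sort -n | sed 's/^\([0-9]*\) /{\1}/'
}

# Fail (status 1) if any schema file is not owned by USER; slapadd run as
# root leaves them root-owned and slapd then gets "Permission denied".
# Status 2 means find itself failed (for example an unknown user name).
check_schema_owner() {
    bad=$(find "$1/cn=config/cn=schema" -type f ! -user "$2") || return 2
    [ -z "$bad" ] && return 0
    printf 'not owned by %s:\n%s\n' "$2" "$bad" >&2
    return 1
}

# Succeed if some loaded schema file defines objectClass NAME, written as
# "NAME 'x'" or "NAME ( 'x' 'alias' )". LDIF folds long lines and marks the
# continuation with a leading space, so unfold before matching.
schema_defines_objectclass() {
    cat "$1"/cn=config/cn=schema/cn=*.ldif 2>/dev/null |
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }' |
    grep -Eq "^olcObjectClasses:.*NAME ('$2'|\( [^)]*'$2')"
}

# Check every objectClass value in an LDIF against the loaded schema and
# report the ones slapd would reject with "value #N invalid per syntax".
check_ldif_objectclasses() {
    missing=$(grep -i '^objectClass:' "$2" | sed 's/^[^:]*: *//' | sort -u |
        while read -r oc; do
            schema_defines_objectclass "$1" "$oc" || printf '%s\n' "$oc"
        done)
    [ -z "$missing" ] && return 0
    printf 'objectClass values not defined by loaded schema:\n%s\n' "$missing" >&2
    return 1
}

# Typical use on the server from the question:
#   check_schema_owner /etc/openldap/slapd.d ldap
#   check_ldif_objectclasses /etc/openldap/slapd.d searchUser.ldif
```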
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Dave H. |