5

I have created this custom and very basic schema:

objectclass ( 2.25.2.2.1
    NAME 'myObjectClass'
    DESC 'myObjectClass objectclass'
    STRUCTURAL
    MUST ( cn )
    )

I have added it without problem with this myObjectClass.ldif file:

dn: cn=myObjectClass,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: myObjectClass
olcObjectClasses: {0}( 2.25.2.2.1 NAME 'myObjectClass' DESC 'myObjectClass objectclass' STRUCTURAL MUST cn )

Using ldapmodify:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f myObjectClass.ldif

Now I'm trying to delete it with delete.ldif:

dn: cn=schema,cn=config
changetype: modify
delete: objectClass
objectClass: 2.25.2.2.1

Using ldapmodify I always get ldap_modify: Server is unwilling to perform (53):

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f delete.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=schema,cn=config"
ldap_modify: Server is unwilling to perform (53)

I'm running Ubuntu 14.04 Server with OpenLDAP 2.4.31

I have found this in the official docs:

A.2.2. Better cn=schema functionality

In 2.3 you were only able to add new schema elements, not delete or modify existing elements. In 2.4 you can modify schema at will. (Except for the hardcoded system schema, of course.)

Can someone share any clue?

Thanks in advance!

4 Answers

2

The way to modify the schema configuration in version 2.4 of the OpenLDAP server is:

  • Remove all entries that use this schema

Then:

  • stop slapd
  • use slapcat to export the dynamic config to LDIF
  • modify the LDIF export to remove the schema in question
  • remove (or rename) your old dynamic config directory
  • slapadd the updated LDIF
  • start slapd

According to this talk on the official site.

0

Late answer, but anyway: The objectClass was added using

dn: cn=myObjectClass,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: myObjectClass
olcObjectClasses: {0}( 2.25.2.2.1 NAME 'myObjectClass' DESC 'myObjectClass objectclass' STRUCTURAL MUST cn )

but the attempt to delete it was

dn: cn=schema,cn=config
changetype: modify
delete: objectClass
objectClass: 2.25.2.2.1

Obviously the attribute to delete is olcObjectClasses, not objectClass, and the value must be exactly the one stored (if you are lucky, it's the same as you added).

So it can be done (most likely), but it is quite tricky. Consider this value of olcObjectClasses (specifically the spaces):

olcObjectClasses: {3}( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an I
 nternet Protocol service.        Maps an IP port and protocol (such as tcp or
  udp)        to one or more names; the distinguished value of        the cn a
 ttribute denotes the services canonical        name' SUP top STRUCTURAL MUST
 ( cn $ ipServicePort $ ipServiceProtocol ) MAY description )

I'm unsure whether the ordering ({3}) must match in order to delete an attribute value.

U. Windl
0

I know this is an old thread, but maybe my answer will help someone else (including myself in the future).

My OpenLDAP version: slapd (Ubuntu) (Apr 10 2019 12:53:11)

I know that we should never manually edit configuration files, but I have already tried ldapmodify and ldapdelete and neither works. This is my last resort, and it actually works.

cd /etc/ldap
/etc/init.d/slapd stop                  # slapcat/slapadd on cn=config must not run under a live slapd
mv slapd.d /var/backups/slapd.d.bak
mkdir slapd.d
# export from the directory that was just moved aside (the original pointed -F at a path that no longer existed)
slapcat -n0 -F /var/backups/slapd.d.bak > /tmp/config-in-portable-format.ldif

Edit the file /tmp/config-in-portable-format.ldif here...

slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config-in-portable-format.ldif
chown -R openldap:openldap slapd.d/
chmod -R u=rwX,go= slapd.d/             # cn=config can hold olcRootPW; do not make it world-readable
/etc/init.d/slapd start
ardh
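The following Python is an added example and is not code from the question or from any of the answers. It puts the two removal routes on this page into working form on LDIF text alone, so it runs offline against a constructed `slapcat -n0` style export (the sample is made up for this example; the custom entry mirrors the one in the question). `delete_value_ldif` does what U. Windl's answer describes: it locates the stored `olcObjectClasses` value by OID with RFC 2849 line folding undone, so the value is exactly what slapd holds, spacing and `{N}` prefix included, and writes a `changetype: modify` record against the schema entry's own DN (`cn={N}myObjectClass,cn=schema,cn=config`, not `cn=schema,cn=config`) for `ldapmodify -Y EXTERNAL -H ldapi:///`. `strip_schema_entry` does the "edit the file" step of the slapcat/slapadd procedure from the first and third answers, removing that schema entry from the export before `slapadd -n0`. Function names, the regex and the sample export are assumptions of this example; base64 (`::`) values are not handled, and neither helper can check whether directory entries still use the class, which slapd will still refuse to remove if they do.

```python
"""Added example, not code from the question or any answer: offline helpers
for the two schema-removal routes on this page, working on LDIF text only.
Function names and the sample export below are this example's own."""
import re

# Constructed sample of what `slapcat -n0` exports for a cn=config that holds
# the custom entry from the question. Values are folded the way slapd writes
# them: a line starting with one space continues the previous line.
SAMPLE_CONFIG_LDIF = """\
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top
  STRUCTURAL MUST c MAY ( searchGuide $ description ) )

dn: cn={1}myObjectClass,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {1}myObjectClass
olcObjectClasses: {0}( 2.25.2.2.1 NAME 'myObjectClass' DESC 'myObjectClass objec
 tclass' STRUCTURAL MUST cn )
"""

OID_RE = re.compile(r"^\{\d+\}\(\s*([0-9.]+)")


def parse_ldif(text):
    """Parse LDIF into [(dn, [(attr, value), ...])], undoing RFC 2849 folding."""
    records, lines = [], []

    def flush():
        if not lines:
            return
        attrs = []
        for line in lines:
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line (no colon): {line!r}")
            if value.startswith(":"):
                raise ValueError("base64 (::) values are not handled here")
            # one space after the colon is the separator; the rest is the value
            attrs.append((attr, value[1:] if value.startswith(" ") else value))
        if attrs[0][0].lower() != "dn":
            raise ValueError("record does not start with dn:")
        records.append((attrs[0][1], attrs[1:]))
        lines.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" "):  # continuation: drop the one leading space
            if not lines:  # the leading-space error from the last answer on this page
                raise ValueError(f"continuation with nothing to continue: {raw!r}")
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    flush()
    return records


def find_schema_value(records, oid):
    """Return (entry_dn, stored_value) of the olcObjectClasses value with this OID."""
    for dn, attrs in records:
        if not dn.lower().endswith(",cn=schema,cn=config"):
            continue
        for attr, value in attrs:
            m = OID_RE.match(value) if attr.lower() == "olcobjectclasses" else None
            if m and m.group(1) == oid:
                return dn, value
    raise LookupError(f"no olcObjectClasses value with OID {oid}")


def fold(line, width=76):
    """Fold a long line back into valid LDIF (continuations start with a space)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def delete_value_ldif(records, oid):
    """Route 1: modify record against the schema entry's own DN deleting the one
    olcObjectClasses value, quoted exactly as stored; feed it to ldapmodify."""
    dn, value = find_schema_value(records, oid)
    lines = [f"dn: {dn}", "changetype: modify", "delete: olcObjectClasses",
             f"olcObjectClasses: {value}"]
    return "\n".join(fold(l) for l in lines) + "\n"


def strip_schema_entry(records, oid):
    """Route 2: the slapcat export minus the schema entry carrying the class,
    for `slapadd -n0` into an empty slapd.d; other entries are written back as is."""
    dn, _ = find_schema_value(records, oid)
    chunks = []
    for d, attrs in records:
        if d != dn:
            lines = [f"dn: {d}"] + [f"{a}: {v}" for a, v in attrs]
            chunks.append("\n".join(fold(l) for l in lines))
    return "\n\n".join(chunks) + "\n"
```

In practice you would feed `parse_ldif` the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -LLL olcObjectClasses` for route 1, or the `slapcat -n0` file for route 2, and pass the result of `delete_value_ldif` to `ldapmodify` or write the result of `strip_schema_entry` back over the export. Quoting the value as slapd returns it, `{N}` prefix included, sidesteps the ordering question raised above; with route 1 slapd will still answer with an error if the class is referenced elsewhere, so check the data first.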
-1

I have encountered this error while trying to add a schema using

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

and it was telling me:

"ldap_modify: Server is unwilling to perform (53) additional info: no global superior knowledge"

I figured out my ldif file was not well formatted (notice the space I had before the distinguished name).