Unable to set nsslapd-db-locks: Object class violation

[tiran]

Issue Description
I'm unable to configure nsslapd-db-locks with ldapmodify. The attribute is not set by default and adding the attribute to cn=config,cn=ldbm database,cn=plugins,cn=config fails with an object class violation. I'm getting the same error with Apache Directory Studio, too.

Also see #1965

Package Version and Platform:

• 389-ds-base-1.4.3.12-1.fc32.x86_64

Steps to Reproduce

Run ldapmodify as DM with LDIF:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: nsslapd-db-locks
nsslapd-db-locks: 50000

2020-09-24T08:53:19Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/usr/share/ipa/ldbm-tuning.ldif', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL']
2020-09-24T08:53:19Z DEBUG Process finished, return code=65
2020-09-24T08:53:19Z DEBUG stdout=add nsslapd-db-locks:
	50000
modifying entry "cn=config,cn=ldbm database,cn=plugins,cn=config"


2020-09-24T08:53:19Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-TEST.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Object class violation (65)

[24/Sep/2020:05:25:26.390095052 -0400] conn=28 op=25 MOD dn="cn=config,cn=ldbm database,cn=plugins,cn=config"
[24/Sep/2020:05:25:26.398206080 -0400] conn=28 op=25 RESULT err=65 tag=103 nentries=0 wtime=0.000419644 optime=0.008146619 etime=0.008562423

Expected results
no error

Additional context

cn=config,cn=ldbm database,cn=plugins,cn=config has class extensibleObject but no schema provides the attribute nsslapd-db-locks. I think this triggers the violation.

[vashirov]

Please try with replace instead of add:

# ldapsearch -LLL -D cn=directory\ manager -w password -b "cn=config,cn=ldbm database,cn=plugins,cn=config" nsslapd-db-locks | grep nsslapd-db-locks 
nsslapd-db-locks: 10000
# cat db-locks.ldif
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-db-locks
nsslapd-db-locks: 50000

# ldapmodify -D cn=directory\ manager -w password -f db-locks.ldif 
modifying entry "cn=config,cn=ldbm database,cn=plugins,cn=config"

# ldapsearch -LLL -D cn=directory\ manager -w password -b "cn=config,cn=ldbm database,cn=plugins,cn=config" nsslapd-db-locks | grep nsslapd-db-locks 
nsslapd-db-locks: 50000

[vashirov]

The attribute is not set by default

It's not set in dse.ldif but present in cn=config (as seen above). See this comment on why it is like this: #2065 (comment)

[tiran]

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-db-locks
nsslapd-db-locks: 50000

does not persist the value. The setting gets lost every time DS is restarted.

[tiran]

mh, it's not getting persistent in cn=config,cn=ldbm database,cn=plugins,cn=config but in cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config.

# ldapmodify -D "cn=Directory Manager" -w Secret123 -f db-locks.ldif 
modifying entry "cn=config,cn=ldbm database,cn=plugins,cn=config"

# ldapsearch -LLL -D "cn=Directory Manager" -w Secret123 -b "cn=config,cn=ldbm database,cn=plugins,cn=config" nsslapd-db-locks | grep -B1 db-locks
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-locks: 70000

[tiran]

This is a bug in FreeIPA, see https://pagure.io/freeipa/issue/8515

Thanks for your assistance, @vashirov

[tiran]

I have opened freeipa/freeipa#5145 to address the FreeIPA bug. There is nothing to do for 389-DS.