LDAP Configuration Error: Fixing “wrong attributeType” When Enabling MirrorMode with ldapadd

When working with OpenLDAP's dynamic configuration (cn=config), administrators enabling MirrorMode frequently run into the "wrong attributeType" error when they push an LDIF record like the following with ldapmodify (note the trailing space after the attribute name on the add: line; it is easy to overlook and it is the defect):

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcMirrorMode 
olcMirrorMode: TRUE

The wording suggests a schema problem, but the message does not come from slapd's schema checking at all: it is raised by ldapmodify's LDIF parser before anything is sent to the server. In a changetype: modify record, every value line that follows an add:, replace: or delete: directive must name the attribute given on that directive line, and trailing whitespace is significant to the LDIF reader. Here the directive names "olcMirrorMode " (with a trailing space) while the value line names "olcMirrorMode", so the record is rejected. Removing the stray space clears this particular error. olcMirrorMode itself belongs to slapd's built-in cn=config schema and needs no extra schema file or module.

Fixing the whitespace exposes a second, server-side requirement. According to slapd-config(5), olcMirrorMode: TRUE is only accepted on a database that is already a syncrepl consumer (it carries an olcSyncrepl value), and mirror mode also requires an olcServerID on cn=config. Setting mirror mode before those two pieces are in place is refused by slapd.

First, confirm the server is OpenLDAP 2.4 or later (slapd -V); MirrorMode does not exist in 2.3. Then apply the LDIF below on the first server with ldapmodify -Y EXTERNAL -H ldapi:/// -f mirror.ldif (mirror.ldif is a placeholder name). On the second server use a different olcServerID value and point provider= at the first server, so the two configurations are mirror images rather than identical copies. On 2.5 and later the database entry is usually olcDatabase={1}mdb rather than {1}hdb. The consumer binds as a dedicated replicator account rather than the directory admin, and the two add operations on the database entry are separated by a line containing only "-" (a blank line would end the record instead):

# unique per server; the peer gets olcServerID: 2
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# olcSyncrepl must precede olcMirrorMode; "-" separates the two operations
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://master.example.com bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com" credentials=secret
  searchbase="dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

After applying the configuration, confirm that both attributes are now present on the database entry. olcSyncrepl is printed in full, including the credentials= value, so run this on a trusted terminal:

ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "(olcMirrorMode=TRUE)" olcSyncrepl olcMirrorMode

Key points to check:

  • The syncprov module is loaded and the syncprov overlay exists under the database entry on both servers; without it the peer has nothing to replicate from
  • Each server has its own olcServerID, and each server's olcSyncrepl points at the other server
  • The replicator bind DN exists on both servers and ACLs grant it read access to the whole searchbase
  • Firewalls allow LDAP (389) or LDAPS (636) traffic in both directions between the two servers

For production environments, move replication off a cleartext ldap:// connection with a simple bind. The variant below uses LDAPS with certificate verification (tls_reqcert=demand) and authenticates the consumer with its own client certificate through SASL EXTERNAL, so no replication password sits in cn=config; the certificate, key and CA paths are placeholders. The provider must map the client certificate's subject DN to the replicator identity (olcAuthzRegexp) and grant that identity read access to the searchbase. If client certificates are not an option, bindmethod=simple with starttls=critical and tls_reqcert=demand at least keeps the password off the wire. Again, the two replace operations are separated by "-":

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://master.example.com:636 bindmethod=sasl
  saslmech=EXTERNAL tls_reqcert=demand tls_cacert=/etc/ldap/ca.crt
  tls_cert=/etc/ldap/replica.crt tls_key=/etc/ldap/replica.key
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +"
-
replace: olcMirrorMode
olcMirrorMode: TRUE

Looking at the same problem from the client side: the wrong attributeType message is produced by ldapmodify while it parses a changetype: modify record, and it means that a value line does not carry the attribute named by the add:, replace: or delete: directive above it. The usual triggers are:

  1. Trailing whitespace (or a typo) after the attribute name on the directive line
  2. A second operation that is not separated from the previous one by a line containing only "-", so its add:/replace: line is read as a value line of the first operation
  3. A value line for one attribute placed under a directive that names another

An attribute that slapd genuinely does not know is a different failure: the record parses, the server rejects it, and ldapmodify reports the server's result (Undefined attribute type) instead.

In the record from the question (the trailing space after olcMirrorMode on the add: line is the defect):

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcMirrorMode 
olcMirrorMode: TRUE

The trailing space makes the directive's attribute name differ from the one on the value line, which is exactly what the parser rejects. Removing it clears the parse error, but slapd will then still refuse olcMirrorMode: TRUE unless the database already carries an olcSyncrepl value and cn=config has an olcServerID. olcSyncrepl did not replace olcMirrorMode; the two work together, consumer definition first and mirror mode second.
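Both rules, the parser's attribute-name match and slapd's consumer-first requirement, can be checked before an LDIF ever reaches the server. The script below is an added example written for this page, not code from the original answer or from the OpenLDAP project. It works on constructed sample LDIF; peer.example.com and cn=replicator are placeholders. Its LDIF reader deliberately keeps trailing whitespace in values, which is what reproduces the defect from the question, and it knows that a "-" line separates operations within one modify record.

```python
"""Pre-flight checks for a cn=config LDIF before ldapmodify pushes it (added
example, not code from the page or the OpenLDAP project). Two rules are checked:
client side, every value line under add:/replace:/delete: must name the same
attribute as the directive (ldapmodify's "wrong attributeType"), and a second
operation in a record needs a "-" line before it; server side (slapd-config(5)),
olcMirrorMode: TRUE needs olcSyncrepl on that database and olcServerID on
cn=config. Sample LDIF is constructed inline; no server is contacted."""

DIRECTIVES = {"add", "replace", "delete", "increment"}


def unfold_ldif(text):
    """Split LDIF into records of (line_no, text), joining continuation lines."""
    records, current = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw == "":                          # blank line ends the record
            if current:
                records.append(current)
            current = []
        elif raw.startswith(" ") and current:  # continuation: drop ONE leading space
            first, prev = current[-1]
            current[-1] = (first, prev + raw[1:])
        else:
            current.append((lineno, raw))
    if current:
        records.append(current)
    return records


def split_line(line):
    """(attribute, value): leading spaces of the value go, trailing ones stay,
    which is what makes "add: olcMirrorMode " mismatch the value line below it."""
    attr, sep, value = line.partition(":")
    if not sep:
        raise ValueError("not an attribute/value line: %r" % line)
    return attr, value.lstrip(" ")


def lint_modify_record(record):
    """Client-side rule behind "wrong attributeType"; returns a list of findings."""
    head = [split_line(text) for _, text in record[:2]]
    if len(head) < 2 or head[0][0].lower() != "dn" or head[1][0].lower() != "changetype" \
            or head[1][1].strip().lower() != "modify":
        return []                              # only modify records carry directives
    findings, current = [], None               # current: attribute on the open directive
    for lineno, line in record[2:]:
        if line == "-":                        # separator between two operations
            current = None
            continue
        attr, value = split_line(line)
        if current is None:
            current = value if attr.lower() in DIRECTIVES else None
            if current is None:
                findings.append("line %d: expected add:/replace:/delete:, got %r" % (lineno, attr))
        elif attr.lower() != current.lower():
            hint = (" (whitespace after the attribute name on the directive line)"
                    if attr.strip().lower() == current.strip().lower() else
                    " (missing '-' separator before this operation?)" if attr.lower() in DIRECTIVES else "")
            findings.append("line %d: wrong attributeType %r, expected %r%s" % (lineno, attr, current, hint))
    return findings


def check_mirror_prereqs(records, already_consumer=(), serverid_configured=False):
    """Server-side rule; already_consumer = database DNs that carry olcSyncrepl
    before this LDIF, serverid_configured = cn=config already has olcServerID."""
    issues, serverid = [], serverid_configured
    consumers = {dn.lower() for dn in already_consumer}
    for record in records:
        dn = split_line(record[0][1])[1].strip().lower()
        for lineno, line in (item for item in record[1:] if item[1] != "-"):
            attr, value = split_line(line)
            name = attr.strip().lower()
            if name == "olcsyncrepl":
                consumers.add(dn)
            elif name == "olcserverid":
                serverid = True
            elif name == "olcmirrormode" and value.strip().upper() == "TRUE":
                if dn not in consumers:
                    issues.append("line %d: %s has no olcSyncrepl; mirror mode needs a consumer" % (lineno, dn))
                if not serverid:
                    issues.append("line %d: olcMirrorMode also requires olcServerID on cn=config" % lineno)
    return issues


def preflight(text, already_consumer=(), serverid_configured=False):
    records = unfold_ldif(text)
    return {"lint": [f for r in records for f in lint_modify_record(r)],
            "prereqs": check_mirror_prereqs(records, already_consumer, serverid_configured)}


# Constructed sample mirroring the record from the page; note the trailing space after olcMirrorMode.
BAD_LDIF = "dn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcMirrorMode \nolcMirrorMode: TRUE\n"

# Constructed corrected record: consumer definition, "-", then mirror mode. Continuation
# lines start with two spaces: the first is the LDIF fold marker, the second keeps words apart.
GOOD_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://peer.example.com bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com" credentials=secret
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5"
-
add: olcMirrorMode
olcMirrorMode: TRUE
"""

# Same record without the "-": the second add: line is read as a value line of olcSyncrepl.
NO_DASH_LDIF = GOOD_LDIF.replace("\n-\n", "\n")
```

preflight(BAD_LDIF) flags line 4 with the whitespace hint and, because the database is not yet a consumer and no olcServerID is set, two prerequisite issues; preflight(NO_DASH_LDIF) shows the missing-separator variant; preflight(GOOD_LDIF, serverid_configured=True) is clean. Pass already_consumer and serverid_configured to describe what the running server already has, since the script cannot look that up itself.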

Configure the consumer first

Define the syncrepl consumer on the database (continuation lines start with two spaces: the first is the LDIF fold marker, the second keeps the joined words apart):

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://primary.example.com bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com" credentials=secret
  searchbase="dc=example,dc=com" type=refreshAndPersist
  retry="5 5 300 5" timeout=1

Then, with olcServerID set on cn=config, re-apply the olcMirrorMode record from above without the trailing space. The credentials= value is stored in cleartext in cn=config, so keep cn=config readable only by root over ldapi:/// and give cn=replicator nothing beyond read access to the searchbase.

Verifying that the attribute is known

The olc* attribute types live in slapd's built-in config schema, not in a schema file under cn=schema,cn=config, so the place to confirm that the server defines the attribute is its subschema entry:

# Check that slapd defines the attribute
ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=Subschema -s base "(objectClass=*)" attributeTypes | grep -i olcMirrorMode

When facing attribute errors:

  1. Re-read the LDIF for whitespace after attribute names, missing "-" separators and continuation lines that lost their leading space
  2. Verify which schema files are loaded (relevant for attributes from custom schemas, not for the built-in olc* attributes): ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=schema,cn=config "(objectClass=*)" cn
  3. Check what the entry currently contains before modifying it: ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b olcDatabase={1}hdb,cn=config -s base
  4. Consult slapd-config(5) for your specific OpenLDAP version

Common mistakes:

  • Mixing slapd.conf directive names (mirrormode, syncrepl) with cn=config attribute names (olcMirrorMode, olcSyncrepl)
  • Assuming attribute names without verification
  • Not checking OpenLDAP version compatibility

Directive names differ between slapd.conf and cn=config, and the default backend moved from hdb to mdb in later releases, so always confirm what you are running:

# Check your version
slapd -V

On 2.4 and later the working combination for a two-node mirror is the syncprov overlay on both servers (so each can serve the other), an olcSyncrepl consumer definition on each server pointing at its peer, a distinct olcServerID per server, and olcMirrorMode: TRUE set last. The syncprov overlay is not an alternative to mirror mode; mirror mode does not work without it.