How to Properly Delete olcDatabase Configuration in OpenLDAP Using ldapdelete


When working with OpenLDAP's dynamic configuration (cn=config), you might encounter situations where duplicate database configurations cause errors. The specific error message:

ldap_add: Other (e.g., implementation specific) error (80)
    additional info: <olcSuffix> namingContext "dc=home,dc=local" already served by a preceding hdb database

indicates that your attempted configuration conflicts with an existing database definition in the OpenLDAP server.

The normal approach of using:

sudo ldapdelete 'dc=example,dc=local'

fails because:

  1. It targets a data entry under the served suffix, whereas the object to remove is the database definition itself, a configuration entry under cn=config
  2. The cn=config backend requires SASL authentication
  3. No olcRootPW was set in the initial configuration, so there is no password to bind with

To remove the improperly configured database, use this EXTERNAL SASL authentication method:

sudo ldapdelete -Y EXTERNAL -H ldapi:/// "olcDatabase={1}hdb,cn=config"

Key points about this command:

  • -Y EXTERNAL selects the SASL EXTERNAL mechanism: over ldapi:/// slapd takes the identity from the Unix uid and gid of the connecting process, so running it as root supplies the identity that the stock cn=config access rules allow to manage the configuration
  • -H ldapi:/// connects over the local Unix-domain socket rather than TCP, which is what makes the EXTERNAL identity mapping possible
  • The DN names the exact configuration entry to remove; the {1} is the database's index within cn=config, so confirm the actual value with ldapsearch before deleting

If ldapdelete is unavailable or does not work, ldapmodify with a delete changetype performs the same operation:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={1}hdb,cn=config
changetype: delete
EOF

After deletion, verify the configuration is clean:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

Look for any remaining database configurations with the same suffix.

Once the conflicting database is removed, you can properly configure a new database:

sudo ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
# slapd assigns the database index ({1}) automatically
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=local
# The directory must already exist and be writable by the slapd user
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=local
# Placeholder: use a hash generated with slappasswd, never a cleartext value
olcRootPW: {SSHA}hashedpassword
olcDbIndex: objectClass eq
EOF
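Before running the ldapadd above on a real server, it is worth checking whether any database in cn=config already covers the suffix, which is exactly the condition that produces error 80. The following preflight check is an added example, not part of the original article: it parses the LDIF that ldapsearch prints for the cn=config databases and reports every database whose olcSuffix equals, or is an ancestor of, the suffix you are about to add. The sample LDIF is constructed, and the function names conflicting_databases and suffix_is_free are mine.

```shell
# Added example (not from the original article): a preflight check that lists the
# cn=config databases already serving a suffix, so ldapadd is only run when no
# conflict exists. Feed it the LDIF printed by (run as root):
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' olcSuffix
# Base64-encoded values (olcSuffix::, only for non-ASCII suffixes) are not decoded.
conflicting_databases() {
    # Normalise the wanted suffix: lower-case, no spaces after commas.
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    awk -v want="$want" '
        function norm(s) { s = tolower(s); gsub(/, +/, ",", s); return s }
        function flush(s) {
            if (dn != "" && suffix != "") {
                s = norm(suffix)
                # Exact match, or the existing suffix is an ancestor of the wanted
                # one: either way the new database would overlap it (an ancestor
                # is only acceptable if the new entry is declared olcSubordinate).
                if (want == s || substr(want, length(want) - length(s)) == "," s)
                    print dn
            }
            dn = ""; suffix = ""; last = ""
        }
        /^dn: /        { flush(); dn = substr($0, 5); last = "dn" }
        /^olcSuffix: / { suffix = substr($0, 12); last = "suffix" }
        /^ /           { if (last == "dn") dn = dn substr($0, 2)
                         else if (last == "suffix") suffix = suffix substr($0, 2) }
        /^$/           { flush() }
        END            { flush() }
    '
}

# Constructed sample of ldapsearch output (not a real server): three databases,
# one of which already serves dc=home,dc=local.
SAMPLE_LDIF='dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcSuffix: dc=home,dc=local
'

# Returns success when no database in the sample serves the given suffix.
suffix_is_free() {
    [ -z "$(printf '%s' "$SAMPLE_LDIF" | conflicting_databases "$1")" ]
}

printf '%s' "$SAMPLE_LDIF" | conflicting_databases dc=home,dc=local   # prints olcDatabase={1}hdb,cn=config
```

On a live server, replace the sample with the real ldapsearch output piped into conflicting_databases and only proceed with ldapadd when it prints nothing.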

To list every database defined in cn=config and confirm that the conflicting entry is gone:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcDatabase=*)" dn

This prints the DN of each remaining database configuration; make sure the entry you deleted is no longer listed.

A few additional recommendations:

  • Always check the existing database definitions before adding a new one
  • On production systems, take a backup with slapcat (restorable with slapadd) before changing cn=config
  • The index number ({1} in olcDatabase) is assigned by slapd automatically
  • Run slaptest -v to validate the configuration syntax