Troubleshooting OpenLDAP Error 80: Duplicate AttributeType and Database Configuration Issues



The error message you're encountering (ldap_add: Other (e.g., implementation specific) error (80)) typically occurs during OpenLDAP configuration when there's either a module loading failure or schema conflicts. In your case, we're seeing both scenarios emerge during different configuration steps.

The first error (<olcModuleLoad> handler exited with 1) suggests the back_hdb module couldn't be loaded. Modern OpenLDAP installations (2.4+) often come with back_hdb pre-loaded. Check existing modules with:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcModuleLoad=*'

The duplicate attribute error indicates the cosine schema is already loaded. Verify loaded schemas with:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config

For already-loaded schemas, you can either skip their re-import or first remove them with the command below, where {X} is the index shown for that schema in the search output:

sudo ldapdelete -Y EXTERNAL -H ldapi:/// 'cn={X}cosine,cn=schema,cn=config'

The final error about namingContext already served suggests a configuration conflict. To inspect existing databases:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)'

If you find existing configurations using your intended suffix, either modify your LDIF to use a different suffix or remove the conflicting database configuration first.

Here's a cleaner way to configure your OpenLDAP server:

# First, create a minimal backend configuration
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mycompany,dc=us
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mycompany,dc=us
olcRootPW: {SSHA}hashedpassword
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=admin,dc=mycompany,dc=us" write
  by * none
olcAccess: to * 
  by dn.base="cn=admin,dc=mycompany,dc=us" write
  by * read

Enable detailed logging in /etc/default/slapd:

SLAPD_OPTIONS="-d 16383"

Then monitor the logs while attempting your configuration changes:

tail -f /var/log/syslog | grep slapd

After successful configuration, verify with:

sudo slapcat -n 0 | grep -i mycompany

When setting up OpenLDAP for client authentication, many administrators encounter the frustrating error:

ldap_add: Other (e.g., implementation specific) error (80)
    additional info: <olcModuleLoad> handler exited with 1

This typically occurs during the initial configuration phase when attempting to load backend modules or create database entries.

From analyzing multiple cases, here are the most frequent causes:

1. Module Already Loaded

The initial error suggests the module loading failed. First check existing modules:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcModuleList)'

If you see entries like this:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

Then your module is already loaded and you should remove the module loading section from your LDIF file.

2. Duplicate Schema Attributes

When trying to add standard schemas like cosine.ldif, you might encounter:

ldap_add: Other (e.g., implementation specific) error (80)
    additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"

This indicates the schema is already loaded. Verify with:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config

3. Database Suffix Conflict

A particularly confusing error occurs when adding database configurations:

ldap_add: Other (e.g., implementation specific) error (80)
    additional info: <olcSuffix> namingContext "dc=mycompany,dc=us" already served by a preceding hdb database

Even on fresh installations, OpenLDAP may create default databases. Check existing database configurations:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcDatabaseConfig)'
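The three checks described on this page (module already loaded, schema already loaded, suffix already served) can be run in one pass before calling ldapadd. The script below is an added example, not part of the original page: it reads a cn=config dump in LDIF form and reports which of those conflicts would occur. The function names sample_config and preflight and the sample dump are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of what `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL`
# might return (not from a real server). olcSuffix is folded on purpose.
sample_config() {
cat <<'EOF'
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core

dn: cn={1}cosine,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {1}cosine

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mycompany,
 dc=us
EOF
}

# preflight MODULE SCHEMA SUFFIX
# Reads a cn=config LDIF dump on stdin and prints one line per conflict that
# would make ldapadd fail with error 80 for the given module, schema or suffix.
preflight() {
  awk -v mod="$1" -v schema="$2" -v suffix="$3" '
    function check(line,   val, bare) {
      val = line; sub(/^[^:]*: */, "", val)
      bare = val; sub(/^[{][0-9]+[}]/, "", bare)    # drop the {N} ordering prefix
      if (line ~ /^dn:/) inschema = (val ~ /,cn=schema,cn=config$/)
      if (line ~ /^olcModuleLoad:/) {
        sub(/[.](la|so)$/, "", bare)                # back_hdb.la -> back_hdb
        if (bare == mod) print "module-loaded " bare
      }
      if (line ~ /^cn:/ && inschema && bare == schema) print "schema-loaded " val
      if (line ~ /^olcSuffix:/ && tolower(val) == tolower(suffix)) print "suffix-served " val
    }
    /^ / { buf = buf substr($0, 2); next }          # continuation line: unfold
    { if (NR > 1) check(buf); buf = $0 }
    END { check(buf) }'
}
sample_config | preflight back_hdb cosine dc=mycompany,dc=us
```

On a live server, pipe the ldapsearch output into preflight instead of sample_config; the schema line includes the {N} index needed for the schema's DN.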

For a fresh start (recommended for new installations; these commands delete the existing slapd configuration and all directory data under /var/lib/ldap):

sudo apt-get purge slapd ldap-utils
sudo rm -rf /etc/ldap/slapd.d/*
sudo rm -rf /var/lib/ldap/*
sudo apt-get install slapd ldap-utils

Now create a minimal backend.ldif without module loading:

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydomain,dc=us
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mydomain,dc=us
olcRootPW: {SSHA}hashed_password_here
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by dn="cn=admin,dc=mydomain,dc=us" write by anonymous auth by self write by * none
olcAccess: to * by dn="cn=admin,dc=mydomain,dc=us" write by * read

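To hash your password (run without -s, slappasswd prompts for the password instead, which keeps it out of the shell history):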

slappasswd -s yourpassword

Then add the configuration:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

After successful configuration, verify with:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

And test the admin access:

ldapsearch -x -D "cn=admin,dc=mydomain,dc=us" -W -b "dc=mydomain,dc=us"