3

I have an OpenLDAP OLC server (2.4.23) on which I am trying to simply add two attributes to the Syncprov overlay file, but I am encountering some difficulty.

Here are the contents of the olcOverlay={0}syncprov.ldif file:

# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}bdb/olcOverlay\={0}syncprov.ldif

dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 60
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig
entryUUID: 727d29d6-cc5c-1032-89d0-2fc7acd5ca31
creatorsName: cn=config
createTimestamp: 20131018161654Z
entryCSN: 20131018161654.036436Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20131018161654Z

And I am attempting to apply this LDIF:

# cat SyncprovOverlayAdd2.ldif

dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config
changetype: modify
add: olcSpCheckpoint
olcSpCheckpoint: 100 30
-
add: olcSpSessionlog
olcSpSessionlog: 1000

The error:

# ldapadd -v -f SyncprovOverlayAdd2.ldif -D "cn=config" -H "ldap://ldap01.lab.com" -W -x

ldap_initialize( ldap://ldap01.lab.com:389/??base )
Enter LDAP Password: 
add olcSpCheckpoint:
    100 30
add olcSpSessionlog:
    1000
modifying entry "olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config"
ldap_modify: Inappropriate matching (18)
    additional info: modify/add: olcSpCheckpoint: no equality matching rule

I get the same error if I invoke it with ldapmodify. Am I using the wrong add/modify directives or attributes?

Further Troubleshooting Attempts:

I tried modifying the LDIF without the "add:" directives to look like:

dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config
changetype: add
olcSpCheckpoint: 100 30
olcSpSessionlog: 1000

But when I do that I get a different error:

add olcSpCheckpoint:
    100 30
add olcSpSessionlog:
    1000
adding new entry "olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config"
ldap_add: Object class violation (65)
    additional info: no objectClass attribute

I don't quite have the hang of these OLC live changes and when you need to add/modify/replace, when "changetype" needs to be set explicitly, when you need to specify an objectClass when using ldapadd/ldapmodify for an existing entry, etc.

Reference: This ServerFault question had an answer that suggested replacing "add" with "replace" for this error, but that did not work for me.

SeligkeitIstInGott

2 Answers

2

This is http://www.openldap.org/its/index.cgi/?findid=8616 which will be fixed in the OpenLDAP 2.4.47 release.

1

Two things needed to happen to fix this. I already had an olcSpCheckpoint entry present (but not an olcSpSessionLog entry) in the overlay config file (olcOverlay={0}syncprov.ldif), so I needed to change my "add:" to "replace:" for olcSpCheckpoint, like so:

# cat SyncprovOverlayAdd2.ldif

dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSpCheckpoint
olcSpCheckpoint: 100 30
-
add: olcSpSessionlog
olcSpSessionlog: 1000

So the ServerFault link that I pointed to with my "Reference:" note at the bottom of the OP actually was correct, but I was not able to verify it at first since a second problem was at play (and I still received error messages after fixing the LDIF).

So secondly, even after I fixed the LDIF I was getting error messages that it could not change the entry (I lost the exact messages that appeared in the terminal, unfortunately) when trying to apply the LDIF with ldapmodify, but I had the luxury of cloning the VM that my LDAP server was on so that I could play with a copy of it outside of production. And when I ran the same ldapmodify command in the VM clone it applied the LDIF successfully. So my only conclusion was that slapd was messed up on the production server for some strange reason and needed to be restarted. I had tried to avoid that on my single-point-of-failure, production LDAP server (that moreover was supposed to be entirely OLC to prevent things like having to restart slapd), but I bit the bullet and restarted slapd on the LDAP server, and after that my changes went through with no issues.

SeligkeitIstInGott
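The add-versus-replace choice described in the second answer, as an added example that is not part of the original posts: the script reads the current entry and emits `replace:` for attributes that already have a value and `add:` for those that do not. `build_modify_ldif` and `sample_entry` are hypothetical helper names, and the sample entry is the one shown in the question with its operational attributes left out.

```shell
#!/bin/sh
# Added example; build_modify_ldif and sample_entry are hypothetical helpers.

# Entry as shown in the question (operational attributes omitted).
sample_entry() {
cat <<'EOF'
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 60
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
EOF
}

# usage: build_modify_ldif DN ENTRY_FILE 'attr: value' ...
build_modify_ldif() {
    dn=$1 entry=$2
    shift 2
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    sep=
    for pair in "$@"; do
        attr=${pair%%:*}
        # LDAP attribute names are case-insensitive, hence grep -i.
        if grep -qi "^${attr}:" "$entry"; then
            op=replace   # value present: modify/add fails without an equality rule
        else
            op=add       # attribute absent from the entry
        fi
        # Separate consecutive modifications with a line holding "-".
        [ -z "$sep" ] || printf '%s\n' "$sep"
        sep=-
        printf '%s: %s\n%s\n' "$op" "$attr" "$pair"
    done
}

# Demo: regenerate the LDIF from the second answer.
tmp=$(mktemp)
sample_entry > "$tmp"
build_modify_ldif 'olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config' "$tmp" \
    'olcSpCheckpoint: 100 30' 'olcSpSessionlog: 1000'
rm -f "$tmp"
```

Against a live server the entry file would come from a base-scope `ldapsearch` of the overlay DN, and the generated LDIF is applied with `ldapmodify -f`.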