How to Fix the jpegPhoto Attribute in OpenLDAP

The OpenLDAP schema definition of the jpegPhoto attribute type has not changed in two decades. As late as OpenLDAP 2.4.59 it still follows the original definition in RFC 2798 (April 2000):

 ( 0.9.2342.19200300.100.1.60  
   NAME 'jpegPhoto'  
   DESC 'a JPEG image'  
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )

The problem with this definition is that it has no EQUALITY matching rule, so slapd has no way to compare two jpegPhoto values. Adding the first value works, and so does a modify-replace of the whole attribute or a modify-delete that names no values. But a modify-delete of a specific value, or a modify-add of a further value to an attribute that already exists, is refused, and because many clients implement "change the photo" as delete-old-value followed by add-new-value, from those tools an existing photo can neither be changed nor removed. The server answers:

[LDAP result code 18 - InappropriateMatching] modify/delete: jpegPhoto: no equality matching rule

The fix is to give the attribute type an equality matching rule. octetStringMatch is defined over the Octet String syntax (1.3.6.1.4.1.1466.115.121.1.40), so the syntax OID is changed to that at the same time; the stored bytes are not affected. Note that this is a local deviation from the RFC 2798 schema and lives in cn=config, which is not replicated by default: apply it on every server that serves the same data.

Solution

  1. Copy the following LDIF into jpeg.ldif. The `{3}` in the DN and the `{5}` ordering index are installation-specific, and the value on the delete: line must match the stored definition exactly (including any DESC clause), so check the current definition under cn=schema,cn=config with ldapsearch before applying it:

    dn: cn={3}inetorgperson,cn=schema,cn=config
    changetype: modify
    delete: olcAttributeTypes
    olcAttributeTypes: {5}( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
    -
    add: olcAttributeTypes
    olcAttributeTypes: {5}( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    
  2. Apply it as root over the local ldapi socket, which SASL EXTERNAL authenticates as the local root identity:

    sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f jpeg.ldif
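
The following script is an added example, not part of the original post. It does the two steps above without hard-coding the `{3}`/`{5}` indexes: it reads the jpegPhoto definition as slapd actually stores it in cn=config (unfolding LDIF continuation lines first), builds the modify LDIF from that exact value, and re-adds the corrected definition at the same index. By default it dry-runs on a constructed ldapsearch dump embedded in the script; the `APPLY_TO_SLAPD` switch, the assumption that slapd listens on `ldapi:///` and that the script runs as root, and the helper names are all mine.

```sh
#!/bin/sh
# Added example, not from the original post. Builds the jpegPhoto schema fix
# from the definition as slapd stores it in cn=config, so the "delete:" value
# matches byte for byte and the {n} indexes are read, not guessed. Dry-runs on
# a constructed ldapsearch dump; set APPLY_TO_SLAPD=yes to run against a live
# slapd over ldapi:/// (assumed: run as root, slapd listening on ldapi:///).

# LDIF folds long values onto continuation lines that begin with one space;
# ldapsearch output must be unfolded before any line-oriented matching.
unfold_ldif() {
  awk '
    /^ /  { sub(/^ /, ""); buf = buf $0; next }
          { if (buf != "") print buf; buf = $0 }
    END   { if (buf != "") print buf }'
}

# Reads an LDIF dump of cn=schema,cn=config on stdin and prints two lines:
# the DN of the entry holding jpegPhoto and its stored olcAttributeTypes value.
find_jpeg_def() {
  unfold_ldif | awk '
    /^dn: / { dn = substr($0, 5) }
    /^olcAttributeTypes: / && /NAME .jpegPhoto./ { print dn; print substr($0, 20); exit }'
}

# Emits the modify LDIF: delete the stored value verbatim, then re-add at the
# same {n} index with Octet String syntax (...1.40) and EQUALITY octetStringMatch.
build_jpeg_ldif() {
  dn=$1
  stored=$2
  idx=$(printf '%s\n' "$stored" | sed -n 's/^\({[0-9][0-9]*}\).*$/\1/p')
  [ -n "$idx" ] || { echo "no {n} ordering index in: $stored" >&2; return 1; }
  cat <<EOF
dn: $dn
changetype: modify
delete: olcAttributeTypes
olcAttributeTypes: $stored
-
add: olcAttributeTypes
olcAttributeTypes: $idx( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'a JPEG image' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
EOF
}

# Constructed sample of what the ldapsearch in the live block returns, folded
# onto continuation lines as ldapsearch does by default. The indexes and DESC
# text are typical of a stock install, not universal.
SAMPLE=$(cat <<'EOF'
dn: cn={2}nis,cn=schema,cn=config
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.0 NAME 'uidNumber' EQUALITY integerMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

dn: cn={3}inetorgperson,cn=schema,cn=config
olcAttributeTypes: {4}( 2.16.840.1.113730.3.1.4 NAME 'employeeType' EQUALITY cas
 eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {5}( 0.9.2342.19200300.100.1.60 NAME 'jpegPhoto' DESC 'RFC2
 798: a JPEG image' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
EOF
)

# Dry run: print the LDIF that would be applied for the constructed sample.
def=$(printf '%s\n' "$SAMPLE" | find_jpeg_def)
build_jpeg_ldif "$(printf '%s\n' "$def" | sed -n 1p)" \
                "$(printf '%s\n' "$def" | sed -n 2p)"

# Live run (root, slapd on ldapi:///). ldif-wrap=no makes unfolding a no-op.
if [ "${APPLY_TO_SLAPD:-no}" = yes ]; then
  search='ldapsearch -QLLLY EXTERNAL -H ldapi:/// -o ldif-wrap=no
            -b cn=schema,cn=config (objectClass=olcSchemaConfig) olcAttributeTypes'
  def=$($search | find_jpeg_def)
  build_jpeg_ldif "$(printf '%s\n' "$def" | sed -n 1p)" \
                  "$(printf '%s\n' "$def" | sed -n 2p)" > jpeg.ldif
  ldapmodify -QY EXTERNAL -H ldapi:/// -f jpeg.ldif
  # Verify: the stored definition must now carry the equality rule.
  $search | find_jpeg_def | grep -q 'EQUALITY octetStringMatch' \
    && echo "jpegPhoto schema updated"
fi
```

The search returns every schema entry and lets the script pick the one that defines jpegPhoto, so it does not depend on the entry being `cn={3}inetorgperson`. Keep the generated jpeg.ldif: the delete: line in it is exactly what you need to revert the change (swap the two olcAttributeTypes values).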
    
