Converting slapd.conf to a Directory Based Configu
Converting slapd.conf to a Directory Based Configu
OpenLDAP 2.4
OpenLDAP 2.4 provides some great new features over 2.3. Notable among them are the ability to store configuration data in the directory and change values on the fly.
Converting slapd.conf to a Directory Based Configuration
OpenLDAP 2.4 maintains an LDIF-based online directory in /etc/openldap/slapd.d/ (or otherwise specified location). In order to use this, you must seed the directory one of two ways. One way is to convert an existing slapd.conf file, which is illustrated below. Note that to access the newly minted cn=config, you should create an entry in your slapd.conf to provide a root password to this entry, or otherwise provide a useful ACL/ACI which gives a user access.
To convert a standard slapd.conf file to the new format, issue the following command (re: man slapd-config):
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.dNote that the directory /etc/openldap/slapd.d must exist prior to this command successfully completing.
After importing the config file, start the OpenLDAP server:
/etc/init.d/ldap start
Verify that the server is running:
- ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
After validating that the server will start and stop, import some data with an LDIF file:
slapadd -l <file>.ldif
When attempting this, I get an error about an invalid attribute for an objectclass:
# slapadd -l slapcat.out
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=1)Missing a schema, had to add cosine schema to get this to work.
When attempting to add the schema ldif, I get this error:
# ldapadd -x -H ldap://locahost -D "cn=manager,dc=example,dc=org" -W -f core.ldif
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)I switched back to using the slapd.conf file to get this to work, and emptying out the /var/lib/openldap-data directory, reattempting the slapadd, I get the following:
# slapadd -l backup.ldif
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/openldap-data: (2).
Expect poor performance for suffix "dc=example,dc=org".
<= str2entry: str2ad(pwdHistory): attribute type undefined
slapadd: could not parse entry (line=79)Missing ppolicy overlay.
``
Adding some schemas:
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/cosine.ldif
Enter LDAP Password:
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/inetorgperson.ldif
Enter LDAP Password:
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/nis.ldif
Enter LDAP Password:
adding new entry "cn=nis,cn=schema,cn=config"
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/openldap.ldif
Enter LDAP Password:
adding new entry "cn=openldap,cn=schema,cn=config"``
Note that you cannot (as of version 2.4.7) use slapindex to generate the cn=config configuration, use slaptest:
# cd /etc/openldap
# mkdir slapd.d
# /usr/sbin/slapindex -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# echo $?
0
Program exits without error.
# ls /etc/openldap/slapd.d
Subsequently, running this command immediately after generates the appropriate
cn=config:
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
# ll slapd.d
total 8
drwxr-x--- 4 root root 4096 Jan 10 13:07 cn=config
-rw------- 1 root root 1097 Jan 10 13:07 cn=config.ldifI have filed an ITS with the OpenLDAP project for this (ITS#5321).
``
Querying cn=config
A sample query:
ldapsearch -x -H ldap://localhost/ -D "cn=config" -b 'cn=config' -W cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=config
# requesting: ALL
#
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf.WORKING
olcConfigDir: /etc/openldap/slapd.d
olcArgsFile: /var/run/openldap/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcLocalSSF: 71
olcLogLevel: Any
olcPidFile: /var/run/openldap/run/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcToolThreads: 1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1``
Query cn=schema:
ldapsearch -x -H ldap://localhost/ -D "cn=config" -b 'cn=schema,cn=config' -W``
Query cn=config for olcDatabase entries:
Note that this searches for the second database, which is of type bdb.
ldapsearch -x -H ldap://localhost/ -D "cn=config" -b 'olcDatabase={1}bdb,cn=config' -W -LLL``