Configuring OpenLDAP, or what the @#$% !!!

Posted on: Fri, 06 Feb 2015 11:52 By: patrick

OpenLDAP 2.3 (released in 2005) introduced a new way for configuring the slapd daemon. The traditional method was a configuration file (/etc/ldap/slapd.conf on Debian) that could simply be edited with a text editor. The new way follows the Eat your own dog food maxim: The configuration is stored in a set of LDIF files (stored under /etc/ldap/slapd.d in Debian) which cannot be edited directly with a text editor. Instead, all changes must be done via LDAP operations. Funny enough: In order to configure the daemon, the daemon must already be running.

slapd-config, as the new configuration method is called, may be a technically cool feature, but from a casual sysadmin's point of view it is nothing but a major pain in the butt! So you want to quickly change slapd's log level to diagnose some authentication problem? OK, first check the documentation to see where the log level option is located in the configuration schema, and how its attribute is called. Then query the running daemon to look at the current value(s). Then write an .ldif file that contains the change. Then issue a complicated ldapmodify command that requires more cryptic options than tar and cpio combined. Of course the .ldif file contains an error, so diagnose & repeat. After maybe 20 minutes the job is done. Phew, only 20 minutes to change the daemon log level, I am such an LDAP wizard!

Actually when I did this just now it took me more like an hour because I am so not used to the procedure (another explanation might be that I'm just stupid, but hey, I think that's not it). Since I don't want to repeat the experience, I have started to write up some recipes on my wiki. Here's the link in case you are interested.

Topics
Article Styles

Member for

49 years 2 months

Hi,

sorry for stirring up old posts; but for modifying ldap via the commandline I have to recommend ldapvi.
If you are familiar with using vim it should not be that complicated;
and by calling ldapvi cn=config you can edit the slapd-config more easily.

Regards,
groundop

Flattr name
herzbube

Member for

12 years 11 months

Excellent advice, thank you so much! I didn't know about ldapvi, but it virtually saved my ass when I recently had to set up a new server! I added a new entry for ldapvi to my wiki.

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Allowed HTML tags: <h1> <pre> <br> <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type='1 A I'> <li> <dl> <dt> <dd> <h2 id='jump-*'> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.