
OpenLDAP 2.4 config

The folks running OpenLDAP made some radical changes in how the backend configuration is set up starting in 2.3, and it is now the default in 2.4. The configuration and longevity of CentOS 5 meant that a typical installation didn't see that change, as the CentOS 5 packages iirc were still 2.2, and in any case still provided the legacy /etc/openldap/slapd.conf file in lieu of the cn=config data structure.

While the specifications for the structure and the parameters are very well documented, that documentation is a high-level abstract, and no actual implementation guides are given. That's what this HOWTO note aims to address.

  • /etc/openldap/slapd.d/cn=config.ldif
    This file specifies the paths to the various configuration locations and system paths.
  • /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
    This file is missing an olcRootPW (by design); you will need to add it and restart slapd.
  • /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
    This is a >runtime< sample DB: it is a runtime LDIF, not a design-time one, so you can't readily clone it to create a new root DSE.

DO NOT MAKE ANY EDITS TO FILES IN /etc/openldap/slapd.d/cn=config/* (other than olcRootPW if you can’t figure out the ldapmodify context) OR ADD ANY FILES THERE. BAD THINGS HAPPEN, MOST slaptest ERRORS RESULT FROM ‘GOOD’ FILES BEING >PLACED< THERE.

  1. Make a new LDIF file elsewhere; it should look like this. The olcAccess values are single attribute values that have been folded over several lines, so every continued line must begin with two spaces: the first is the LDIF continuation marker (dropped when the value is reassembled), the second is the real separator between "userPassword" and "by".
    # Create directory database
    # This DN is probably bad, I think it shares the context with anything else named similarly.
    dn: olcDatabase=bdb,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcBdbConfig
    olcDatabase: bdb
    olcSuffix: dc=contoso,dc=com
    olcDbDirectory: /var/lib/ldap
    olcRootDN: cn=manager,dc=contoso,dc=com
    # root password; a cleartext value is stored as given, so prefer a {SSHA} hash produced by slappasswd
    olcRootPW: trolololololololololo
    olcDbIndex: uid pres,eq
    olcDbIndex: cn,sn,mail pres,eq,approx,sub
    olcDbIndex: objectClass eq
    # Allow users to change their own password
    # Allow anonymous to authenticate against the password
    # Allow admin to change anyone's password
    olcAccess: to attrs=userPassword
      by self write
      by anonymous auth
      by dn.base="cn=manager,dc=contoso,dc=com" write
      by * none
    # Allow users to change their own record
    # Allow anyone to read directory
    olcAccess: to *
      by self write
      by dn.base="cn=manager,dc=contoso,dc=com" write
      by * read
  2. Now load the file using something like this:
    ldapadd -h localhost -D "cn=config" -W -f /path/new-dse.ldif
  3. You have a new DSE if the load is successful, but no root yet. Create a second LDIF like this:
    dn: dc=contoso,dc=com
    objectClass: domain
    objectClass: top
    dc: contoso
  4. Now you have a domain in your DSE that you can run operations in from your LDAP admin tool, such as ApacheDS.
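As an added example (not part of the original HOWTO), the Python below builds the database LDIF from step 1 the way a careful admin would: it hashes the root password in the {SSHA} layout that slappasswd produces instead of loading cleartext into olcRootPW, folds the long olcAccess values with proper LDIF continuation lines, rejects the two paste defects that break ACLs (typographic quotes and stray whitespace inside a quoted DN), and re-parses the result to show what slapd will actually see. The function names, the SSHA helpers, the sample suffix and the manager DN are this example's own assumptions; loading the output is still done with the ldapadd command shown above.

```python
import base64
import hashlib
import os
import re

# Constructed sample values (assumed): the suffix and manager DN the HOWTO uses.
SUFFIX = "dc=contoso,dc=com"
ROOT_DN = "cn=manager," + SUFFIX

# The HOWTO's two ACLs, each as the single value slapd stores (no folding yet).
ACLS = [
    'to attrs=userPassword by self write by anonymous auth '
    'by dn.base="cn=manager,dc=contoso,dc=com" write by * none',
    'to * by self write by dn.base="cn=manager,dc=contoso,dc=com" write by * read',
]
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def ssha_hash(password, salt=None):
    """{SSHA} in the layout slappasswd -h {SSHA} emits: base64(sha1(pw+salt)+salt).
    Loading this into olcRootPW keeps the cleartext out of cn=config."""
    if salt is None:
        salt = os.urandom(4)  # 4-byte salt, as OpenLDAP uses by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Check a cleartext password against an {SSHA} string, as slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def fold_value(attr, value, width=76):
    """LDIF folding: a continuation line starts with exactly one space, which the
    reader drops on reassembly (hence the two-space convention in hand-written LDIF)."""
    line = "%s: %s" % (attr, value)
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def check_acl(value):
    """Flag two defects that creep into pasted olcAccess values: typographic quotes
    (slapd does not treat them as quoting, so the DN is rejected) and whitespace
    around commas in a quoted DN (at best normalised away, at worst a different DN)."""
    problems = []
    if any(ch in value for ch in SMART_QUOTES):
        problems.append('typographic quote in ACL; use a plain " instead')
    for dn in re.findall(r'"([^"]*)"', value):
        if re.search(r"\s,|,\s", dn):
            problems.append("whitespace around a comma in DN %r" % dn)
    return problems

def build_db_ldif(suffix, root_dn, root_pw, acls):
    """Assemble the cn=config entry for a new bdb database; bad ACLs are rejected
    here instead of by slapd after the ldapadd."""
    for acl in acls:
        bad = check_acl(acl)
        if bad:
            raise ValueError("; ".join(bad))
    lines = [
        "dn: olcDatabase=bdb,cn=config",
        "objectClass: olcDatabaseConfig",
        "objectClass: olcBdbConfig",
        "olcDatabase: bdb",
        "olcSuffix: " + suffix,
        "olcDbDirectory: /var/lib/ldap",
        "olcRootDN: " + root_dn,
        "olcRootPW: " + ssha_hash(root_pw),
        "olcDbIndex: uid pres,eq",
        "olcDbIndex: cn,sn,mail pres,eq,approx,sub",
        "olcDbIndex: objectClass eq",
    ]
    lines += [fold_value("olcAccess", acl) for acl in acls]
    return "\n".join(lines) + "\n"

def parse_ldif(text):
    """Unfold continuations and return (attribute, value) pairs the way an LDIF
    reader reassembles an entry; comments and blank lines are skipped."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    pairs = []
    for line in logical:
        attr, _, val = line.partition(":")
        pairs.append((attr, val.strip()))
    return pairs

if __name__ == "__main__":
    print(build_db_ldif(SUFFIX, ROOT_DN, "example-root-pw", ACLS))
```

The two-space rule for hand-written continuation lines falls out of parse_ldif: the reader drops exactly one leading space, so a line that continues "to attrs=userPassword" with " by self write" (one space) reassembles to "userPasswordby" and the ACL fails to parse. Running the script prints an LDIF whose olcRootPW is an {SSHA} value rather than the cleartext shown in the HOWTO.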