OpenLdap: Switch to dynamic config backend (cn=config)

From Zarafa wiki

Revision as of 12:18, 23 June 2010 by Ddebyttere (Talk | contribs)

Note: for a full how-to on setting up LDAP with cn=config, please refer to

Since OpenLDAP 2.3 the server has been able to store its configuration as LDIF entries (the cn=config backend). slapd will still read slapd.conf if you choose to keep using it. I was testing on Fedora 12, and when I installed OpenLDAP I noticed that it defaulted to the new way of storing the configuration (as LDIF entries).

As mentioned above, you can still use the old way, but if you want to use the new way this document may come in handy. Storing the configuration as LDIF entries has certain advantages over slapd.conf. For example, to add a schema the old way you had to edit slapd.conf, add the schema and then restart slapd; in very large environments that restart can take a long time. With the new way OpenLDAP lets you do all of this without restarting slapd.

This document describes how to convert schema files to LDIF files, which can then be added to your OpenLDAP server.


Install openldap

Install the OpenLDAP server in whatever way you prefer, e.g.:

yum install openldap-servers
apt-get install slapd

Add or Change password of RootDN

  • If you want to add or change the password of the cn=admin,cn=config RootDN, you must edit the file:
  • Put the olcRootPW entry below olcRootDN:
olcRootPW: config

Now the password is "config" for cn=admin,cn=config

  • Restart slapd after changing the RootPW this way.
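The olcRootPW value above is stored in cleartext. OpenLDAP also accepts a hashed value in that attribute, and because cn=config is itself a live LDAP database the change can be applied with ldapmodify instead of editing the file and restarting slapd. The following POSIX shell script is an added example and not part of the original wiki page: it builds an {SSHA} value in the format slappasswd produces (base64 of SHA1(password + salt) followed by the salt), verifies it, and prints the modify LDIF for the config database entry. It assumes openssl and coreutils are installed; the 8-byte printable salt is a choice of this example (slappasswd uses raw bytes), and the ldapmodify call in the trailing comment assumes a root shell on the server with the ldapi:/// socket enabled.

```shell
#!/bin/sh
# Added example (not from the wiki page): a hashed olcRootPW for cn=config.
# Requires: openssl, base64, cut, tail, wc.

# {SSHA} as OpenLDAP stores it: "{SSHA}" + base64( SHA1(password || salt) || salt ).
ssha_hash_with_salt() {
  pw=$1
  salt=$2
  digest=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | base64 | tr -d '\n')
  printf '{SSHA}%s' "$digest"
}

# Fresh random salt per hash: 8 hex characters here (an assumption of this example;
# slappasswd uses raw random bytes, which OpenLDAP reads back the same way).
ssha_hash() {
  ssha_hash_with_salt "$1" "$(openssl rand -hex 4)"
}

# Verify a password against a stored {SSHA} value: the salt is everything after the
# 20-byte digest, so recompute with that salt and compare. Returns 0 on match.
# Assumes a printable salt (as produced above); raw-byte salts need a binary-safe tool.
ssha_verify() {
  pw=$1
  stored=$2
  salt=$(printf '%s' "$stored" | cut -c7- | base64 -d | tail -c +21)
  [ "$(ssha_hash_with_salt "$pw" "$salt")" = "$stored" ]
}

# LDIF that replaces olcRootPW on the config database entry.
rootpw_modify_ldif() {
  printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1"
}

pw_hash=$(ssha_hash 'config')        # 'config' is the password used on this page
rootpw_modify_ldif "$pw_hash"
# Apply without restarting slapd (assumed: root shell, ldapi:/// socket enabled):
#   rootpw_modify_ldif "$pw_hash" | ldapmodify -Y EXTERNAL -H ldapi:///
```

If you do edit olcDatabase={0}config.ldif by hand instead, the hashed value can be pasted in the same way as the cleartext one; either way the file under slapd.d should only be readable by the user slapd runs as.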

Change Suffix

The default suffix for OpenLDAP is your domain name. This paragraph describes how to change the default suffix.

I have not had time yet to find out how to do this through LDIF; it should be possible to create new suffixes with LDIF entries.

I just changed it in the following way:

  • change to directory cn=config (directory may change per distribution)
cd /etc/ldap/slapd.d/cn=config
  • Open the file "olcDatabase={0}config.ldif" and change the following entries:
  • Open the file "olcDatabase\=\{2\}monitor.ldif" and change the following entry:
  • Check all the files in the directory by grepping for the old suffix in all of them
  • Restart slapd after changing the suffix in this way

Convert schema files for import

If you want to add schemas to your openldap, you will need to convert the schema files to ldif files.

  • Create a file called schema_convert.conf
  • Add the schema files you need to this file, e.g.:
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/zarafa.schema
  • Create a directory /tmp/ldif_output
mkdir /tmp/ldif_output
  • Run slaptest to convert the schemas:
slaptest -f schema_convert.conf -F /tmp/ldif_output
  • Edit the generated /tmp/ldif_output/cn=config/cn=schema/cn={xx}[schema].ldif and change the lines at the top of the file (remove the {xx} index so that it looks like the following):
dn: cn=zarafa,cn=schema,cn=config
cn: zarafa
  • And remove the following lines at the bottom of that file:
structuralObjectClass: olcSchemaConfig
entryUUID: 506bb32c-c232-102e-81c9-e11e06f59dd0
creatorsName: cn=config
createTimestamp: 20100312145015Z
entryCSN: 20100312145015.702589Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100312145015Z
  • If running SELinux, either disable it or fix the SELinux policy so that slapd can write in the cn=config subdirectories
  • Finally, using the ldapadd utility, add the new schema to the directory (-W prompts for the cn=admin,cn=config password set above; without it the bind has no credentials and the add is refused):
ldapadd -x -D "cn=admin,cn=config" -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}zarafa.ldif
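The hand-editing step above (strip the {xx} index from the dn and cn lines, drop the operational attributes at the bottom) is mechanical, and doing it for a dozen schema files invites slips, so here is an added POSIX shell example that is not part of the wiki page. It writes a constructed sample in the shape slaptest produces (the single olcAttributeTypes line in it is a placeholder with OID 1.1.1.1, not the real zarafa schema), cleans it with sed, and includes a helper that cleans a whole output directory; loading the result with ldapadd is left to you, and the paths and the ldapi:/// bind in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): clean slaptest-generated schema LDIF
# so that ldapadd accepts it under cn=config.

# Constructed sample in the shape of /tmp/ldif_output/cn=config/cn=schema/cn={12}zarafa.ldif.
# The olcAttributeTypes line is a placeholder (OID 1.1.1.1), not the real zarafa schema.
write_sample_schema_ldif() {
  cat > "$1" <<'EOF'
dn: cn={12}zarafa,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}zarafa
olcAttributeTypes: ( 1.1.1.1 NAME 'exampleAttr' DESC 'constructed placeholder' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100312145015Z
entryCSN: 20100312145015.702589Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100312145015Z
EOF
}

# Print the cleaned LDIF: {xx} removed from the dn/cn lines, the operational attributes
# listed on this page dropped. The schema definitions themselves pass through unchanged.
clean_schema_ldif() {
  sed -E \
    -e '/^(dn|cn): /s/\{[0-9]+\}//' \
    -e '/^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): /d' \
    "$1"
}

# Clean every generated schema file from one directory into another, keeping the file names.
clean_all_schema_ldifs() {
  in_dir=$1    # e.g. /tmp/ldif_output/cn=config/cn=schema (assumed path)
  out_dir=$2   # e.g. /tmp/ldif_clean (assumed path)
  mkdir -p "$out_dir"
  for f in "$in_dir"/cn=*.ldif; do
    [ -e "$f" ] || continue
    clean_schema_ldif "$f" > "$out_dir/$(basename "$f")"
  done
}

sample=$(mktemp)
write_sample_schema_ldif "$sample"
clean_schema_ldif "$sample"
rm -f "$sample"
# Then load each cleaned file; over ldapi:/// as root no password is needed and slapd keeps running:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ldif_clean/cn={12}zarafa.ldif
```

Check the cleaned file with a quick grep for "{" before loading it: a leftover index in the dn is the usual reason ldapadd rejects the entry.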

Cloning from a Slapcat export

Sometimes you need to clone an OpenLDAP database that was exported with slapcat. With the new way OpenLDAP stores its config you don't have a slapd.conf, so slapadd does not know what to do or which schemas are available.

On Fedora 12, OpenLDAP installs a slapd.conf.bak that you can use to add your schemas. If you don't have a slapd.conf.bak, create your own and configure it with the proper suffix.

When you have a good slapd.conf.bak, you will be able to use slapadd:

slapadd -f slapd.conf.bak -l [ldif_file]
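As an added example that is not part of the wiki page, the POSIX shell script below does the two preparation steps for such a clone: it lists the objectClass values used in the slapcat export, so you can tell which schema files the slapd.conf.bak must include, and writes a minimal slapd.conf.bak with the suffix taken from the export. The export it works on is constructed (placeholder values, not a real directory); the schema directory, the hdb database type (the usual choice on the OpenLDAP 2.4 releases of that time, mdb on current releases), the rootdn and the database directory are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example (not from the wiki page): prepare a slapd.conf.bak for slapadd.

# Constructed two-entry export in slapcat shape. All values are placeholders.
write_sample_export() {
  cat > "$1" <<'EOF'
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example
dc: example

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
userPassword: {SSHA}placeholder-not-a-real-hash
EOF
}

# Sorted, unique objectClass values in the export. Every one of them must be defined by a
# schema file included in slapd.conf.bak, otherwise slapadd stops at the first entry using it.
export_objectclasses() {
  grep -i '^objectClass: ' "$1" | cut -d' ' -f2- | sort -u
}

# The suffix is the dn of the first entry, which is where slapcat normally puts the suffix entry.
export_suffix() {
  grep '^dn: ' "$1" | head -n 1 | cut -d' ' -f2-
}

# Minimal slapd.conf.bak: schema includes plus one database with the proper suffix.
# Arguments: output file, schema dir, suffix, rootdn, db directory, then the schema names.
write_slapd_conf_bak() {
  out=$1; schema_dir=$2; suffix=$3; rootdn=$4; db_dir=$5
  shift 5
  : > "$out"
  for s in "$@"; do
    printf 'include\t\t%s/%s.schema\n' "$schema_dir" "$s" >> "$out"
  done
  printf '\ndatabase\thdb\nsuffix\t\t"%s"\nrootdn\t\t"%s"\ndirectory\t%s\n' \
    "$suffix" "$rootdn" "$db_dir" >> "$out"
}

exp_file=$(mktemp)
conf_file=$(mktemp)
write_sample_export "$exp_file"
export_objectclasses "$exp_file"           # dcObject inetOrgPerson organization posixAccount top
suffix=$(export_suffix "$exp_file")
# Assumed: Fedora schema path, Manager rootdn, default db directory; schemas chosen for the classes above.
write_slapd_conf_bak "$conf_file" /etc/openldap/schema "$suffix" "cn=Manager,$suffix" /var/lib/ldap \
  core cosine inetorgperson nis
cat "$conf_file"
rm -f "$exp_file" "$conf_file"
# Then, with slapd stopped:   slapadd -f slapd.conf.bak -l export.ldif
# and chown the database directory back to the ldap user before starting slapd again.
```

The export contains every userPassword hash in the directory, so keep it at mode 600 and delete it once the clone is loaded; slapadd also has to run while slapd is stopped, and the files it creates are owned by whoever ran it, which is why the chown in the comment is needed.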