OpenLDAP 2.4
OpenLDAP 2.4 provides some great new features over 2.3. Notable among them is the ability to store configuration data in the directory itself and to change values on the fly.
Converting slapd.conf to a Directory Based Configuration
OpenLDAP 2.4 maintains an LDIF-based online configuration directory in /etc/openldap/slapd.d/ (or another location you specify). To use it, you must seed the directory in one of two ways; one is to convert an existing slapd.conf file, which is illustrated below. Note that to access the newly minted cn=config you should add an entry to your slapd.conf that sets a root password for this database, or otherwise provide a suitable ACL/ACI that grants a user access.
To convert a standard slapd.conf file to the new format, issue the following command (see man slapd-config):
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
Note that the directory /etc/openldap/slapd.d must exist before this command will complete successfully.
After importing the config file, start the OpenLDAP server:
/etc/init.d/ldap start
Verify that the server is running:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
After validating that the server will start and stop, import some data with an LDIF file:
slapadd -l <file>.ldif
When attempting this, I get an error about an invalid attribute for an objectclass:
# slapadd -l slapcat.out
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=1)
- Missing a schema: I had to add the cosine schema to get this to work.
When attempting to add the schema LDIF, I get this error:
# ldapadd -x -H ldap://locahost -D "cn=manager,dc=example,dc=org" -W -f core.ldif
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I switched back to using the slapd.conf file to get this to work. After emptying out the /var/lib/openldap-data directory and reattempting the slapadd, I get the following:
# slapadd -l backup.ldif
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/openldap-data: (2).
Expect poor performance for suffix "dc=example,dc=org".
<= str2entry: str2ad(pwdHistory): attribute type undefined
slapadd: could not parse entry (line=79)
- Missing ppolicy overlay.
Adding some schemas:
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/cosine.ldif
Enter LDAP Password:
adding new entry "cn=cosine,cn=schema,cn=config"
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/inetorgperson.ldif
Enter LDAP Password:
adding new entry "cn=inetorgperson,cn=schema,cn=config"
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/nis.ldif
Enter LDAP Password:
adding new entry "cn=nis,cn=schema,cn=config"
# ldapadd -x -H ldap://localhost/ -D "cn=config" -W -f schema/archive/openldap.ldif
Enter LDAP Password:
adding new entry "cn=openldap,cn=schema,cn=config"
Note that you cannot (as of version 2.4.7) use slapindex to generate the cn=config configuration; use slaptest instead:
# cd /etc/openldap
# mkdir slapd.d
# /usr/sbin/slapindex -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# echo $?
0
The program exits without error, but the directory is left empty:
# ls /etc/openldap/slapd.d
Subsequently, running this command immediately afterwards generates the appropriate cn=config:
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
# ll slapd.d
total 8
drwxr-x--- 4 root root 4096 Jan 10 13:07 cn=config
-rw------- 1 root root 1097 Jan 10 13:07 cn=config.ldif
I have filed an ITS with the OpenLDAP project for this (ITS#5321).
Querying cn=config
A sample query:
ldapsearch -x -H ldap://localhost/ -D "cn=config" -b 'cn=config' -W cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: cn=config
# requesting: ALL
#

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf.WORKING
olcConfigDir: /etc/openldap/slapd.d
olcArgsFile: /var/run/openldap/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcLocalSSF: 71
olcLogLevel: Any
olcPidFile: /var/run/openldap/run/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcToolThreads: 1

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Query cn=schema:
ldapsearch -x -H ldap://localhost/ -D "cn=config" -b 'cn=schema,cn=config' -W
Query cn=config for olcDatabase entries. Note that this example searches for the second database, olcDatabase={1}bdb, which is of type bdb:
ldapsearch -x -H ldap://localhost/ -D "cn=config" -b 'olcDatabase={1}bdb,cn=config' -W -LLL
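As an added example (not part of these notes), a small Python script that parses the LDIF the ldapsearch queries above return and flags the settings a defender would review first: the verbose olcLogLevel, a cleartext olcRootPW, and a config database with neither a root password nor an ACL (the situation described at the top of the page). The sample LDIF is constructed, and the checks are my own, not part of OpenLDAP.

```python
# Added example (not from the original notes): parse `ldapsearch -LLL -b cn=config` LDIF and flag risky settings.
import base64
def parse_ldif(text):
    """LDIF -> [{attr: [values]}]; unfolds continuation lines, decodes '::' base64, skips '#' comments."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # folded line continues the previous one
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical + [""]:        # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_config(entries):
    """Return [(dn, finding)] for a few settings a defender checks first."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "olcglobal" in classes and e.get("olcloglevel", [""])[0].lower() in ("any", "-1"):
            findings.append((dn, "olcLogLevel Any: every category is logged; noisy and exposes query contents"))
        if "olcdatabaseconfig" in classes:
            pws = e.get("olcrootpw", [])
            if not pws and "olcaccess" not in e:
                findings.append((dn, "no olcRootPW or olcAccess: cn=config is not administrable over LDAP"))
            for pw in pws:
                if not pw.startswith("{"):   # hashed values look like {SSHA}...
                    findings.append((dn, "olcRootPW is cleartext: hash it with slappasswd"))
    return findings
# Constructed sample modelled on the notes' ldapsearch output (not from a real server).
SAMPLE = """dn: cn=config
objectClass: olcGlobal
olcLogLevel: Any

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcRootPW: secret
"""
```

Run it against real output with `audit_config(parse_ldif(open("config.ldif").read()))` after saving the ldapsearch -LLL result to a file.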
