Discussion:
slapd.ldif beginner
Sonny Taberman
2014-02-19 17:29:34 UTC
Hi all ldap people.
I have been trying this new way of configuring a slapd server from scratch. Sorry to say, total failure on my side. I'm not sure where to begin.
I have built a Linux system from LFS (Linux From Scratch), so I want to install OpenLDAP from source; so far no problems.
When my installation is done I have a directory in /etc/ named openldap, and the content inside is this:

DB_CONFIG.example
ldap.conf
ldap.conf.default
schema
slapd.conf
slapd.conf.default
slapd.ldif
slapd.ldif.default

Configuring my slapd using slapd.conf is no problem. Actually I'm beginning to think I'm pretty good at this. :-)
But then I try to read all I can find about configuring a new slapd using slapd.ldif; not that easy.
I understand that I need a new directory named slapd.d. After that I have no clue.
I guess something is hardcoded in slapd, but what am I supposed to do next?
How can I communicate with slapd? I guess I have to define a password somewhere for a manager or administrator, but how and where?
Is there a tutorial somewhere?
All I need is how to start. :-)

best regards

Sonny
Peter Gietz
2014-02-19 18:43:05 UTC
A pragmatic approach is to configure as much as possible in slapd.conf
and then migrate that into the cn=config structure by using slaptest:

slaptest -f <path and name of the slapd.conf-file> -F <directory to
store the LDIF-like configuration>


In case you are in the right directory and you are using the standard
file name it is just:

slaptest -f slapd.conf -F slapd.d

After that you can start the slapd and do more configuration dynamically
on the ldap data, e.g. with Apache Directory Studio and a connection
specified to use basedn cn=config.

Hope this helps.

Cheers,

Peter
--
Peter Gietz, CEO

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: ***@daasi.de
web: www.daasi.de

Sitz der Gesellschaft: Tübingen
Registergericht: Amtsgericht Stuttgart, HRB 382175
Geschäftsleitung: Peter Gietz
Dan White
2014-02-19 19:07:24 UTC
See slapd(8), slaptest(5), slapd-config(5), ldap.conf(5), and chapter 5 of
the OpenLDAP Software 2.4 Administrator's Guide.

In short:

mkdir <path/to>/slapd.d
chown user.group <path/to>/slapd.d
chmod ? <path/to>/slapd.d
# and assuming you want to bootstrap using a slapd.conf:
slaptest -f <path/to>slapd.conf -F <path/to>/slapd.d

Create an init script that starts slapd with appropriate options, e.g.:

/usr/sbin/slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d

It is not recommended to modify files underneath <path/to>/slapd.conf with
a text editor, which you may be tempted to do. Use ldapadd/ldapmodify to
make modifications, or use slapcat -n0 to create a portable representation
of your config.

Search for documentation or discussion of SASL EXTERNAL authentication over
ldapi:/// (using olcAuthzRegexp), to perform administrator (rootDN)
changes.
--
Dan White
Sonny Taberman
2014-03-01 09:37:48 UTC
Hi Dan White and Peter Gietz.

Thanks for your kind pointers in the right direction.
Now I finally got it. :-)

My goal was to set up openldap using only the dynamic configuration style.
So I had to start from absolutely zero, everything else is considered cheating. :-)

One of the first obstacles was an error telling me that my database did not accept slapadd.
But it seems this error is not accurate, because if I start with a config.ldif that's empty I get the same error.
Finally, with some logic of my own and the OpenLDAP man pages, I figured out that I had to be sure to set the correct user on my data directory as well as on my /etc/openldap/*.

Another problem loading my config.ldif is the slapadd command.
In several places the syntax was like this:
slapadd -d -1 -F /etc/openldap/slapd.d -F /etc/openldap/config.ldif
That is wrong, the correct syntax is like this:
slapadd -d -1 -F /etc/openldap/slapd.d -n 0 -l /etc/openldap/config.ldif

The next problem that showed up was the hash sign (#).
For some reason I had put # on line 1 in my config.ldif. This is a no-no, it turns out.
I also used a line with only one # between the different blocks in my config; that also gave me problems.
So after removing all # from my config, my config seemed to work, but slapd still would not start.
I finally found out that the schema block was special.
Special in the sense that I had to have an empty line between the schema block and the include command.

By the way, it seems OK to have a line start with a #, then a space, then some text, without getting into trouble. Like this:
# This is a comment

So anyway this is my config.ldif.

dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /run/slapd.pid
olcArgsFile: /run/slapd.args
olcAttributeOptions: x-hidden lang-

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_bdb.la
olcModuleload: back_hdb.la
olcModuleload: back_ldap.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to attrs=name;x-hidden by * =cs
olcAccess: to attrs=userPassword by * auth
olcAccess: to * by * read

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootPW: secret
olcAccess: to * by * none

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=intra
olcDbDirectory: /srv/ldap/openldap-data
olcDbIndex: objectClass eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub

So thanks for your help, and I myself consider this problem solved.

Regards
Sonny
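As an added example, not code from this thread or from the OpenLDAP project: a small Python audit of a bootstrap config.ldif for the three points discussed above, namely the include line that must be its own record (Sonny's blank-line discovery), the cleartext olcRootPW on the config database, and a config database whose olcAccess has no clause for the root identity slapd assigns over ldapi:/// with SASL EXTERNAL (Dan's pointer). The sample LDIF is constructed from Sonny's config; the peercred DN is the standard one slapd derives for uid 0 over ldapi:///, and the {SSHA} value in the test is a placeholder for a hash that slappasswd would produce.

```python
"""Audit a cn=config bootstrap LDIF for the pitfalls raised in this thread."""
# Constructed sample based on Sonny's config.ldif: 'include:' glued to the schema
# entry (no blank line), cleartext olcRootPW, no access for the ldapi peercred DN.
SAMPLE_LDIF = """\
dn: cn=schema,cn=config
cn: schema
include: file:///etc/openldap/schema/core.ldif

dn: olcDatabase=config,cn=config
olcDatabase: config
olcRootPW: secret
olcAccess: to * by * none
"""
# Identity slapd maps the root user to over ldapi:/// with SASL EXTERNAL.
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def parse_ldif(text):
    """Split LDIF into records of (attribute, value) pairs: blank lines separate
    records, '#' lines are comments, a leading space folds onto the previous value."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
            current = []
        elif raw.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        else:
            attr, _, val = raw.partition(":")
            current.append((attr.strip(), val.strip()))
    return records


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for rec in parse_ldif(text):
        attrs = dict(rec)  # last value wins; enough for the single-valued checks
        dn = attrs.get("dn")
        if dn and "include" in attrs:
            findings.append(f"{dn}: 'include:' must be its own record (blank line before it)")
        pw = attrs.get("olcRootPW")
        if pw is not None and not pw.startswith("{"):
            findings.append(f"{dn}: olcRootPW is cleartext; store a slappasswd hash ({{SSHA}}...)")
        if attrs.get("olcDatabase") == "config":
            access = [v for a, v in rec if a == "olcAccess"]
            if not any(PEERCRED_ROOT in v for v in access):
                findings.append(f"{dn}: no olcAccess clause granting {PEERCRED_ROOT} manage")
    return findings
```

Run audit() on the LDIF you intend to feed to slapadd -n 0 -l before loading it; an empty result means the three checks passed.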