This page describes how to convert OpenLDAP from a configuration file to the config backend, where the configuration is stored in LDAP itself.
You could also create a config from scratch and import it via LDIF files.
Note: I couldn't get it to work completely. Incredible how hard this is!
The official documentation for all this is slapd-config(5) and the OpenLDAP Administrator's Guide, but LDAP for Rocket Scientists (ZYTRAX.COM) is much better!
Conversion
    /etc/init.d/slapd stop
- add a "database config" section to slapd.conf
- delete the suffix of that section; cn=config is implicit.
- change your rootdn (manager account) to something below cn=config, e.g.
    rootdn "cn=admin,cn=config"
- create the directory slapd.d below the OpenLDAP configuration directory
- convert the configuration with
    slaptest -F slapd.d
- change user and group so that the OpenLDAP daemon can access everything
    chown -R ldap:ldap slapd.d
- move the configuration file out of the way
    /etc/init.d/slapd start
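The steps above as a checked script (an added example, not from the original page): before running slaptest it verifies the two preconditions that the errors described further down depend on, a rootdn below cn=config with no suffix in the config database, and a non-empty data directory. The configuration directory, the data directory and the name the old slapd.conf is moved to are assumptions.

```shell
#!/bin/sh
# Checked version of the conversion steps above (added example, not from the original
# page). Assumptions: $1 is the OpenLDAP config directory holding slapd.conf, $2 is the
# data backend's directory, and slapd.conf is moved aside as slapd.conf.converted.
# Normalise a DN for comparison: lower-case, drop quotes and blanks around commas.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' |
        sed -e 's/"//g' -e 's/[[:space:]]*,[[:space:]]*/,/g' -e 's/^ *//;s/ *$//'
}

# check_config_db FILE: the "database config" section must exist, carry no "suffix"
# (cn=config is implicit) and have a rootdn below cn=config; otherwise slaptest stops
# with "<rootpw> can only be set when rootdn is under suffix". Returns 1 on any problem.
check_config_db() {
    rc=0 in_cfg=0 have_cfg=0 rootdn=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*|'') continue ;; esac
        word=${line%%[[:space:]]*}; rest=${line#"$word"}   # directive and its arguments
        rest=${rest#"${rest%%[![:space:]]*}"}
        case $(printf '%s' "$word" | tr 'A-Z' 'a-z') in
            database) in_cfg=0; [ "${rest%%[[:space:]]*}" = config ] && in_cfg=1 have_cfg=1 ;;
            suffix)   [ $in_cfg -eq 1 ] && { echo "config db: drop 'suffix', cn=config is implicit"; rc=1; } ;;
            rootdn)   [ $in_cfg -eq 1 ] && rootdn=$(norm_dn "$rest") ;;
        esac
    done < "$1"
    [ $have_cfg -eq 1 ] || { echo "no 'database config' section"; rc=1; }
    case $rootdn in
        cn=config|*,cn=config) ;;
        *) echo "config db: rootdn '$rootdn' is not under cn=config"; rc=1 ;;
    esac
    return $rc
}

# check_datadir DIR: on an empty database directory the conversion fails with
# "db_open(...) failed: No such file or directory"; slapd must have run once with
# slapd.conf so the backend has created its initial files.
check_datadir() { [ -d "$1" ] && [ -n "$(ls -A "$1")" ]; }

# convert CONFDIR DATADIR: the steps from above, run only once both checks pass,
# so a failing slaptest does not leave a half-converted slapd.d behind.
convert() {
    check_config_db "$1/slapd.conf" && check_datadir "$2" || return 1
    mkdir -p "$1/slapd.d" &&
    slaptest -f "$1/slapd.conf" -F "$1/slapd.d" &&
    chown -R ldap:ldap "$1/slapd.d" &&
    mv "$1/slapd.conf" "$1/slapd.conf.converted"
}
# Usage, after "/etc/init.d/slapd stop": sh convert.sh /etc/openldap /var/lib/openldap-data
if [ $# -eq 2 ]; then convert "$1" "$2"; fi
```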
The Rocket Scientists have an example slapd.conf file for conversion. Unfortunately they only hint that existing settings can be automatically converted. But if I try to add existing settings (like my database definition), OpenLDAP complains.
Start OpenLDAP with -d 4095 to see errors!
Testing
The configuration can be accessed by giving a search base of “cn=config”.
With the following ~/.ldaprc
    host apfelboymchen.dol
    binddn cn=admin,cn=config
    base cn=config
the command
    ldapsearch -x -W
should work.
If files exist under /etc/openldap/slapd.d/, all utilities will automatically assume a configuration in the config backend; otherwise they will use /etc/openldap/slapd.conf.
Possible errors
slaptest conversion
<rootpw> can only be set when rootdn is under suffix
The “under” in this error refers to the LDAP directory tree (the DN hierarchy), not to the line order in slapd.conf!
The root DN must be under cn=config, as described above.
Generally speaking, the value of the setting rootdn must (LDAP-wise) be under the value of suffix.
db_open(/var/lib/openldap-data/id2entry.bdb) failed
The full message is “hdb_db_open: database "dc=apfelboymchen,dc=dol": db_open(/var/lib/openldap-data/id2entry.bdb) failed: No such file or directory (2)”.
The conversion won't work with an empty database directory. You have to start the server at least once with a slapd.conf configuration to create some initial files.
The conversion went fine, but cn=config can't be found
If
    slapcat -b cn=config
works, it's a client configuration error. Or maybe you specified the wrong rootdn? Compare with
    slapcat -b cn=config | grep ^olcRoot
How to use a real database
So, I have a config database now. Great! But I also wanted to use LDAP for some real data. That was easy before – a short LDIF defining an organization was all that was needed. Now a database definition (backend type, rootdn, suffix etc.) must be created first in the config database, for which I couldn't find a working example!
str2entry: invalid value for attributeType olcSuffix #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
I gave up on the automatic conversion to be able to try out the example from the man page, which adds the config database via LDIF/slapadd instead of the conversion with slaptest.
Not surprisingly it doesn't work, as others also found out.
Licensed under the Creative Commons Attribution-Share Alike 3.0 License.