This page describes how to convert OpenLDAP from a configuration file to the config backend, where the configuration is stored in LDAP itself. You could also create a config from scratch and import it via LDIF files.

Note: I couldn't get it to work completely. Incredible how hard this is!

The official documentation for all this is slapd-config(5) and the OpenLDAP Administrator's Guide, but LDAP for Rocket Scientists (ZYTRAX.COM) is much better!

Conversion

• /etc/init.d/slapd stop
• add database config to slapd.conf
• delete the suffix. cn=config is implicit.
• change your rootdn (manager account) to something below cn=config, e.g.
  rootdn "cn=admin,cn=config
• create the directory slapd.d below the OpenLDAP configuration directory
• convert the configuration with slaptest -F slapd.d
• change user and group so that the OpenLDAP daemon can access everything
  chown -R ldap:ldap slapd.d
• move the configuration file out of the way
• /etc/init.d/slapd start

The Rocket Scientists have an example slapd.conf file for conversion. Unfortunately they only hint that existing settings can be automatically converted. But if I try to add existing settings (like my database definition) OpenLDAP complains.

Start OpenLDAP with -d 4095 to see errors!

Testing

The configuration can be accessed by giving a search base of “cn=config”. With the following ~/.ldaprc

host    apfelboymchen.dol
binddn  cn=admin,cn=config
base    cn=config

ldapsearch -x -W should work. If files under /etc/openldap/slapd.d/ exists, all utilities will automatically assume a config backend based configuration, but will use /etc/openldap/slapd.conf otherwise.

Possible errors

slaptest conversion

<rootpw> can only be set when rootdn is under suffix

What this error means with “under” is the directory structure, not the sldapd.conf line order! The root dn must be under cn=config, as described above.

Generally spoken, the value of the setting rootdn must (LDAP-wise) be under the value of suffix.

db_open(/var/lib/openldap-data/id2entry.bdb) failed

The full message is “hdb_db_open: database "dc=apfelboymchen,dc=dol": db_open(/var/lib/openldap-data/id2entry.bdb) failed: No such file or directory (2)..

The conversion won't work with an empty database directory. You have to start the server at least once with a slapd.conf configuration to create some initial files.

The conversion went fine, but cn=config can't be found

If slapcat -b cn=config works it's a client configuration error. Or maybe you did specify the wrong rootdn? Compare with slapcat -b cn=config | grep ^olcRoot.

How to use a real database

So, i have a config database now. Great! But I also wanted to use LDAP for some real data. That was easy before – a short ldif defining an organization was all that was needed. Now a database definition (backend type, rootdn, suffix etc.) must be created first in the config database, for which I couldn't find a working example!

str2entry: invalid value for attributeType olcSuffix #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)

I gave up on the automatic conversion to be able to try out the example from the man page, which adds the config database via ldif/slapadd instead of the converstion with slaptest. Not surprisingly it doesn't work, as others also found out.

Licensed under the Creative Commons Attribution-Share Alike 3.0 License.