This page describes how to convert OpenLDAP from a configuration file to the config backend, where the configuration is stored in LDAP itself.
You could also create a config from scratch and import it via LDIF files.
Note: I couldn't get it to work completely. Incredible how hard this is!
The official documentation for all this is slapd-config(5) and the OpenLDAP Administrator's Guide, but LDAP for Rocket Scientists (ZYTRAX.COM) is much better!
- add "database config" to slapd.conf
- delete the suffix; for the config database cn=config is implicit.
- change your rootdn (manager account) to something below cn=config, e.g.
- create the directory slapd.d below the OpenLDAP configuration directory
- convert the configuration with
  slaptest -F slapd.d
- change user and group so that the OpenLDAP daemon can access everything:
  chown -R ldap:ldap slapd.d
- move the old configuration file (slapd.conf) out of the way
The Rocket Scientists have an example slapd.conf file for conversion.
Unfortunately they only hint that existing settings can be automatically converted. But if I try to add existing settings (like my database definition)
Start OpenLDAP with -d 4095 to see errors!
The configuration can be accessed by giving a search base of “cn=config”.
With the following ~/.ldaprc
ldapsearch -x -W
If files exist under /etc/openldap/slapd.d/, all utilities automatically assume a config-backend based configuration, but will use /etc/openldap/slapd.conf otherwise.
<rootpw> can only be set when rootdn is under suffix
What this error means by “under” is the position in the directory tree (the DIT), not the layout of slapd.conf. The root DN must be under cn=config, as described above. Generally speaking, the value of the setting rootdn must (LDAP-wise) be equal to or below the value of suffix.
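As an added example that is not part of the original page and not an OpenLDAP tool: a POSIX shell pre-flight check that applies the rule above to every database stanza of a slapd.conf before slaptest is run, treating "database config" as having the implicit suffix cn=config from the conversion steps. The DNs and file names it mentions are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-flight check for the
# "<rootpw> can only be set when rootdn is under suffix" error, to run on
# slapd.conf before slaptest. DNs and file names used here are constructed.

# Normalise a DN for comparison: lower-case, no blanks around ',' and '='.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' |
        sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*=[[:space:]]*/=/g'
}

# 0 if rootdn ($1) equals suffix ($2) or lies below it LDAP-wise (the suffix
# is the trailing run of RDNs of the rootdn), 1 otherwise.
rootdn_under_suffix() {
    r=$(norm_dn "$1"); s=$(norm_dn "$2")
    if [ "$r" = "$s" ]; then return 0; fi
    case "$r" in *",$s") return 0 ;; esac
    return 1
}

# Walk the "database" stanzas of a slapd.conf ($1): every stanza that sets
# rootpw needs its rootdn under its suffix. "database config" carries no
# suffix line, cn=config is implicit. Prints offenders, returns 1 if any.
check_slapd_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    failed=0; db=""; suffix=""; rootdn=""; rootpw=""
    while IFS= read -r line; do
        case "$line" in '#'*) continue ;; esac
        key=${line%%[[:space:]]*}
        val=${line#"$key"}; val=${val#"${val%%[![:space:]]*}"}
        val=${val%"${val##*[![:space:]]}"}; val=${val#\"}; val=${val%\"}
        case "$key" in
            database)               # a new stanza: first check the previous one
                if [ -n "$rootpw" ] && ! rootdn_under_suffix "$rootdn" "$suffix"; then
                    echo "database $db: rootdn '$rootdn' is not under suffix '$suffix'"
                    failed=1
                fi
                db=$val; suffix=""; rootdn=""; rootpw=""
                if [ "$db" = config ]; then suffix="cn=config"; fi ;;
            suffix) suffix=$val ;;
            rootdn) rootdn=$val ;;
            rootpw) rootpw=$val ;;
        esac
    done <<EOF
$(cat "$1")
database end-of-file
EOF
    return $failed
}
```

Run it as check_slapd_conf /etc/openldap/slapd.conf (path assumed) before slaptest; a non-zero exit means a stanza would trip the rootpw error.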
The full message is “hdb_db_open: database "dc=apfelboymchen,dc=dol": db_open(/var/lib/openldap-data/id2entry.bdb) failed: No such file or directory (2).”
The conversion won't work with an empty database directory. You have to start the server at least once with a slapd.conf configuration to create some initial files.
The conversion went fine, but cn=config can't be found
If
  slapcat -b cn=config
works, it's a client configuration error. Or maybe you specified the wrong rootdn? Compare with
  slapcat -b cn=config | grep ^olcRoot
How to use a real database
So, I have a config database now. Great! But I also wanted to use LDAP for some real data. That was easy before – a short ldif defining an organization was all that was needed. Now a database definition (backend type, rootdn, suffix etc.) must be created first in the config database, for which I couldn't find a working example!
str2entry: invalid value for attributeType olcSuffix #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
I gave up on the automatic conversion to be able to try out the example from the man page, which adds the config database via ldif/slapadd instead of the conversion with slaptest. Not surprisingly it doesn't work, as others also found out.
Licensed under the Creative Commons Attribution-Share Alike 3.0 License.