slapd.conf
Configuration file
The configuration for slapd and slurpd requires a little bit of care. First get slapd working before moving on to slurpd.
(slurpd should be straight forward once slapd is running)
You need to restart slapd and slurpd each time you make changes to the slapd.conf. I have found that the first call to the LDAP server after a restart does not return any results. After that things work fine. (This might save you time trying to chase up a "misconfiguration".)
Passwords
The root password (rootpw) can be stored in clear text or hashed within slapd.conf. It is a good idea to hash the password to protect it from prying eyes.
Use slappasswd to do this. It has the option of several hashing algorithms. Check the slappasswd (8C) manpage.
[lance@ldap]$ slappasswd -h {md5}
This will create the hashed password that you can then copy to slapd.conf.
The credentials for the replication server must be held as clear text in the replica directive. Thus it is a good idea to have a separate password for each server. (You did already, didn't you?)
Master LDAP server
First define where the replication server is with the replica directive. The binddn should be the same as the updatedn on the replication server. The credentials cannot be a hashed password.
replica host=ldap2.your.site.com:389 binddn="cn=Manager,dc=your,dc=site,dc=com" bindmethod=simple credentials=replication_password
The second directive replogfile simply defines the location of the file that holds changes to the master server until they are propagated to the replication (slave) server.
replogfile /usr/local/var/openldap-slurp/replication.log
slurpd automatically creates a directory /usr/local/var/openldap-slurp so I decided to place the replogfile in there.
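The two password rules above (hash the rootpw, never reuse it as the replica's clear-text credentials) are easy to check before restarting slapd. The following is an added example, not part of the original page or of OpenLDAP: it reproduces the {MD5} and {SSHA} formats that slappasswd emits, verifies a password against a hash copied from slapd.conf, and audits a constructed slapd.conf fragment (placeholder DNs, host and passwords) for the two slips.

```python
import base64
import hashlib
import os
import re

def ldap_hash(scheme, password, salt=None):
    """RFC 2307 style hash as slappasswd emits it: {MD5} or {SSHA} + base64."""
    pw = password.encode()
    if scheme == "{MD5}":
        digest = hashlib.md5(pw).digest()
    elif scheme == "{SSHA}":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest() + salt  # salt is appended in the clear
    else:
        raise ValueError("unsupported scheme " + scheme)
    return scheme + base64.b64encode(digest).decode()

def ldap_verify(stored, password):
    """True if password matches a rootpw value copied from slapd.conf (clear or hashed)."""
    m = re.match(r"(\{[A-Za-z0-9]+\})(.*)$", stored)
    if not m:
        return stored == password                     # clear-text rootpw
    scheme = m.group(1).upper()
    if scheme not in ("{MD5}", "{SSHA}"):
        return False                                  # e.g. {CRYPT}: not handled here
    salt = base64.b64decode(m.group(2))[20:] if scheme == "{SSHA}" else None
    return ldap_hash(scheme, password, salt) == scheme + m.group(2)

def audit_conf(text):
    """Report the two slips the page warns about: clear-text rootpw, reused password."""
    rootpw, creds, findings = "", None, []
    for line in text.splitlines():
        if line.startswith("rootpw"):
            rootpw = line.split(None, 1)[1].strip().strip('"')
        elif line.startswith("replica"):
            m = re.search(r'credentials="?([^"\s]+)', line)
            creds = m.group(1) if m else creds
    if not rootpw.startswith("{"):
        findings.append("rootpw stored in clear text")
    if creds is not None and ldap_verify(rootpw, creds):
        findings.append("replica credentials reuse the rootpw")
    return findings
# Constructed slapd.conf fragments with placeholder DNs, host and passwords (not a real site).
CONF_TEMPLATE = (
    'rootdn "cn=Manager,dc=your,dc=site,dc=com"\nrootpw %s\n'
    'replica host=ldap2.your.site.com:389 binddn="cn=Manager,dc=your,dc=site,dc=com" bindmethod=simple credentials=%s\n'
    "replogfile /usr/local/var/openldap-slurp/replication.log\n"
)
GOOD_CONF = CONF_TEMPLATE % (ldap_hash("{SSHA}", "master_secret"), "replication_password")
BAD_CONF = CONF_TEMPLATE % ("master_secret", "master_secret")  # both slips at once
```

audit_conf(BAD_CONF) returns both findings, while GOOD_CONF returns an empty list.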
Replication (Slave) LDAP server
updatedn "cn=Manager,dc=your,dc=site,dc=com"
Useful tools
slapcat and slapadd are used to manually transfer data between ldap servers. It is advisable to shut down slapd so that updates to the database are stopped.
- To dump the complete contents of an ldap server out into an ldif file use slapcat -l file.ldif
- Use slapadd -l file.ldif to upload a replica ldap server (where file.ldif is the file created by slapcat).
Some notes
When adding an index to slapd.conf, make sure you rebuild the index using slapindex.
- Edit slapd.conf and add the index.
- From the command line run slapindex.
- Restart slapd.
uid and received the error "su: user l.rathbone does not exist" when I tried to su into a machine with an LDAP account. The index and thus the user did not exist!
Author: Lance Rathbone
Last modified: Wednesday June 18, 2008