slapd.conf
Configuration file
The configuration for slapd and slurpd requires a little bit of care. First get slapd working before moving on to slurpd. (slurpd should be straightforward once slapd is running.)
You need to restart slapd and slurpd each time you make changes to slapd.conf. I have found that the first call to the LDAP server after a restart does not return any results. After that things work fine. (This might save you time trying to chase up a "misconfiguration".)
Passwords
The root password (rootpw) can be stored in clear text or hashed within slapd.conf. It is a good idea to hash the password to protect it from prying eyes. Use slappasswd to do this. It has the option of several hashing algorithms. Check the slappasswd(8C) manpage.
[lance@ldap]$ slappasswd -h {md5}
This will create the hashed password that you can then copy to slapd.conf.
The credentials for the replication server must be held as clear text in the replica directive. Thus it is a good idea to have a separate password for each server. (You did already, didn't you?)
Master LDAP server
First define where the replication server is with the replica directive. The binddn should be the same as the updatedn on the replication server. The credentials cannot be a hashed password.
replica host=ldap2.your.site.com:389 binddn="cn=Manager,dc=your,dc=site,dc=com" bindmethod=simple credentials=replication_password
The second directive, replogfile, simply defines the location of the file that holds changes to the master server until they are propagated to the replication (slave) server.
replogfile /usr/local/var/openldap-slurp/replication.log
slurpd automatically creates a directory /usr/local/var/openldap-slurp so I decided to place the replogfile in there.
Replication (Slave) LDAP server
updatedn "cn=Manager,dc=your,dc=site,dc=com"
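As an added example (not code from the original page), the following POSIX shell script checks a master and a slave slapd.conf for the points made in the Passwords and replication sections above: a rootpw that is not slappasswd output, a replica directive whose clear-text credentials reuse rootpw or sit in a file readable by group or other, and a binddn on the master that does not match updatedn on the slave. The sample configuration files, the placeholder hash and the passwords are constructed; the parser assumes the classic slapd.conf syntax shown on this page, with no whitespace inside quoted values.

```sh
#!/bin/sh
# Added example, not from the original page: audit the password handling the
# page describes. Assumes classic slapd.conf syntax (rootpw, replica ... with
# key=value options, updatedn) and no whitespace inside quoted values.

# Print the unquoted value of the first occurrence of a directive.
conf_value() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { v = $2; gsub(/^"|"$/, "", v); print v; exit }' "$1"
}

# Print one key=value option of the replica directive (binddn, credentials, host).
replica_option() {   # $1 = config file, $2 = option name
    awk -v k="$2" '$1 == "replica" {
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == k) {
                v = substr($i, length(k) + 2); gsub(/^"|"$/, "", v); print v; exit
            }
        }
    }' "$1"
}

# Group and other permission bits of a file, "------" for mode 0600.
other_perms() {
    ls -l "$1" | cut -c5-10
}

# Print one finding per line for a master server's slapd.conf.
audit_master() {   # $1 = master slapd.conf
    rootpw=$(conf_value "$1" rootpw)
    creds=$(replica_option "$1" credentials)
    case "$rootpw" in
        "")   ;;   # no rootpw directive
        "{"*) ;;   # slappasswd output such as {SSHA}... or {MD5}...
        *)    echo "rootpw is stored in clear text; replace it with slappasswd output" ;;
    esac
    if [ -n "$creds" ]; then
        # credentials= can only be clear text, so the file itself has to be protected
        [ "$(other_perms "$1")" = "------" ] \
            || echo "replica credentials are clear text but $1 is readable by group/other"
        [ "$creds" != "$rootpw" ] \
            || echo "replica credentials reuse rootpw; use a separate password per server"
    fi
}

# Print a finding when the master's binddn is not the slave's updatedn.
check_update_dn() {   # $1 = master slapd.conf, $2 = slave slapd.conf
    binddn=$(replica_option "$1" binddn)
    updatedn=$(conf_value "$2" updatedn)
    [ "$binddn" = "$updatedn" ] \
        || echo "binddn $binddn on the master differs from updatedn $updatedn on the slave"
}

# Constructed sample files; every password and hash below is a placeholder.
make_samples() {   # $1 = directory to write master.conf, slave.conf and good.conf into
    cat > "$1/master.conf" <<'EOF'
# weak on purpose: clear-text rootpw, reused for replication, world-readable file
rootpw replication_password
replica host=ldap2.your.site.com:389 binddn="cn=Manager,dc=your,dc=site,dc=com" bindmethod=simple credentials=replication_password
replogfile /usr/local/var/openldap-slurp/replication.log
EOF
    chmod 644 "$1/master.conf"
    cat > "$1/slave.conf" <<'EOF'
updatedn "cn=Replicator,dc=your,dc=site,dc=com"
EOF
    cat > "$1/good.conf" <<'EOF'
rootpw {SSHA}placeholder-hash-from-slappasswd
replica host=ldap2.your.site.com:389 binddn="cn=Replicator,dc=your,dc=site,dc=com" bindmethod=simple credentials=placeholder-replication-only
EOF
    chmod 600 "$1/good.conf"
}

dir=$(mktemp -d)
make_samples "$dir"
echo "== $dir/master.conf"
audit_master "$dir/master.conf"
echo "== binddn vs updatedn"
check_update_dn "$dir/master.conf" "$dir/slave.conf"
rm -rf "$dir"
```

Run audit_master against the real master slapd.conf and check_update_dn against a copy of the slave's file; no output means none of the three problems was found. The permission check matters because, as noted above, the replica credentials cannot be hashed, so the file is the only thing standing between that password and anyone with a login on the master.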
Useful tools
slapcat and slapadd are used to manually transfer data between ldap servers. It is advisable to shut down slapd so that updates to the database are stopped.
- To dump the complete contents of an ldap server out into an ldif file, use slapcat -l file.ldif
- Use slapadd -l file.ldif to load the data into a replica ldap server (where file.ldif is the file created by slapcat).
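An added example, not part of the original page: before loading a slapcat dump onto the replica with slapadd, it is worth checking the file. The script below counts the entries in an LDIF file, confirms that the base entry for the suffix is present, and flags a dump that carries userPassword hashes but is readable by group or other. It unfolds LDIF continuation lines first so that a DN wrapped across lines still matches. The sample LDIF, the suffix and the placeholder hash are constructed; DNs written in base64 (dn::) are counted as entries but not compared against the suffix.

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check a slapcat dump before
# loading it on the replica with slapadd. Only plain (non-base64) dn: lines are
# compared against the suffix.

# Join LDIF continuation lines (leading space) back onto their attribute line.
unfold_ldif() {   # $1 = ldif file
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' "$1"
}

# Number of entries (dn: or base64 dn:: lines) in the dump.
ldif_entry_count() {
    unfold_ldif "$1" | awk '/^dn::? / { n++ } END { print n + 0 }'
}

# 1 if the base entry of the suffix is present (case-insensitive compare), else 0.
ldif_has_base() {   # $1 = ldif file, $2 = suffix, e.g. dc=your,dc=site,dc=com
    unfold_ldif "$1" | awk -v s="$2" \
        'tolower($0) == ("dn: " tolower(s)) { f = 1 } END { print f + 0 }'
}

# Number of entries that carry a userPassword value: the dump holds password hashes.
ldif_password_count() {
    unfold_ldif "$1" | awk '/^userPassword::? / { n++ } END { print n + 0 }'
}

# Print findings for a dump; nothing printed means it looks fine to load.
verify_ldif_dump() {   # $1 = ldif file, $2 = suffix, $3 = minimum entries expected
    n=$(ldif_entry_count "$1")
    [ "$n" -ge "$3" ] || echo "only $n entries, expected at least $3"
    [ "$(ldif_has_base "$1" "$2")" -eq 1 ] || echo "base entry $2 missing from dump"
    if [ "$(ldif_password_count "$1")" -gt 0 ] \
       && [ "$(ls -l "$1" | cut -c5-10)" != "------" ]; then
        echo "dump contains userPassword hashes but is readable by group/other; chmod 600 it"
    fi
}

# Constructed sample dump: the base DN is folded on purpose; the hash is a placeholder.
make_sample_ldif() {   # $1 = output file
    cat > "$1" <<'EOF'
dn: dc=your,dc=site,
 dc=com
objectClass: dcObject
objectClass: organization
dc: your
o: Your Site

dn: cn=Manager,dc=your,dc=site,dc=com
objectClass: organizationalRole
cn: Manager

dn: uid=someuser,ou=People,dc=your,dc=site,dc=com
objectClass: account
objectClass: posixAccount
uid: someuser
userPassword: {SSHA}placeholder-not-a-real-hash
EOF
}

f=$(mktemp)
make_sample_ldif "$f"
chmod 644 "$f"
echo "== mode 644"
verify_ldif_dump "$f" dc=your,dc=site,dc=com 3
chmod 600 "$f"
echo "== mode 600 (no findings expected)"
verify_ldif_dump "$f" dc=your,dc=site,dc=com 3
rm -f "$f"
```

Run verify_ldif_dump against the file produced by slapcat -l on the master before copying it to the replica. The dump contains every userPassword hash in the directory, so it deserves the same protection as slapd.conf itself, and it should be deleted from both machines once slapadd has finished.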
Some notes
When adding an index to slapd.conf, make sure you rebuild the index using slapindex.
- Edit slapd.conf and add the index.
- From the command line run slapindex.
- Restart slapd.
uid and received the error "su: user l.rathbone does not exist" when I tried to su into a machine with an LDAP account. The index and thus the user did not exist!
Author: Lance Rathbone
Last modified: Wednesday June 18, 2008