Today I upgraded an OpenLDAP 2.3.x running on an aging custom Linux distro to a brand new Ubuntu 10.04 LTS with OpenLDAP 2.4.x.
I was surprised by the lack of a `slapd.conf’ config file, which is replaced by a `cn=config’ subdir, with a bunch of .ldif files in it.
You’ll find the documentation for this new config layout here: http://www.openldap.org/doc/admin24/slapdconf2.html
This is in fact a rewrite of the usual `slapd.conf’ directives in LDIF notation.
So here is a quick overview to create the first database.
– Load the bdb backend module:
# cat <<EOF > /etc/ldap/slapd.d/cn=config/cn=module.ldif
dn: cn=module
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_bdb
EOF
– Declare and prepare your database:
# mkdir -p /var/lib/ldap/dc=example,dc=net
# chown openldap: /var/lib/ldap/dc=example,dc=net
# cat <<EOF > /etc/ldap/slapd.d/cn=config/olcDatabase={0}bdb.ldif
dn: olcDatabase=bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcDbDirectory: /var/lib/ldap/dc=example,dc=net
olcSuffix: dc=example,dc=net
olcRootDN: cn=Manager,dc=example,dc=net
olcRootPW: {SSHA}FoViJYh9j7H4vw9ELVXzhKuXEMJwXOzJ
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,sn,cn,mail,givenName eq,pres,sub
olcAccess: to dn.regex="^ou=([^,]*),dc=people,(.*)$" by dn.regex="uid=$1,dc=users,$2" read by group.expand="cn=$1,dc=people,$2" read by * none
olcAccess: to dn.regex="^uid.*,ou=([^,]*),dc=people,(.*)$" by dn.regex="uid=$1,dc=users,$2" read by group.expand="cn=$1,dc=people,$2" read by * none
olcAccess: to attrs=userPassword by anonymous auth by self read by * none
olcAccess: to * by dn="cn=Manager,dc=example,dc=net" write by anonymous read by * read
EOF
– Activate the `cosine’, `nis’ and `inetorgperson’ schemas:
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
– Check your configuration by running `slapd’ manually with debug:
# slapd -d 3 -h 'ldap:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
– Dump your data on the old server with `slapcat’:
# slapcat -b dc=example,dc=net -l dump.ldif
– Load the dumped data on the new server with `slapadd’:
# slapadd -b dc=example,dc=net -l dump.ldif
– Restart LDAP on the new server:
# /etc/init.d/slapd start
– Do an `ldapsearch’ to test that everything is present:
# ldapsearch -H ldapi:/// -b dc=example,dc=net -D cn=Manager,dc=example,dc=net -W -x
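To make the `slapd.conf’-to-LDIF correspondence mentioned at the top concrete, here is a small added Python converter (my own illustration, not code from the original post, and not a substitute for OpenLDAP's own `slaptest -f slapd.conf -F slapd.d’ conversion). It rewrites one `database’ stanza into an olcDatabase entry like the one created above, and handles the indented continuation lines slapd.conf uses for multi-line `access’ directives; DIRECTIVE_MAP, the function names and the sample config are assumptions of this example.

```python
"""Rewrite a slapd.conf 'database' stanza in cn=config (olc*) LDIF notation."""

# slapd.conf directive -> cn=config attribute (same mapping the post's LDIF uses).
DIRECTIVE_MAP = {
    "suffix": "olcSuffix",
    "rootdn": "olcRootDN",
    "rootpw": "olcRootPW",
    "directory": "olcDbDirectory",
    "index": "olcDbIndex",
    "access": "olcAccess",
}

# Constructed slapd.conf fragment in the old 2.3 syntax (not from the original page).
SAMPLE_SLAPD_CONF = """\
include /etc/ldap/schema/core.schema
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
directory /var/lib/ldap/dc=example,dc=net
index objectClass eq,pres
access to attrs=userPassword
    by anonymous auth
    by self read
    by * none
"""

def join_continuations(text):
    """slapd.conf folds a directive by indenting the following lines; unfold them."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()  # continuation of the previous directive
        else:
            lines.append(raw.rstrip())
    return lines

def slapd_conf_to_olc(text, index=1):
    """Return the LDIF entry for the first 'database' stanza found in text."""
    backend, attrs = None, []
    for line in join_continuations(text):
        parts = line.split(None, 1)
        directive, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "database":
            if backend is not None:
                break  # a second stanza starts; only the first is converted
            backend = value.strip()
        elif backend is not None and directive in DIRECTIVE_MAP:
            # slapd.conf quotes DNs; olc* attribute values are written bare.
            attrs.append(f"{DIRECTIVE_MAP[directive]}: {value.strip().strip(chr(34))}")
    if backend is None:
        raise ValueError("no 'database' stanza found")
    header = [f"dn: olcDatabase={{{index}}}{backend},cn=config",
              "objectClass: olcDatabaseConfig",
              f"objectClass: olc{backend.capitalize()}Config",
              f"olcDatabase: {{{index}}}{backend}"]
    return "\n".join(header + attrs) + "\n"
```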