
Re: Slapd.d Config File

Ted Johnson wrote:
> After about 150 hours of researching LDAP/OpenLDAP, I have finally come to the realization, among many others, that I need to build a slapd.d configuration file

That's supposed to be a directory, not a file.

> , not a slapd.conf configuration file.

A slapd.conf is just fine. If you want to use the __new__ cn=config database, slapd or any other tool can generate it for you starting from slapd.conf, using the -f and the -F switches simultaneously.

> There are differences, but the documentation I've read thus far unfortunately clouds the issues.

Maybe you didn't use the right documentation?

> I have the following questions:
>
> * Does someone out there in OpenLDAP-land have a slapd.d conf file they could share?

Try "slapd -f your-slapd.conf -F your-already-existing-empty-configuration-dir"

> That would help me more than the rest of these questions.
> * Do I want to include LDIF schema files, or SCHEMA schema files, or both?

See above

> * Which format do I use below: A or B?
>         A) include    /usr/share/openldap/schema/core.schema
>         B) olcInclude    /usr/share/openldap/schema/core.schema
>    Or is *this* correct?
>         C) include: file:///usr/local/etc/openldap/schema/core.ldif

See above

> * What is the difference between the attributeTypes/objectClasses in the *.schema files and the olcAttributeTypes/olcObjectClasses in the *.ldif files? What was the point in renaming them? To cut down on confusion? (I dare say it didn't.)

See above

> * Do I still need an ldap.conf file?

ldap.conf never had anything to do with slapd, nor does it now (with a __big__ exception: client-side features of slapd, like back-ldap/back-meta and slurpd/syncrepl, always used and still use ldap.conf for SSL-related settings; there is work in this area to streamline things).

> * Are the following still correct?
>         pidfile        /var/run/ldap/slapd.pid
>         argsfile    /var/run/ldap/slapd.args
>         modulepath    /usr/lib/openldap

pam_ldap has never been a valid slapd.conf directive

>         sasl-host ldap.2012.vi
>         TLSRandFile            /dev/random
>         TLSCipherSuite         HIGH:MEDIUM:+SSLv2
>         TLSCertificateFile      /etc/ssl/openldap/ldap.pem
>         TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
>         TLSCACertificatePath   /etc/ssl/openldap/
>         TLSCACertificateFile    /etc/ssl/cacert.pem
>         TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
>         TLSVerifyClient demand # ([never]|allow|try|demand)

A hash mark ('#') followed by text is interpreted as an argument to the command that starts the line, not as a comment (as I assume you mean it).

>         loglevel 256
>         database        bdb
>         suffix        "dc=2012,dc=vi"
>         rootdn        "cn=admin,dc=2012,dc=vi"
>         directory    /var/lib/ldap
>         index        objectClass                        eq,pres
>         access: to dn.base="/var/lib/ldap" by root read

No colon (':') after "access" is allowed in the "access" access control directive

> database monitor

The above seems to be a collection of partially incorrect slapd.conf statements. Provided you fix what's wrong, it should be fine to generate the cn=config database following the indications above. Note that you don't have to generate the cn=config database unless you intend to use it, and I suggest you don't until you understand all the implications and its general usefulness. From your message, it appears you didn't understand it yet, and you got the false perception that the traditional way of configuring slapd is no longer valid, which is absolutely not true.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
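As an added example (not code from the reply above, from Ted's post, or from OpenLDAP itself): a POSIX shell script that lints a slapd.conf fragment for the two mistakes the reply calls out (a '#' after a directive, which slapd reads as an argument, and a colon after "access"), plus two things a security reviewer would flag in the posted TLS lines (SSLv2 enabled in TLSCipherSuite, and TLSCACertificateFile given twice), and then hands the corrected file to slaptest -f/-F to produce the cn=config directory the way the reply describes for slapd. The sample configurations are constructed for the example, and the replacement cipher string HIGH:!aNULL:!MD5 is an assumed illustration, not a recommendation from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenLDAP.
# Lints a slapd.conf for the mistakes named in the reply, then converts
# the corrected file to a cn=config directory with slaptest -f/-F.
set -u

# Constructed sample reproducing the posted fragment, errors included.
write_sample_conf() {
  cat > "$1" <<'EOF'
# a '#' in column 1 starts a comment line; slapd ignores these
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
TLSCipherSuite  HIGH:MEDIUM:+SSLv2
TLSCACertificateFile  /etc/ssl/cacert.pem
TLSCACertificateFile  /etc/ssl/openldap/ldap.pem
TLSVerifyClient demand # ([never]|allow|try|demand)
database        bdb
suffix          "dc=2012,dc=vi"
access: to dn.base="/var/lib/ldap" by root read
database monitor
EOF
}

# Corrected version: comment moved to its own line, colon dropped, one CA file,
# and an assumed cipher string without SSLv2 (HIGH:!aNULL:!MD5 is only an example).
write_fixed_conf() {
  cat > "$1" <<'EOF'
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
TLSCipherSuite  HIGH:!aNULL:!MD5
TLSCACertificateFile  /etc/ssl/cacert.pem
# TLSVerifyClient: never | allow | try | demand
TLSVerifyClient demand
database        bdb
suffix          "dc=2012,dc=vi"
access to dn.base="/var/lib/ldap" by root read
database monitor
EOF
}

# lint_slapd_conf FILE: print one finding per line; exit status = number of findings.
# A '#' inside a quoted argument would also be flagged, so treat findings as hints.
lint_slapd_conf() {
  awk '
    function warn(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; n++ }
    BEGIN {
      # directives expected once; a repeat means one of the values is not in effect
      split("pidfile argsfile tlsciphersuite tlscacertificatefile tlscertificatefile tlscertificatekeyfile tlsverifyclient", a, " ")
      for (i in a) single[a[i]] = 1
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment and blank lines
    /#/ { warn("\"#\" after a directive is an argument, not a comment") }
    /^[[:space:]]*access:/ { warn("\"access\" takes no colon") }
    tolower($1) == "tlsciphersuite" && /SSLv2/ { warn("TLSCipherSuite enables SSLv2") }
    { k = tolower($1); if (k in single) seen[k]++ }
    END {
      for (k in seen) if (seen[k] > 1) { printf "%s: %s given %d times\n", FILENAME, k, seen[k]; n++ }
      exit n
    }' "$1"
}

# convert_to_cn_config CONF DIR: build the cn=config database from slapd.conf
# without starting the server (slapd -f CONF -F DIR does the same on start-up).
convert_to_cn_config() {
  command -v slaptest >/dev/null 2>&1 || { echo "slaptest not installed; skipping" >&2; return 2; }
  mkdir -p "$2" && slaptest -f "$1" -F "$2"
}

# Run as: sh slapd-lint.sh demo [target-slapd.d-dir]
if [ "${1:-}" = "demo" ]; then
  conf=$(mktemp)
  write_sample_conf "$conf"; lint_slapd_conf "$conf" || echo "-> $? problem(s) in the posted fragment"
  write_fixed_conf "$conf";  lint_slapd_conf "$conf" && echo "-> corrected fragment is clean"
  convert_to_cn_config "$conf" "${2:-./slapd.d}"
  rm -f "$conf"
fi
```

The linter is deliberately narrow: it checks only the syntax points raised in the reply and the two TLS issues visible in the posted lines, and it runs with awk alone so it can be used on a host where slapd is not yet installed. The conversion step needs slaptest from the same OpenLDAP build that will run the server, and the target directory should be empty, as the reply says.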