Re: Slapd.d Config File
Ted Johnson wrote:
In my original mail I've never specified what path you were supposed to
find slapd in.
----- Original Message ----
From: Pierangelo Masarati <firstname.lastname@example.org>
To: Ted Johnson <email@example.com>
Sent: Sunday, October 15, 2006 5:28:09 PM
Subject: Re: Slapd.d Config File
Ted Johnson wrote:
> * Does someone out there in OpenLDAP-land have a slapd.d conf file
> they could share?
Try "/usr/local/libexec/slapd -f slapd.conf -F ./slapd.d
Where your binaries are located, and what path you use is not relevant
to this discussion.
Interesting. It complained there was no slapd binary.
Now, that worried me. I ran a search and found a binary here:
I don't understand what "pam_ldap" may have to do with slapd's modules.
Also, I don't understand why you talk about modules if you don't have
any idea of what they're supposed to do. Note that, unless you build
slapd with module support, and you build components as modules, they
will be statically built into slapd. The fact that you use statically
built-in or run-time loaded modules, in any case, has nothing to do with
a general discussion on using cn=config; I suggest to keep the two
Now, since it wasn't in a bin dir, I didn't think that would work, but
I didn't think it would hurt anything either, so I ran your command
but with an absolute path to that binary, and voilà! there were the files.
> * Are the following still correct?
> pidfile /var/run/ldap/slapd.pid
> argsfile /var/run/ldap/slapd.args
> modulepath /usr/lib/openldap
pam_ldap has never been a valid slapd.conf directive
How does one include modules, then?
Also, do you know of a good reference that would list all the modules
with which OpenLDAP works and a description of them? Googled and got zip.
The questions you just asked are OpenLDAP specific, and in fact you got
OpenLDAP specific answers (as good as mine can be, at least). I don't
see how that list could have helped you thru details of very recent
OpenLDAP development. I'm not saying you can't ask beginner's
questions; of course they're welcome as soon as they can lead to
improving your (and others') understanding of how things work. It seems
to me that starting with cn=config while you don't appear to have a
clear understanding of how OpenLDAP's slapd works sounds a bit too
ambitious. All in all, cn=config is a __very__ new feature. My point
is that there's tons of info out there about how to configure slapd via
slapd.conf(5), and yet too little about how to do it using cn=config
(and the most authoritative documentation for both is the Admin Guide
<http://www.openldap.org/doc/admin23/>). So I suggest you stick with
slapd.conf(5) for now; it's up to you to follow advice, though :).
> sasl-host ldap.2012.vi
> TLSRandFile /dev/random
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/ssl/openldap/ldap.pem
> TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
> TLSCACertificatePath /etc/ssl/openldap/
> TLSCACertificateFile /etc/ssl/cacert.pem
> TLSCACertificateFile /etc/ssl/openldap/ldap.pem
> TLSVerifyClient demand # ([never]|allow|try|demand)
a hash mark ('#') followed by text is interpreted as an argument to the
command that starts the line, not as a comment (as I assume you mean it).
> loglevel 256
> database bdb
> suffix "dc=2012,dc=vi"
> rootdn "cn=admin,dc=2012,dc=vi"
> directory /var/lib/ldap
> index objectClass eq,pres
> access: to dn.base="/var/lib/ldap" by root read
No colon (':') after "access" is allowed in the "access" access control
> database monitor
The above seems to be a collection of partially incorrect slapd.conf
statements. Provided you fix what's wrong, it should be fine to
generate the cn=config database following indications above. Note that
you don't have to generate the cn=config database unless you intend to
use it, and I suggest you don't until you understand all the
implications and its general usefulness. From your message, it appears
you didn't understand it yet, and you got the false perception that the
traditional way of configuring slapd is no longer valid, which is
absolutely not true.
Well, I was just following directions ;) ***This list*** told me to
ask my beginner questions at firstname.lastname@example.org.
*That* list recommended all sorts of material to study. And there is a
__lot__ of confusion created from following these divergent
suggestions. Unfortunately, the documentation on openldap.org is
__very__limited__ and needs to be supplemented.
The project is open; the FAQ
<http://www.openldap.org/faq/data/cache/1.html> is interactive, and
<http://www.openldap.org/devel/contributing.html> details how to
contribute, if you think the documentation needs to be supplemented.
Saying that may sound a bit offensive to all persons that spent their
spare time in writing a fair amount of documentation (> 3 MB of man
pages; 16 chapters of Admin Guide; ~2000 nodes of FAQ; ...). If you can
suggest specific improvements to specific portions of documentation,
feel free to post them; if all you have to say is "__very__limited__",
well... (silently counting to a billion...)
Maybe easy for you guys, but I live on top of a mountain in the middle
of nowhere in the Dominican Republic with my trusty satellite
dish...and getting books here via Amazon takes longer than you'd think
and costs a fortune. So, I have to rely on what's available
online...and in this case, it's been disappointing, to say the least.
All documentation on OpenLDAP.org is plain HTML or txt (man pages), so
downloading it shouldn't be a big deal. Note that all the indications
you got so far from me have been taken from the Admin Guide
<http://www.openldap.org/doc/admin23/>. I don't know what documentation
you read so far, but if you didn't read (and understand) the Admin Guide
I strongly urge you to do so. Man pages like slapd.conf(5),
slapd.access(5) and backend (and overlay) specific pages, like
slapd-bdb(5) may be of help in understanding the details of each statement.
Ing. Pierangelo Masarati
OpenLDAP Core Team
Via Dossi, 8 - 27100 Pavia - ITALIA
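As an added example (not part of the thread or of OpenLDAP's own tooling), a small POSIX shell lint for the three slapd.conf(5) mistakes pointed out above (a colon after `access`, a `#` after a directive being read as an argument rather than a comment, and `pam_ldap` used as a directive), meant to run before `slaptest -f slapd.conf -F slapd.d` turns the file into cn=config. The sample config it checks is constructed from the lines quoted above; its `pam_ldap` line is a placeholder, since that line is not visible in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a slapd.conf for the
# slapd.conf(5) mistakes pointed out above before building slapd.d from it.
# lint_slapd_conf FILE prints "LINE: reason" per finding; returns 0 if clean.
lint_slapd_conf() {
    conf=$1
    n=0
    lineno=0
    # read splits each line into the directive and the rest of its arguments
    while read -r directive rest || [ -n "$directive" ]; do
        lineno=$((lineno + 1))
        case "$directive" in
            '' | '#'*) continue ;;   # blank line or whole-line comment: fine
            access:)
                echo "$lineno: 'access:' -- no colon after access is allowed"
                n=$((n + 1)) ;;
            pam_ldap)
                echo "$lineno: pam_ldap has never been a valid slapd.conf directive"
                n=$((n + 1)) ;;
        esac
        # a '#' after the directive is passed to it as an argument, not a comment
        case "$rest" in
            '#'* | *[[:space:]]'#'*)
                echo "$lineno: '#' after '$directive' is an argument, not a comment"
                n=$((n + 1)) ;;
        esac
    done < "$conf"
    [ "$n" -eq 0 ]
}
# Constructed sample (a temp file) reproducing the questionable lines above;
# the pam_ldap line is a placeholder for whatever was in the original config.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# slapd.conf fragment (constructed sample)
loglevel 256
TLSVerifyClient demand # ([never]|allow|try|demand)
pam_ldap enabled
access: to dn.base="/var/lib/ldap" by root read
database monitor
EOF
    echo "$f"
}
conf=$(write_sample_conf)
if lint_slapd_conf "$conf"; then
    echo "clean: slaptest -f $conf -F ./slapd.d"   # slaptest(8) -F writes cn=config
else
    echo "fix the findings above before running slapd or slaptest with -F"
fi
```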