OpenLDAP Faq-O-Matic : OpenLDAP Software FAQ : Configuration : SLAPD Configuration : Backends : The BDB/HDB backend (How do I setup/configure back-bdb/back-hdb?) :
How do I setup the BDB backend?The Berkeley Database backend is the prefered database backend to use with OpenLDAP. However, it requires a lot of (correct) configuration in order for the backend to perform well. Below are the configuration options I've found to work. I've broken up my configuration into three sections
Basic Configuration
The basic configuration options the should be defined for the bdb backend such as the base naming context, root distinguished name and password, caching and checkpointing.
Index Configuration
The indexes that need to be configured to use LDAP as a replacement for NIS as well as for common usage.
Basic BDB Backend Configuration
#
# Base Database Type and Domain
#
database bdb
suffix "dc=somedomain,dc=com"
#
# Distinguished Name allowed complete
# access to database backend.
#
# This section should be removed after
# the initial databases have been
# created and loaded.
#
rootdn "cn=Manager,dc=somedomain,dc=com"
rootpw {CRYPT}<some crypt password>
#
# Database Directory
#
directory /opt/openldap/var/bdb-data
#
# Set the entry cache size to 5000.
#
cachesize 5000
#
# Set transactional checkpoint.
#
checkpoint 512 720
database <dbtype>The database type that this backend uses. Since we are using Berkeley Database we define this to be bdb .
suffix <dn suffix>
The distinguished name suffix for this database. All queries using this suffix will be directed to this database. For example, if we define suffix "dc=somedomain,dc=com" for this database then an LDAP query against "uid=user,ou=People,dc=somedomain,dc=com" will be directed to this backend.
rootdn <dn>
The distinguished name that has complete access to the database. This dn does not need to be associated with an entry in the database (though it can be). This value is useful for intially populating a database, but afterwords it would be wise to remove the rootdn and rootpw configuration options so that administrative access is not so easily exposed.
rootpw <password>
The password for the root distinguished name. I use a crypt generated password because that is the default password type for my system. I'm not sure that that is absolutely necessary, but regardless of the password type used by the rootdn, if this configuration option is used then you must make the slapd.conf file readable only by root.
directory <path>
Directory where the Berkeley Database files will be placed. This option only effects where the indexes and data tables lie. Transaction logs and temporary space are controlled by the DB_CONFIG configuration file. This directory is also where the DB_CONFIG file should be placed.
cachesize <num entries>
Specify the number of entries which should be held in memory. This value is separate from the set_cachesize option in DB_CONFIG and is used by the slapd process for it's own internal cache.
checkpoint <kbyte> <min>
Specify how often the berkeley database transaction log is checkpointed. A checkpoint will occur when either <kbytes> of data have been written to the transaction logs, or <min> minutes have passed since the last checkpoint, which ever comes first.
It should be noted that the longer the interval between checkpoints, the more likely it is that changes to your databases will be unrecoverable in the event of system failure. However, if you don't make changes to your databases that often, then this parameter might reduce your disk activity.
DB_CONFIG File
The underlying Berkeley Database has its own configuration file, DB_CONFIG. This file contains tuning configuration such as in memory cache, logging parameters, transaction controls, and locking controls. If you're going to have a well run bdb backend, you must create this file. See http://www.sleepycat.com/docs/ref/env/db_config.html for details.
Why isn't all of this essential Sleepycat's BerkeleyDB documentation integrated directly into OpenLDAP's documentation?