LDAP initial configuration

Issues related to applications and software problems
Platoxia
Posts: 2
Joined: 2014/04/16 21:10:47

LDAP initial configuration

Post by Platoxia » 2014/04/16 21:51:34

I have no experience with LDAP whatsoever and cannot seem to find a step by step procedure for the initial configuration. I'm using the following as references:

https://access.redhat.com/site/document ... 1-OpenLDAP
http://www.openldap.org/doc/admin24/
Man pages for the tools

From what I have read I understand that I need to setup the initial configuration. The Redhat documentation clearly states that the use of slapd.conf is deprecated and that the configuration files are found in /etc/openldap/slapd.d/ which only contains the ldif files: "The slapd configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in Section 18.1.2.1, “Overview of OpenLDAP Server Utilities”" (the slap* tools).

Unfortunately, this is my roadblock, as I have no idea how to view the contents of ldif files with these tools...much less change any of the settings.

The only thing I've been able to do so far is "chown -R ldap:ldap /var/lib/ldap".

The openldap docs say: "Use your favorite editor to edit the provided slapd.conf", which clearly is not the way I am told to do it by the Redhat docs. All CentOS specific docs stop at CentOS 5...which is completely different from the LDAP setup in CentOS 6+.

Also, I've tried using the (apparently wrong) tool, ldapsearch, (with slapd running) to see what is in ldap (ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)')...but it returns 0 results.
So, the database doesn't exist yet and the configuration is entirely in LDIF files at this point?

I am only further confused by the following:

From what I understand so far, ldif files are plain text versions of the actual databases? The path /var/lib/ldap apparently holds the actual databases while the configuration files I need for slapd are in /etc/openldap/slapd.d/cn=config.ldif...which are all ldif files...which implies there is a database for them already (or not, I have no idea). Also, in the section titled "Changing the Global Configuration", it references the directives as olc*, which are given zero context whatsoever in the entire documentation.

I've searched google but every guide I've found either manually edits the ldif files, has a pre-requisite of disabling SELinux, or both...

TL;DR:

How do I setup the initial configuration for the slapd server using the prescribed method of using the slap* tools?
Last edited by Platoxia on 2014/04/16 23:08:26, edited 1 time in total.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: LDAP initial configuration

Post by TrevorH » 2014/04/16 23:04:45

When I did this, I had a slapd.conf file that was read once at the first startup and converted into files in /etc/openldap/slapd.d. So use a slapd.conf and have it contain all the information you want to start with like rootpw etc. Fire up the server, it adds that to the database and now you have something that can be used with ldapadd/ldapmodify. You should also know that there are at least two databases: one is cn=config which covers the configuration of the ldap server itself, the other one is the one containing your user information. Both need admin users set up for them with (most likely) different passwords and credentials.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Platoxia
Posts: 2
Joined: 2014/04/16 21:10:47

Re: LDAP initial configuration

Post by Platoxia » 2014/04/16 23:53:26

Thanks for the quick response TrevorH.

There is a small section in the Redhat docs that hasn't escaped my attention:

" In Red Hat Enterprise Linux 6, the slapd service uses a configuration database located in the /etc/openldap/slapd.d/ directory and only reads the old /etc/openldap/slapd.conf configuration file if this directory does not exist. If you have an existing slapd.conf file from a previous installation, you can either wait for the openldap-servers package to convert it to the new format the next time you update this package, or type the following at a shell prompt as root to convert it immediately:

~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
"

I also see this used frequently on many tutorials I've come across in my search for how to do this properly. Is it true, though, that there is really no way to edit ldif files with the slap* server utilities as prescribed by the Redhat docs? Is it that the ldif data needs to be added as a database first? I am simply baffled that Redhat would put this in their docs as the recommended method of editing ldif files if you cannot, in fact, edit ldif files with those tools.

In the realm of "just getting things done", I may simply have to do it the way you (and, apparently, most people) have done it. I would very much like to do it with the slap* tools if possible, since it is the prescribed method by Redhat.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: LDAP initial configuration

Post by TrevorH » 2014/04/17 00:04:03

You can edit the ldif files in the /etc/openldap/slapd.d directory using the admin username that's in that set of files. The best way to do it is to get your slapd.conf file ready and have it contain everything you want it to to enable the server to start up and run. Then rm the contents of /etc/openldap/slapd.d and start the server up and have it create the files there with the information from slapd.conf. Now you can start the server and use ldapadd/ldapmodify and it can change either the config database or it can change the user data you have stored there (user data meaning data belonging to you, the user, not "data about users" though that second might be part of the info you have there).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
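One way to do the step TrevorH describes (start slapd, then change the config database with the ldap* tools instead of editing the files under /etc/openldap/slapd.d), as an added example that is not code from this thread. It assumes the stock CentOS 6 layout, where the user database entry is olcDatabase={2}bdb,cn=config and root can manage cn=config over the ldapi:/// socket with SASL EXTERNAL; the suffix, root DN and hash values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from this thread): edit the cn=config database with the
# ldap* tools instead of touching the files under /etc/openldap/slapd.d.
# Assumptions: the default CentOS 6 packaging, whose main database entry is
# olcDatabase={2}bdb,cn=config and whose config ACL lets root manage cn=config
# over the ldapi:/// socket (SASL EXTERNAL, no password on the command line).
set -eu

# Refuse anything that is not a slappasswd-style hash ({SSHA}..., {CRYPT}...):
# olcRootPW lives in the config database, and a cleartext value there is
# readable by anyone who can read the config. Returns 0 for a hash, 1 otherwise.
is_hashed_pw() {
    case "$1" in
        '{'[A-Z0-9]*'}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a modify LDIF that sets suffix ($1), root DN ($2) and hashed root
# password ($3) on the default database entry. Each mod-spec ends with "-".
make_db_ldif() {
    is_hashed_pw "$3" || { echo "refusing cleartext olcRootPW; use slappasswd" >&2; return 1; }
    printf 'dn: olcDatabase={2}bdb,cn=config\nchangetype: modify\n'
    printf 'replace: olcSuffix\nolcSuffix: %s\n-\n' "$1"
    printf 'replace: olcRootDN\nolcRootDN: %s\n-\n' "$2"
    printf 'replace: olcRootPW\nolcRootPW: %s\n-\n' "$3"
}

# Count the attribute replacements in an LDIF file (sanity check before applying).
count_replaces() {
    grep -c '^replace: ' "$1"
}

# Apply an LDIF to cn=config as root over the local socket.
apply_config_ldif() {
    ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Read the live config the same way; this is how to "view" cn=config entries.
show_config() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "$@"
}

# Usage (run as root on the LDAP host):
#   HASH=$(slappasswd -s 'choose-a-real-secret')
#   make_db_ldif 'dc=example,dc=com' 'cn=Manager,dc=example,dc=com' "$HASH" > /tmp/db.ldif
#   apply_config_ldif /tmp/db.ldif && show_config '(olcSuffix=*)' olcSuffix olcRootDN
```

The same ldapmodify/ldapsearch pair works against the user database once it exists, binding as the olcRootDN instead of via ldapi:///; the slap* tools (slaptest, slapcat, slapadd) operate on the files directly and are for use while slapd is stopped.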

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: LDAP initial configuration

Post by chemal » 2014/04/17 01:12:56

... you can ... wait for the openldap-servers package to convert it to the new format the next time you update this package ...
Thank you for bringing this to my attention. I can't believe it, but the dunderheads at RH will really do this, I just checked their postinstall script.

So, after a new install of openldap you remove everything under /etc/openldap/slapd.d and put a show stopper in there, like this:

$ touch /etc/openldap/slapd.d/RH_IST_DOOF
After that, you can happily use the "old" slapd.conf to your heart's content.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: LDAP initial configuration

Post by TrevorH » 2014/04/17 01:47:41

This isn't a Redhat thing, it's the way openldap 2.4+ works. Creating dummy files in /etc/openldap/slapd.d is not the right way to get anywhere except into a mess.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: LDAP initial configuration

Post by chemal » 2014/04/17 02:19:34

While I haven't bookmarked it, I clearly remember having read a statement from the openldap people about two months ago: while the config file is already deprecated it is not going away soon. As of 2.4 it's fully supported or else how can there be automatic conversion? RH just copied that nonsense from Fedora 12. With 2.4 you can still decide if you want a simple readable config file or this unmaintainable disgusting mess in slapd.d.

Thanks to the OP again for mentioning what RH is up to with the next update. This is not mandated by openldap but scripted nonsense by Fedora and RH.
