Openldap configuration files and usage

How do you identify the OpenLDAP configuration files, and what is the purpose and usage of each file or directory? The OpenLDAP configuration files are the same in every distribution, but their location may vary.

The image below illustrates how the configuration files are used by the OpenLDAP service, followed by a brief description of each component.

[Image: LDAP configuration file connectivity]

1. slapd.conf

This is one of the most important configuration files. All LDAP configuration is defined here in the form of directives and values.

Since OpenLDAP 2.3 a dynamic runtime configuration engine has been supported, so slapd.conf is no longer required to start the slapd service. Instead, the directives defined in slapd.conf are converted into LDIF files and stored in the configuration data store. The slapd.conf file is still needed for two purposes:

  1. To configure an LDAP server from scratch
  2. To restore an LDAP server if it has crashed

Example

database             bdb

This marks the start of a new bdb-type database instance. All other configuration related to this database must come beneath it.

2. Dynamic configuration data store

This is the directory where all the configuration LDIF files are stored. It must exist before the service starts. The slapd.conf file is used to generate the LDIF files; they can be generated with the slaptest or slapcat command by supplying slapd.conf as input. The path of the data store directory can be queried with this command.

#ldapsearch -xw $PASS -D $ROOTDN -b cn=config -LLL|more
dn: cn=config
objectClass: olcGlobal
olcConfigFile: slapd.conf
olcConfigDir: slapd.d/

The config file and data store location (slapd.d/) are relative to the OpenLDAP base directory. I am using a Red Hat distribution, where the OpenLDAP base directory is /etc/openldap. This can only be changed at compile time. Other distributions may use /usr/local/etc/openldap as the base directory.

3. Configuration LDIF files

These are plain text files in LDIF (LDAP Data Interchange Format) form. OpenLDAP stores the whole directory configuration here. These LDIF files contain the configuration directives and their values, created from the given slapd.conf file. The values can be changed or added using ldapadd, ldapdelete or ldapmodify.

Example

Below is the configuration that makes the slapd service start with the ppolicy module loaded.

dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}ppolicy.la

4. Openldap Database files

So far we have seen how the configuration files are handled. What about our own information, such as users and hosts? These are stored in the database files, which can only be read through the OpenLDAP service. Confidential information such as user passwords is always stored in encrypted form. The location of the database files can be seen with this command.

#ldapsearch -xw $PASS -D $ROOTDN -b olcDatabase={2}bdb,cn=config -LLL |more
dn: olcDatabase={2}bdb,cn=config
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap

From the above output, /var/lib/ldap is the location of the database files. The directory must exist before the service starts; the database files inside it are created automatically if they are not present.

5. PID file

There is nothing to do with the PID file; it is for informational purposes only.

#ldapsearch -xw config1 -D cn=config -b cn=config -LLL olcPidFile |more
dn: cn=config
olcPidFile: /var/run/openldap/slapd.pid

6. Find ROOTDN

Did you forget the ROOTDN username? No worries, it can be viewed with these commands.

ROOTDN of config database

#cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif |grep -i ROOT
olcRootDN: cn=config
olcRootPW: {SSHA}U6We6NSozdJGKT40a5……

ROOTDN of bdb database

#cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif |grep -i root
olcRootDN: cn=Manager,dc=sunt,dc=com
olcRootPW:: e1NTSEF9V2tVWmxCV2R3cDc…………………

The ROOTDN password cannot be viewed, since it is always stored in encrypted format. If you have forgotten it you have to create a new one; a separate how-to document guides you through that.
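The configuration data store (section 2) and the olcRootDN/olcRootPW lookups above can be checked in one pass. The following script is an added example, not part of the original post: it walks slapd.d/cn=config/olcDatabase=*.ldif, decodes base64 ("::") LDIF values, and reports each database's root DN, data directory and whether olcRootPW carries a hashing scheme such as {SSHA}. It assumes GNU coreutils (base64 -d, find -perm) and the slapd.d/ layout shown on this page.

```shell
#!/bin/bash
# Added example: audit an OpenLDAP cn=config data store (slapd.d/).
# Exits non-zero when any olcRootPW is cleartext or a config LDIF file
# is readable by "others". Assumes GNU coreutils; paths are constructed.

# Print the value of one attribute from an LDIF file; "attr:: value"
# lines are base64-encoded (as olcRootPW is on this page) and get decoded.
ldif_attr() {
    local file="$1" attr="$2" line
    line=$(grep -E -m1 "^${attr}::? " "$file") || return 1
    case "$line" in
        "${attr}:: "*) printf '%s' "${line#*:: }" | base64 -d; echo ;;
        *)             printf '%s\n' "${line#*: }" ;;
    esac
}

# Classify an olcRootPW value: "hashed {SCHEME}", "CLEARTEXT" or "none".
rootpw_kind() {
    local scheme
    case "$1" in
        '')       echo none ;;
        '{'*'}'*) scheme=${1%%\}*}; echo "hashed $scheme}" ;;
        *)        echo CLEARTEXT ;;
    esac
}

# One summary line per olcDatabase entry under DIR/cn=config/.
audit_slapd_d() {
    local dir="$1" f db dn dbdir pw kind perm rc=0
    for f in "$dir"/cn=config/olcDatabase=*.ldif; do
        [ -e "$f" ] || continue
        db=$(ldif_attr "$f" olcDatabase)       || db='?'
        dn=$(ldif_attr "$f" olcRootDN)         || dn='-'
        dbdir=$(ldif_attr "$f" olcDbDirectory) || dbdir='-'
        pw=$(ldif_attr "$f" olcRootPW)         || pw=''
        kind=$(rootpw_kind "$pw")
        perm=private
        [ -n "$(find "$f" -perm -o=r)" ] && perm=WORLD-READABLE
        printf '%s rootdn=%s dbdir=%s rootpw=%s file=%s\n' \
            "$db" "$dn" "$dbdir" "$kind" "$perm"
        [ "$kind" = CLEARTEXT ] && rc=1
        [ "$perm" = WORLD-READABLE ] && rc=1
    done
    return $rc
}
```

Run it as `audit_slapd_d /etc/openldap/slapd.d` (or whatever olcConfigDir reports) on the server; a cleartext root password or a world-readable config LDIF is reported on the matching line and in the exit status.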

Was this information useful? Please write to me with any corrections or comments.
