Re: Modify cn=config

[Dan White <dwhite@olp.net>]

On 11/27/12 10:55 -0500, Rob "Bubba" Hines wrote:
> It's been a while since I touched LDAP, so I'm new to the latest 
> configuration changes. Admittedly, I find it aggravating that I can't 
> simply shutdown the LDAP server and modify the configuration, and 
> start it back up.
>
> Regardless, my intern stuck the wrong paths in for the TLSCerts, ldap 
> will not start up now ... I need to modify cn=config with the correct 
> paths, but I can't figure out how to get slap* to do it. It hates my 
> ldif, and I just want a simple way to change those three paths. I 
> assume that somewhere in the arcane knowledge that is LDAP, there is 
> a simple solution. But my Google FU has failed me, tho it has served 
> up numerous threads that talk around the problem without providing a 
> solution (or the solution provided was simply 'use slapadd' with no 
> direction on how to 'use slapadd').
>
> Here is the latest ldif I've attempted to use (to no avail) with slapadd:
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcTLSCACertificateFile: /etc/ldap/tls/cacert.pem
> olcTLSCertificateFile: /etc/ldap/tls/slapd.d/slapd_cert.pem
> olcTLSCertificateKeyFile: /etc/ldap/tls/slapd.d/slapd_key.pem
>
> I assume I just don't know how to write a correct LDIF. But I would 
> appreciate any help in modifying cn=config with the server down.

The following uses the slapcat/slapadd method to modify your config (in the
case where slapd is not running).  Adjust your paths and permissions
accordingly:

cd /etc/ldap
cp -a slapd.d/ /var/backups/slapd.d-pre-tls-change
mv slapd.d slapd.d.old
mkdir slapd.d
chown openldap:openldap slapd.d
chmod 755 slapd.d
slapcat -n0 -F /etc/ldap/slapd.d.old/ > /tmp/config-in-portable-format.ldif
<edit the ldif>
slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config-in-portable-format.ldif

--
Dan White