Re: Slapd.d Config File
Ted Johnson wrote:
> Hi;
> After about 150 hours of researching LDAP/OpenLDAP, I have finally
> come to the realization, among many others, that I need to build a
> slapd.d configuration file

That's supposed to be a directory, not a file.

> , not a slapd.conf configuration file.

A slapd.conf is just fine. If you want to use the __new__ cn=config
database, slapd or any other tool can generate it for you starting from
slapd.conf, using simultaneously the -f and the -F switches.

> There are differences, but the documentation I've read thus far
> unfortunately clouds the issues.

Maybe you didn't use the right documentation?

> I have the following questions:
> * Does someone out there in OpenLDAP-land have a slapd.d conf file
> they could share?

Try "slapd -f your-slapd.conf -F
your-already-existing-empty-configuration-dir"

> That would help me more than the rest of these questions.
> * Do I want to include LDIF schema files, or SCHEMA schema files, or both?

See above

> * Which format do I use below: A or B?
> A) include /usr/share/openldap/schema/core.schema
> B) olcInclude /usr/share/openldap/schema/core.schema
> Or is *this* correct?
> C) include: file:///usr/local/etc/openldap/schema/core.ldif

See above

> * What is the difference between the attributeTypes/objectClasses in
> the *.schema files and the olcAttributeTypes/olcObjectClasses in the
> *.ldif files? What was the point in renaming them? To cut down on
> confusion? (I dare say it didn't.)

See above

> * Do I still need an ldap.conf file?

ldap.conf never had anything to do with slapd, nor does it start now (with a
__big__ exception: client-side features of slapd, like
back-ldap/back-meta and slurpd/syncrepl always used and still use
ldap.conf for SSL-related settings; there is work in this area to
streamline things).

> * Are the following still correct?
> pidfile /var/run/ldap/slapd.pid
> argsfile /var/run/ldap/slapd.args
> modulepath /usr/lib/openldap
> pam_ldap

pam_ldap has never been a valid slapd.conf directive

> sasl-host ldap.2012.vi
> TLSRandFile /dev/random
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/ssl/openldap/ldap.pem
> TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
> TLSCACertificatePath /etc/ssl/openldap/
> TLSCACertificateFile /etc/ssl/cacert.pem
> TLSCACertificateFile /etc/ssl/openldap/ldap.pem
> TLSVerifyClient demand # ([never]|allow|try|demand)

A hash mark ('#') followed by text is interpreted as an argument to the
command that starts the line, not as a comment (as I assume you mean it).

> loglevel 256
> database bdb
> suffix "dc=2012,dc=vi"
> rootdn "cn=admin,dc=2012,dc=vi"
> directory /var/lib/ldap
> index objectClass eq,pres
> access: to dn.base="/var/lib/ldap" by root read

No colon (':') after "access" is allowed in the "access" access control
directive.

> database monitor

The above seems to be a collection of partially incorrect slapd.conf
statements. Provided you fix what's wrong, it should be fine to
generate the cn=config database following the indications above. Note that
you don't have to generate the cn=config database unless you intend to
use it, and I suggest you don't until you understand all the
implications and its general usefulness. From your message, it appears
you didn't understand it yet, and you got the false perception that the
traditional way of configuring slapd is no longer valid, which is
absolutely not true.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
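As an added example, not code from the list post or from the OpenLDAP project: a small POSIX shell script that checks a slapd.conf for the three mistakes the reply points out (a mid-line '#' that slapd reads as an argument, the colon after "access", and the non-existent pam_ldap directive) and only then generates the cn=config directory from it with the -f/-F conversion the reply describes. The sample configuration fragments are constructed from the posted lines, the file names and slapd.d path are assumptions, the lint patterns are simple line heuristics, and slaptest is used rather than slapd because it performs the same -f/-F conversion without starting the daemon.

```shell
#!/bin/sh
# Added example, not from the list post or the OpenLDAP project.
# Lints a slapd.conf for the three mistakes the reply calls out, then
# generates the cn=config (slapd.d) database from it. File names and
# the lint heuristics are assumptions.

# Constructed sample: the posted fragment with the three errors intact.
write_posted_conf() {
    cat > "$1" <<'EOF'
modulepath /usr/lib/openldap
pam_ldap
TLSVerifyClient demand # ([never]|allow|try|demand)
access: to dn.base="/var/lib/ldap" by root read
database monitor
EOF
}

# Constructed sample: the same fragment with the errors fixed.
write_fixed_conf() {
    cat > "$1" <<'EOF'
modulepath /usr/lib/openldap
# TLSVerifyClient takes one of: never | allow | try | demand
TLSVerifyClient demand
access to dn.base="/var/lib/ldap" by root read
database monitor
EOF
}

# lint_slapd_conf FILE: print each offending line with advice; return 1 if any.
lint_slapd_conf() {
    f=$1
    rc=0
    # Only a line that starts with '#' is a comment; a '#' later on the
    # line is handed to the directive as one more argument.
    if grep -n '^[^#].*[[:space:]]#' "$f"; then
        echo "  -> '#' after a directive is an argument; put the comment on its own line"
        rc=1
    fi
    # The ACL directive is "access to ...", with no colon.
    if grep -n '^access:' "$f"; then
        echo "  -> drop the colon: access to <what> by <who> <level>"
        rc=1
    fi
    # pam_ldap is not a slapd.conf directive at all.
    if grep -n '^pam_ldap' "$f"; then
        echo "  -> pam_ldap is not a slapd.conf directive; remove it"
        rc=1
    fi
    return $rc
}

# convert_to_cn_config CONF DIR: lint first, then generate slapd.d into an
# empty DIR. slaptest -f/-F performs the same conversion as slapd -f/-F
# without starting the daemon. Returns 1 on lint failure, 2 if DIR is not
# empty, 3 if slaptest is not installed; otherwise slaptest's own status.
convert_to_cn_config() {
    conf=$1
    dir=$2
    lint_slapd_conf "$conf" || return 1
    mkdir -p "$dir"
    if [ -n "$(ls -A "$dir")" ]; then
        echo "refusing: $dir is not empty; cn=config must be generated into an empty slapd.d" >&2
        return 2
    fi
    if ! command -v slaptest >/dev/null 2>&1; then
        echo "slaptest not found; would run: slaptest -f $conf -F $dir" >&2
        return 3
    fi
    slaptest -f "$conf" -F "$dir"
}

# Stand-alone run: `sh this_script.sh demo`
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    write_posted_conf "$work/posted.conf"
    write_fixed_conf "$work/fixed.conf"
    echo "== posted.conf"; lint_slapd_conf "$work/posted.conf" || echo "(fix the above first)"
    echo "== fixed.conf";  lint_slapd_conf "$work/fixed.conf" && echo "clean"
    convert_to_cn_config "$work/fixed.conf" "$work/slapd.d" && ls "$work/slapd.d"
fi
```

The lint runs before anything touches slapd.d because, as the reply notes, a broken slapd.conf is converted as-is; the directory check enforces the "already-existing-empty-configuration-dir" requirement from the reply so a partial earlier conversion is never silently overwritten.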