OpenLDAP Server - Gentoo wiki
You can view its source [e]" accesskey="e">View source</a></li><li class="dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false">more <span class="caret"></span></a> <ul class="dropdown-menu" role="menu"> <li id="ca-history"><a href="/index.php?title=OpenLDAP_Server&action=history" title="Past revisions of this page [h]" accesskey="h">History</a></li> </ul> </li> </ul> </div> </div></div> </nav> </header> <div class="container"> <div class="row"> <div class="col-md-12"> <div id="content" class="mw-body" role="main"> <a id="top"></a> <h1 id="firstHeading" class="first-header" lang="en"> <span dir="auto">OpenLDAP Server</span> </h1> <div id="bodyContent" class="mw-body-content"> <div id="siteSub">From Gentoo Wiki</div> <div id="contentSub"> </div> <div id="jump-to-nav"></div> <a class="mw-jump-link" href="#mw-head">Jump to:navigation</a> <a class="mw-jump-link" href="#searchInput">Jump to:search</a> <div id="mw-content-text" lang="en" dir="ltr" class="mw-content-ltr"><div class="mw-parser-output"><p><i>OpenLDAP</i> is a free implementation of the X.500 directory service standards. LDAP stands for <i>Lightweight Directory Access Protocol</i>. The <i>lightweight</i> part comes from the fact it does not implement ALL of the standard. X.500 is quite unwieldy, and much of it has been superseded (e.g. the OSI networking stack) or considered impractical (e.g. such as canonical per entry Distinguished Names) or undesirable (e.g. publishing directories of private entities like businesses). 
</p> <div id="toc" class="toc" role="navigation" aria-labelledby="mw-toc-heading"><input type="checkbox" role="button" id="toctogglecheckbox" class="toctogglecheckbox" style="display:none" /><div class="toctitle" lang="en" dir="ltr"><h2 id="mw-toc-heading">Contents</h2><span class="toctogglespan"><label class="toctogglelabel" for="toctogglecheckbox"></label></span></div> <ul> <li class="toclevel-1 tocsection-1"><a href="#Introduction_to_LDAP"><span class="tocnumber">1</span> <span class="toctext">Introduction to LDAP</span></a></li> <li class="toclevel-1 tocsection-2"><a href="#Installing_OpenLDAP"><span class="tocnumber">2</span> <span class="toctext">Installing OpenLDAP</span></a></li> <li class="toclevel-1 tocsection-3"><a href="#Introduction_to_LDIF_files"><span class="tocnumber">3</span> <span class="toctext">Introduction to LDIF files</span></a> <ul> <li class="toclevel-2 tocsection-4"><a href="#Add_operation"><span class="tocnumber">3.1</span> <span class="toctext">Add operation</span></a></li> <li class="toclevel-2 tocsection-5"><a href="#Delete_operation"><span class="tocnumber">3.2</span> <span class="toctext">Delete operation</span></a></li> <li class="toclevel-2 tocsection-6"><a href="#Modify_operation"><span class="tocnumber">3.3</span> <span class="toctext">Modify operation</span></a> <ul> <li class="toclevel-3 tocsection-7"><a href="#Add_Attribute"><span class="tocnumber">3.3.1</span> <span class="toctext">Add Attribute</span></a></li> <li class="toclevel-3 tocsection-8"><a href="#Delete_Attribute"><span class="tocnumber">3.3.2</span> <span class="toctext">Delete Attribute</span></a></li> <li class="toclevel-3 tocsection-9"><a href="#Replace_Attribute"><span class="tocnumber">3.3.3</span> <span class="toctext">Replace Attribute</span></a></li> <li class="toclevel-3 tocsection-10"><a href="#Modify_multiple_attributes_on_a_single_DN"><span class="tocnumber">3.3.4</span> <span class="toctext">Modify multiple attributes on a single DN</span></a></li> 
</ul> </li> <li class="toclevel-2 tocsection-11"><a href="#Rename_.28modrdn.29"><span class="tocnumber">3.4</span> <span class="toctext">Rename (modrdn)</span></a></li> <li class="toclevel-2 tocsection-12"><a href="#Move_.28moddn.29"><span class="tocnumber">3.5</span> <span class="toctext">Move (moddn)</span></a></li> </ul> </li> <li class="toclevel-1 tocsection-13"><a href="#LDAP_hierarchy_and_searches"><span class="tocnumber">4</span> <span class="toctext">LDAP hierarchy and searches</span></a></li> <li class="toclevel-1 tocsection-14"><a href="#Configuring_OpenLDAP"><span class="tocnumber">5</span> <span class="toctext">Configuring OpenLDAP</span></a> <ul> <li class="toclevel-2 tocsection-15"><a href="#Quick_Start"><span class="tocnumber">5.1</span> <span class="toctext">Quick Start</span></a></li> <li class="toclevel-2 tocsection-16"><a href="#Starting_the_slapd_daemon"><span class="tocnumber">5.2</span> <span class="toctext">Starting the slapd daemon</span></a> <ul> <li class="toclevel-3 tocsection-17"><a href="#OpenRC"><span class="tocnumber">5.2.1</span> <span class="toctext">OpenRC</span></a></li> <li class="toclevel-3 tocsection-18"><a href="#Systemd"><span class="tocnumber">5.2.2</span> <span class="toctext">Systemd</span></a></li> </ul> </li> <li class="toclevel-2 tocsection-19"><a href="#Schemas"><span class="tocnumber">5.3</span> <span class="toctext">Schemas</span></a> <ul> <li class="toclevel-3 tocsection-20"><a href="#Add_a_schema"><span class="tocnumber">5.3.1</span> <span class="toctext">Add a schema</span></a></li> <li class="toclevel-3 tocsection-21"><a href="#Convert_a_.schema_file_to_LDIF"><span class="tocnumber">5.3.2</span> <span class="toctext">Convert a .schema file to LDIF</span></a></li> </ul> </li> <li class="toclevel-2 tocsection-22"><a href="#Modules"><span class="tocnumber">5.4</span> <span class="toctext">Modules</span></a></li> <li class="toclevel-2 tocsection-23"><a href="#Security"><span class="tocnumber">5.5</span> <span 
class="toctext">Security</span></a> <ul> <li class="toclevel-3 tocsection-24"><a href="#TLS"><span class="tocnumber">5.5.1</span> <span class="toctext">TLS</span></a></li> <li class="toclevel-3 tocsection-25"><a href="#Kerberos"><span class="tocnumber">5.5.2</span> <span class="toctext">Kerberos</span></a> <ul> <li class="toclevel-4 tocsection-26"><a href="#OpenRC_2"><span class="tocnumber">5.5.2.1</span> <span class="toctext">OpenRC</span></a></li> <li class="toclevel-4 tocsection-27"><a href="#Systemd_2"><span class="tocnumber">5.5.2.2</span> <span class="toctext">Systemd</span></a></li> </ul> </li> <li class="toclevel-3 tocsection-28"><a href="#Enforce_encryption"><span class="tocnumber">5.5.3</span> <span class="toctext">Enforce encryption</span></a></li> <li class="toclevel-3 tocsection-29"><a href="#Access_Control"><span class="tocnumber">5.5.4</span> <span class="toctext">Access Control</span></a></li> <li class="toclevel-3 tocsection-30"><a href="#Limits"><span class="tocnumber">5.5.5</span> <span class="toctext">Limits</span></a></li> <li class="toclevel-3 tocsection-31"><a href="#Remote_RootDN_access"><span class="tocnumber">5.5.6</span> <span class="toctext">Remote RootDN access</span></a></li> </ul> </li> <li class="toclevel-2 tocsection-32"><a href="#Replication"><span class="tocnumber">5.6</span> <span class="toctext">Replication</span></a> <ul> <li class="toclevel-3 tocsection-33"><a href="#Replication_considerations"><span class="tocnumber">5.6.1</span> <span class="toctext">Replication considerations</span></a></li> <li class="toclevel-3 tocsection-34"><a href="#Preparing_the_producer_for_delta-syncrepl_.28Optional.29"><span class="tocnumber">5.6.2</span> <span class="toctext">Preparing the producer for delta-syncrepl (Optional)</span></a></li> <li class="toclevel-3 tocsection-35"><a href="#Mirroring_configuration"><span class="tocnumber">5.6.3</span> <span class="toctext">Mirroring configuration</span></a></li> <li class="toclevel-3 
tocsection-36"><a href="#Read-only_replicas_configuration"><span class="tocnumber">5.6.4</span> <span class="toctext">Read-only replicas configuration</span></a></li> </ul> </li> </ul> </li> <li class="toclevel-1 tocsection-37"><a href="#Populating_the_directory"><span class="tocnumber">6</span> <span class="toctext">Populating the directory</span></a> <ul> <li class="toclevel-2 tocsection-38"><a href="#Populating_the_directory_via_creation"><span class="tocnumber">6.1</span> <span class="toctext">Populating the directory via creation</span></a></li> <li class="toclevel-2 tocsection-39"><a href="#Populating_the_directory_via_import"><span class="tocnumber">6.2</span> <span class="toctext">Populating the directory via import</span></a></li> </ul> </li> <li class="toclevel-1 tocsection-40"><a href="#Adminstration"><span class="tocnumber">7</span> <span class="toctext">Adminstration</span></a> <ul> <li class="toclevel-2 tocsection-41"><a href="#Backing_up_the_database"><span class="tocnumber">7.1</span> <span class="toctext">Backing up the database</span></a></li> <li class="toclevel-2 tocsection-42"><a href="#Clearing_all_schemas"><span class="tocnumber">7.2</span> <span class="toctext">Clearing all schemas</span></a></li> <li class="toclevel-2 tocsection-43"><a href="#Open_file_limits"><span class="tocnumber">7.3</span> <span class="toctext">Open file limits</span></a> <ul> <li class="toclevel-3 tocsection-44"><a href="#OpenRC_3"><span class="tocnumber">7.3.1</span> <span class="toctext">OpenRC</span></a></li> <li class="toclevel-3 tocsection-45"><a href="#Systemd_3"><span class="tocnumber">7.3.2</span> <span class="toctext">Systemd</span></a></li> </ul> </li> </ul> </li> <li class="toclevel-1 tocsection-46"><a href="#Troubleshooting"><span class="tocnumber">8</span> <span class="toctext">Troubleshooting</span></a> <ul> <li class="toclevel-2 tocsection-47"><a href="#Turning_up_the_log_level"><span class="tocnumber">8.1</span> <span class="toctext">Turning up the log 
level</span></a></li> </ul> </li> <li class="toclevel-1 tocsection-48"><a href="#See_also"><span class="tocnumber">9</span> <span class="toctext">See also</span></a></li> </ul> </div> <h2><span class="mw-headline" id="Introduction_to_LDAP">Introduction to LDAP</span></h2> <p>LDAP is a directory service. It is similar to a database but with different aims. LDAP is a hierarchical database, optimized for reading and replication. It does not have the same <a rel="nofollow" class="external text" href="https://en.wikipedia.org/wiki/ACID">ACID</a> properties as a standard database. </p><p>An LDAP database consists of <i>branches</i> called <b>Distinguished Names</b> or <b>DN</b>s. Example distinguished names are <i>uid=johnsmith,ou=people,dc=example,dc=com</i> and <i>olcDatabase=config,cn=config</i>. Each DN may have additional <i>branches</i>, i.e. further distinguished names beneath it. So for the DN <i>ou=people,dc=example,dc=com</i>, it is possible to create a new branch, called <i>uid=johnsmith</i>, and thus a new DN. A DN can also have attributes. What these attributes mean is defined in a <b>schema</b>. Schemas define: </p> <ul><li>The <a rel="nofollow" class="external text" href="https://en.wikipedia.org/wiki/Object_identifier">Object Identifier</a> (OID) of the attribute (every attribute has a unique OID)</li> <li>Matching rules (like case sensitivity)</li> <li>Syntax of the attribute (like its type)</li> <li>Whether the attribute is single-valued or multi-valued</li> <li>One special attribute is the <i>objectClass</i>. For object classes, schemas define: <ul><li>Whether the class is STRUCTURAL or AUXILIARY. A DN must have exactly one STRUCTURAL object class, and zero or more AUXILIARY object classes.</li> <li>Which object classes it derives from</li> <li>Required attributes for the DN.</li> <li>Optional attributes for the DN.</li></ul></li></ul> <h2><span class="mw-headline" id="Installing_OpenLDAP">Installing OpenLDAP</span></h2> <p>Before installing OpenLDAP, some USE flags need to be set or cleared first. 
</p><p class="mw-empty-elt"> </p><div class="panel panel-default gp-panel"> <div class="panel-heading gp-panel-heading"> <h3 class="panel-title"> <span class="text-muted">USE flags for</span> <a href="https://packages.gentoo.org/packages/net-nds/openldap">net-nds/openldap</a> <small><span class="fa fa-external-link-square"></span></small> <small class="gp-pkg-desc">LDAP suite of application and development tools</small> </h3> </div> <div class="table-responsive gp-useflag-table-container"> <table class="table gp-useflag-table"> <tbody><tr> <td> <code><a href="https://packages.gentoo.org/useflags/+cleartext">+cleartext</a></code> </td> <td> Enable use of cleartext passwords </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/+syslog">+syslog</a></code> </td> <td> Enable support for syslog </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/argon2">argon2</a></code> </td> <td> Enable password hashing algorithm from app-crypt/argon2 </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/autoca">autoca</a></code> </td> <td> Automatic Certificate Authority overlay </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/crypt">crypt</a></code> </td> <td> Add support for encryption -- using mcrypt or gpg where applicable </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/cxx">cxx</a></code> </td> <td> Build support for C++ (bindings, extra libraries, code generation, ...) </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/debug">debug</a></code> </td> <td> Enable extra debug codepaths, like asserts and extra output. 
If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/experimental">experimental</a></code> </td> <td> Enable experimental backend options </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/gnutls">gnutls</a></code> </td> <td> Prefer net-libs/gnutls as SSL/TLS provider (ineffective with USE=-ssl) </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/iodbc">iodbc</a></code> </td> <td> Add support for iODBC library </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/ipv6">ipv6</a></code> </td> <td> Add support for IP version 6 </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/kerberos">kerberos</a></code> </td> <td> Add kerberos support </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/kinit">kinit</a></code> </td> <td> Enable support for kerberos init </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/minimal">minimal</a></code> </td> <td> Build libraries & userspace tools only. 
Does not install any server code </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/odbc">odbc</a></code> </td> <td> Enable ODBC and SQL backend options </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/overlays">overlays</a></code> </td> <td> Enable contributed OpenLDAP overlays </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/pbkdf2">pbkdf2</a></code> </td> <td> Enable support for pbkdf2 passwords </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/perl">perl</a></code> </td> <td> Add optional support/bindings for the Perl language </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/samba">samba</a></code> </td> <td> Add support for SAMBA (Windows File and Printer sharing) </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/sasl">sasl</a></code> </td> <td> Add support for the Simple Authentication and Security Layer </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/selinux">selinux</a></code> </td> <td> !!internal use only!! 
Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/sha2">sha2</a></code> </td> <td> Enable support for pw-sha2 password hashes </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/smbkrb5passwd">smbkrb5passwd</a></code> </td> <td> Enable overlay for syncing ldap, unix and lanman passwords </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/ssl">ssl</a></code> </td> <td> Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security) </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/static-libs">static-libs</a></code> </td> <td> Build static versions of dynamic libraries as well </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/systemd">systemd</a></code> </td> <td> Enable use of systemd-specific libraries and features like socket activation or session tracking </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/tcpd">tcpd</a></code> </td> <td> Add support for TCP wrappers </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/test">test</a></code> </td> <td> Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) </td> </tr> <tr> <td> <code><a href="https://packages.gentoo.org/useflags/verify-sig">verify-sig</a></code> </td> <td> Verify upstream signatures on distfiles </td> </tr> </tbody></table> </div> <div class="panel-footer gp-panel-footer"> <small class="pull-right"> Data provided by the <a href="https://packages.gentoo.org">Gentoo Package Database</a> · Last update: 2025-02-18 04:05 </small> <small> <a href="/wiki/Handbook:AMD64/Working/USE">More information about USE flags</a> </small> </div> </div> <p class="mw-empty-elt"></p><p>On most profiles the <span style="font-family: monospace; font-size: 95%; color: 
MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the minimal USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/minimal"><span style="color: MidnightBlue;">minimal</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> USE flag is set, which disables installation of the server and supporting files. The <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the sasl USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/sasl"><span style="color: MidnightBlue;">sasl</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> USE flag is recommended for all users, and required for Kerberos users (in addition to the <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the kerberos USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/kerberos"><span style="color: MidnightBlue;">kerberos</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> flag). 
</p><p>The <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the debug USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/debug"><span style="color: MidnightBlue;">debug</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> USE flag is virtually required for OpenLDAP servers - without it the server produces no output (diagnostic or otherwise) at all in the syslog and the <b>olcLogLevel</b> option has little effect (except for stats), which makes it difficult to troubleshoot. This is unlike most other packages that use the flag, where it should normally be turned off. </p><p>Set the desired flags in <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/portage/package.use/openldap</span>, for example: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/portage/package.use/openldap</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>net-nds/openldap debug -minimal overlays sasl </pre></div> <p>Once installed, there are two sets of utilities: the <i>ldap</i> ones and the <i>slap</i> ones. The <i>ldap</i> ones run against a running LDAP server, whereas the <i>slap</i> ones operate offline on the server database directly. </p> <h2><span class="mw-headline" id="Introduction_to_LDIF_files">Introduction to LDIF files</span></h2> <p>OpenLDAP uses directory entries itself for configuration, so it is necessary to use LDIF for bootstrapping. The initial configuration is created as an LDIF file and loaded on the server with <b>slapadd</b>. 
Once the server is running, the <b>ldapadd</b> and <b>ldapmodify</b> utilities can be used to make further changes. If the server is unable to start, <b>slapmodify</b> can be used to load LDIF files to fix it. </p><p>An LDIF file is a plain text file with a particular format. Distinguished names have 5 operations defined on them: <i>add</i>, <i>delete</i>, <i>modify</i>, rename (<i>modrdn</i>), and move (<i>moddn</i>). </p><p>An LDIF file looks like this: </p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Sample LDIF file</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: uid=ebunny,ou=people,dc=example,dc=com changetype: add objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount sn:: QnU6bm55Cg== cn: ebunny cn: Easter Bunny # This is a comment uid: ebunny uidNumber: 20000 gidNumber: 20000 homeDirectory: /home/ebunny loginShell: /bin/bash gecos: This is a story about a man named Bunny jpegPhoto:< file:///root/ebunny.jpg dn: uid=ebunny,ou=people,dc=example,dc=com changetype: modify replace: sn sn: bunny - delete: jpegPhoto dn: uid=sclaus,ou=people,dc=example,dc=com changetype: delete </pre></div></div> <p>Note the following things: </p> <ul><li>Multiple operations can be done in an LDIF file.</li> <li>All LDIF entries start with "dn: " followed by the DN of the entry to operate on.</li> <li>The next line is the modification operation requested on the DN.</li> <li>For the <i>modify</i> operation, either <i>add</i>, <i>replace</i>, or <i>delete</i> must be specified.</li> <li>Multiple attributes may be updated in a single <i>modify</i> operation.</li> <li>Multi-valued attributes may be specified multiple times.</li> <li>Binary (base64-encoded) attributes can be added by suffixing another colon to the end of <i>attribute</i>:.</li> <li>Files may be used as attribute values by suffixing a &lt; to the end of <i>attribute</i>:.</li> 
<li>LDIF lines may be continued onto the next line by starting the continuation line with a single space.</li> <li>Comments are started by a # in column 1.</li></ul> <h3><span class="mw-headline" id="Add_operation">Add operation</span></h3> <p>To add a DN, start the entry with "dn: " followed by the DN to add. The next line must be "changetype: add". On each additional line, specify the attributes to add along with their values in the format <i>attribute</i>: <i>value</i>. The <i>add</i> operation will fail if the DN already exists. </p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Add a DN</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: uid=ebunny,ou=people,dc=example,dc=com changetype: add objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount sn: bunny cn: ebunny cn: Easter Bunny uid: ebunny uidNumber: 20000 gidNumber: 20000 homeDirectory: /home/ebunny loginShell: /bin/bash gecos: Easter Bunny </pre></div></div> <p>Process the file with <b>ldapmodify</b>/<b>slapmodify</b>: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f filename.ldif</code></div></div> <p>If the file contains only <i>add</i> operations, the <b>ldapadd</b>/<b>slapadd</b> utilities may be used instead. In that case, the <i>changetype: add</i> lines are optional. </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapadd -H ldapi:/// -Y EXTERNAL -f filename.ldif</code></div></div> <h3><span class="mw-headline" id="Delete_operation">Delete operation</span></h3> <p>To delete a DN, start the entry with "dn: " followed by the DN to delete. The next line must be "changetype: delete". 
The <i>delete</i> operation will fail if the DN does not exist. </p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Delete a DN</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: uid=ebunny,ou=people,dc=example,dc=com changetype: delete </pre></div></div> <p>Only "leaf" DNs (entries with no children) can be deleted. Process the file with <b>ldapmodify</b>/<b>slapmodify</b>: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:// -Y EXTERNAL -f filename.ldif</code></div></div> <p>The DN can also be deleted directly using the <b>ldapdelete</b> command: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapdelete -H ldapi:// -Y EXTERNAL uid=ebunny,ou=people,dc=example,dc=com</code></div></div> <h3><span class="mw-headline" id="Modify_operation">Modify operation</span></h3> <p>To modify a DN, start the entry with "dn: " followed by the DN to modify. The next line must be "changetype: modify". There are 3 sub-operations for <i>modify</i>, each with its own syntax. </p><p>Process the file with <b>ldapmodify</b>/<b>slapmodify</b>: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:// -Y EXTERNAL -f filename.ldif</code></div></div> <h4><span class="mw-headline" id="Add_Attribute">Add Attribute</span></h4> <p>To add an attribute to a DN, the next line should be "add: " followed by the attribute name to add. The next line is in the format <i>attribute</i>: <i>value</i>. Multi-valued attributes may be specified multiple times, once for each value. If the attribute doesn't exist, it's created. 
If it already exists and it's multi-valued, an additional value is added. If it already exists and it's not multi-valued, the operation fails. </p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Add an attribute</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcLimits olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited </pre></div></div> <h4><span class="mw-headline" id="Delete_Attribute">Delete Attribute</span></h4> <p>To delete an attribute from a DN, the next line should be "delete: " followed by the attribute name to delete. If the attribute is multi-valued, ALL values are deleted. The operation fails if the attribute does not exist. </p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Delete an attribute</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify delete: olcRootPW </pre></div></div> <h4><span class="mw-headline" id="Replace_Attribute">Replace Attribute</span></h4> <p>To replace an attribute for a DN, the next line should be "replace: " followed by the attribute name to replace. The next line is in the format <i>attribute</i>: <i>value</i>. The <i>attribute</i>: <i>value</i> may be specified multiple times but the <i>attribute</i> must be the same. If the attribute is multi-valued, ALL values are replaced. If the attribute does not exist, it is created. If multiple values are added to a non-multi-valued attribute, the operation fails. 
</p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Replace an attribute</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcAccess olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by dn.exact="cn=replicator,dc=example,dc=com" read by * break olcAccess: to attrs=userPassword by self write by anonymous auth by * none olcAccess: to * by * read </pre></div></div> <div class="alert alert-info gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-sticky-note-o fa-rotate-180"></i> Note</strong><br />The <i>replace</i> operation is NOT atomic. If an attribute needs to be atomically replaced, do a <i>delete</i> then an <i>add</i> in the same <i>modify</i> statement instead using the section below</div> <h4><span class="mw-headline" id="Modify_multiple_attributes_on_a_single_DN">Modify multiple attributes on a single DN</span></h4> <p>A <i>modifiy</i> operation may change several attributes in a single statement. 
Separate each attribute change on the DN with a dash (-) on its own line: </p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Modify multiple attributes on a single DN</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcAccess olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by dn.exact="cn=replicator,dc=example,dc=com" read olcAccess: to attrs=userPassword by self write by anonymous auth by * none olcAccess: to * by * read - add: olcLimits olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited - delete: olcRootPW </pre></div></div> <p>Note that this is a little different from 3 separate <i>modify</i> operations: they must all succeed, or none do. </p> <h3><span id="Rename_(modrdn)"></span><span class="mw-headline" id="Rename_.28modrdn.29">Rename (modrdn)</span></h3> <p>To rename a DN, start the entry with "dn: " followed by the DN to rename. The next line must be "changetype: modrdn" (stands for Modify Relative DN). On the line after, specify "newrdn: " and the new name. On the next line, specify "deleteoldrdn: " and either 0 or 1; 0 keeps the old entry as an alias, 1 does not. 
</p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Rename a DN</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: ou=people,dc=example,dc=com changetype: modrdn newrdn: ou=aliens deleteoldrdn: 1 </pre></div></div> <p>Process the file with <b>ldapmodify</b> (none of the backends currently implement the <i>modrdn</i> operation for <b>slapmodify</b>): </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f filename.ldif</code></div></div> <p>The DN can also be renamed directly using the <b>ldapmodrdn</b> utility: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodrdn -H ldapi:/// -Y EXTERNAL ou=people,dc=example,dc=com ou=aliens</code></div></div> <h3><span id="Move_(moddn)"></span><span class="mw-headline" id="Move_.28moddn.29">Move (moddn)</span></h3> <p>To move a DN, start the entry with "dn: " followed by the DN to move. The next line must be "changetype: moddn" (stands for Modify DN). On the line after, specify "newsuperior: " and the new DN to place this DN under, pruning one part of the tree and grafting it onto another. On the next line, specify "deleteoldrdn: " and either 0 or 1; 0 keeps the old entry as an alias, 1 does not. 
</p> <div class="gw-box"><div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #204A87">CODE</span> <strong>Move a DN</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: uid=ebunny,ou=people,dc=example,dc=com changetype: moddn newsuperior: ou=animals,dc=example,dc=com deleteoldrdn: 1 </pre></div></div> <p>Process the file with <b>ldapmodify</b>/<b>slapmodify</b>: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:// -Y EXTERNAL -f filename.ldif</code></div></div> <h2><span class="mw-headline" id="LDAP_hierarchy_and_searches">LDAP hierarchy and searches</span></h2> <p>LDAP directories are hierarchical. The OU (organizational unit) is typically used to divide up the directory, and an OU can have other OUs under it. Each OU can have its own attribute/value pairs. An OU typically represents a "resource type" or "administrative division". For the "resource" case, "People" (ou=People,dc=example,dc=com) represents one resource of an organization, "Hosts" (ou=Hosts,dc=example,dc=com) is another resource. For the "administrative division" case, the People OU could be further divided into OUs geographically (like ou=EMEA,ou=People,dc=example,dc=com) or by divisions of the company (ou=Accounting,ou=People,dc=example,dc=com). OUs may be nested and are limited only by the length of the DN (255 characters). </p><p>LDAP searches are done with filters. The filter language is quite extensive: see the <a rel="nofollow" class="external text" href="//ldap.com/ldap-filters/">tutorials of the LDAP filter language</a> or consult <a rel="nofollow" class="external text" href="//docs.ldap.com/specs/rfc4515.txt">RFC4515</a>. Normally admins do not need to write complicated filters; however, the filters used by applications will be shown in the logs and are useful for debugging. 
</p><p>Note that while LDAP is hierarchical, the data may not be used that way. For example, <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the sys-auth/sssd package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/sys-auth/sssd"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">sys-auth/sssd</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70%;" class="fa fa-hdd-o fa-fw"></span></span> searches the entire directory for a user. If that user exists in multiple OUs, the search will return the union of them all, no matter where in the directory they are. On the other hand, when sudo checks LDAP, it restricts its search to its own OU. </p> <div class="alert alert-danger gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-exclamation-triangle"></i> Warning</strong><br />An OU cannot be relied on to be a "container". Depending on the search base used by the application - which may be the entire directory - a search can return data from multiple OUs. In particular, you cannot have a DN or attribute value that the client expects to be unique (like a username or UID) in different OUs under the same search base, even though it's valid and the LDAP server allows it.</div> <p>LDAP searches are unordered: the server may return the results in whatever order it pleases, and the order need not be consistent between searches. Sorting must be done by the client. </p> <h2><span class="mw-headline" id="Configuring_OpenLDAP">Configuring OpenLDAP</span></h2> <p>Once OpenLDAP is installed with the correct USE flags, the server must be configured. </p> <h3><span class="mw-headline" id="Quick_Start">Quick Start</span></h3> <p>Neither the configuration and LDIF files bundled with OpenLDAP nor the OpenLDAP Quick Start are suitable for a Gentoo installation. Instead, use the following file. 
Call it <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">slapd.ldif.in</span> </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">slapd.ldif.in</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span># Config DN dn: cn=config objectClass: olcGlobal cn: config # Gentoo locations of files olcArgsFile: /run/openldap/slapd.args olcPidFile: /run/openldap/slapd.pid # Basic logging olcLogLevel: 768 # Schema DN dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema # Include core schema include: file:///etc/openldap/schema/core.ldif # Database frontend DN. Any option listed here affects ALL LDAP databases dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig olcDatabase: frontend # Config database DN dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * none # Monitoring database DN dn: olcDatabase=monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: monitor olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" read by dn.base="cn=Manager,${MY_DOMAIN_DC}" read by * none # Database DN for organization directory info dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb # Default database size. If needed, uncomment and increase. 
#olcDbMaxSize: 1073741824 olcSuffix: ${MY_DOMAIN_DC} olcDbDirectory: /var/lib/openldap-data olcRootDN: cn=Manager,${MY_DOMAIN_DC} olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * break olcAccess: to attrs=userPassword by self write by anonymous auth by * none olcAccess: to * by * read olcLimits: dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited </pre></div> <p>Run the following command, replacing <b>dc=example,dc=com</b> with your domain component information. Note that the final <b>olcAccess</b> rule of the mdb database (<i>to * by * read</i>) lets any client, including anonymous ones, read every attribute other than <i>userPassword</i>; tighten it if the directory should not be world-readable. </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed s/\${MY_DOMAIN_DC}/dc=example,dc=com/g < slapd.ldif.in > slapd.ldif</code></div></div> <p>Create, populate and set the permissions of the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/slapd.d</span> directory: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>( umask 077 && mkdir /etc/openldap/slapd.d ) </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>slapadd -n 0 -l slapd.ldif -F /etc/openldap/slapd.d </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>chown -R ldap:ldap /etc/openldap/slapd.d</code></div></div> <h3><span class="mw-headline" id="Starting_the_slapd_daemon">Starting the slapd daemon</span></h3> <h4><span class="mw-headline" id="OpenRC">OpenRC</span></h4> <p>Edit <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 
600;">/etc/conf.d/slapd</span> as follows </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/conf.d/slapd</code></strong><strong>(Excerpt)</strong></div> <div class="mw-highlight mw-highlight-lang-bash mw-content-ltr" dir="ltr"><pre><span></span><span class="c1"># Comment this line to disable the old slapd.conf file</span> <span class="c1">#OPTS_CONF="-f /etc/${INSTANCE}/slapd.conf"</span> <span class="c1"># Uncomment this to use the new slapd.d configuration directory</span> <span class="nv">OPTS_CONF</span><span class="o">=</span><span class="s2">"-F /etc/</span><span class="si">${</span><span class="nv">INSTANCE</span><span class="si">}</span><span class="s2">/slapd.d"</span> </pre></div> <p>Note that OpenRC places the <i>ldapi</i> socket file in a nonstandard place. So change any instances of <b>ldapi:///</b> to <b>ldapi://%2frun%2fopenldap%2fslapd.sock</b> in the subsequent instructions. 
</p><p>Then enable and start the daemon: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>rc-config add slapd default </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>rc-service slapd start</code></div></div> <h4><span class="mw-headline" id="Systemd">Systemd</span></h4> <p>Edit <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/systemd/system/slapd.service.d/00gentoo.conf</span> as follows: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/systemd/system/slapd.service.d/00gentoo.conf</code></strong><strong>(Excerpt)</strong></div> <div class="mw-highlight mw-highlight-lang-bash mw-content-ltr" dir="ltr"><pre><span></span><span class="c1"># Use the classical configuration file:</span> <span class="c1">#Environment="SLAPD_OPTIONS=-f /etc/openldap/slapd.conf"</span> <span class="c1"># Use the slapd configuration directory:</span> <span class="nv">Environment</span><span class="o">=</span><span class="s2">"SLAPD_OPTIONS=-F /etc/openldap/slapd.d"</span> </pre></div> <p>Then enable and start the daemon: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>systemctl enable --now slapd</code></div></div> <h3><span class="mw-headline" id="Schemas">Schemas</span></h3> <p>One schema is required: the core schema. Without it, no entries can be added to the directory. Additional schemas are usually required. Some schemas have dependencies on other schemas. In that case, all the schemas to be added must be included in the same LDIF file. 
</p> <h4><span class="mw-headline" id="Add_a_schema">Add a schema</span></h4> <p>To add a schema, create an LDIF file with an "include: " statement for each schema to be added, along with its dependencies. </p><p>For example, the <b>nis</b> schema depends on the <b>cosine</b> schema, so both need to be included, starting with the dependencies: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">addschema.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>include: file:///etc/openldap/schema/cosine.ldif include: file:///etc/openldap/schema/nis.ldif </pre></div> <p>Then add it to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapadd -H ldapi:/// -Y EXTERNAL -f addschema.ldif</code></div></div> <div class="alert alert-danger gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-exclamation-triangle"></i> Warning</strong><br />Schemas cannot be removed while the server is online. Removing schemas usually results in disastrous consequences, so it's not something to take lightly!</div> <h4><span class="mw-headline" id="Convert_a_.schema_file_to_LDIF">Convert a .schema file to LDIF</span></h4> <p>OpenLDAP has supported .ldif files for schemas since version 2.3 (release year 2005). Some programs and packages, however, still do not ship LDIF files and ship .schema files instead. OpenLDAP has a utility to convert them. 
</p><p>A good example is <span style="white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the app-admin/sudo package."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/packages/app-admin/sudo"><span style="font-family: monospace; font-size: 95%; color: MidnightBlue;">app-admin/sudo</span></a><span style="color: grey; margin-left: 0.1em; font-size: 70%;" class="fa fa-hdd-o fa-fw"></span></span>. It ships a schema file, not an LDIF file, so it must be converted. To convert it: </p><p>Create an old-style configuration file that includes the schema. If the schema has dependencies, those must be included before the desired schema in the configuration file. </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">sudo-schema.conf</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>include /etc/openldap/schema/sudo.schema </pre></div> <p>Create an empty directory: </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>mkdir myconfig</code></div></div> <p>Run the <b>slaptest</b> command with the proper arguments: </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>slaptest -f sudo-schema.conf -F myconfig</code></div></div> <p>Look for the LDIF file in the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">myconfig/cn=config/cn=schema</span> directory. For sudo, this file is called <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">cn={0}sudo.ldif</span>. 
Clean up the file and rename it: </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed -e '/^#/d' -e '/^dn: /s/$/,cn=schema,cn=config/g' -e 's/{[[:digit:]]*}//g' -e '/^structuralObjectClass/d' -e '/^entryUUID/d' -e '/^creatorsName/d' -e '/^createTimestamp/d' -e '/^entryCSN/d' -e '/^modifiersName/d' -e '/^modifyTimestamp/d' < myconfig/cn\=config/cn\=schema/cn\=\{0\}sudo.ldif > sudo.ldif</code></div></div> <p>The LDIF file may now be added like any other schema. </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapadd -H ldapi:/// -Y EXTERNAL -f sudo.ldif</code></div></div> <p>The temporary files can now be cleaned up: </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>rm -fr myconfig</code></div></div> <h3><span class="mw-headline" id="Modules">Modules</span></h3> <p>Modules extend the functionality of OpenLDAP. There are modules for different backend type (like mdb), encryption algorithms (like argon2) and overlays (like accesslog). Some modules are compiled in, like the <i>back_mdb</i> and <i>syncrepl</i> modules, and (if <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the argon2 USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/argon2"><span style="color: MidnightBlue;">argon2</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> is specified), argon2. 
</p><p>For example, to add the password policy module (assuming <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the overlays USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/overlays"><span style="color: MidnightBlue;">overlays</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> has been set), create the following LDIF file: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">add-module.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=module,cn=config changetype: add objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap/openldap olcModuleLoad: ppolicy.so </pre></div> <p>Add the entries to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f add-module.ldif</code></div></div> <div class="alert alert-danger gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-exclamation-triangle"></i> Warning</strong><br />Modules cannot be removed while the server is online. Removing modules usually results in disastrous consequences, so it's not something to take lightly!</div> <h3><span class="mw-headline" id="Security">Security</span></h3> <p>OpenLDAP supports two popular security solutions: TLS (SSL) and Kerberos (GSSAPI). Both may be used together, if desired. </p> <h4><span class="mw-headline" id="TLS">TLS</span></h4> <p>A certificate is required to set up TLS. 
Typically a certificate is obtained either through an in-house enterprise certificate authority, or from an external authority, like <a href="/wiki/Let%27s_Encrypt" title="Let's Encrypt">Let's Encrypt</a>. Since LDAP servers are not usually exposed to the Internet, the former option is preferred. </p><p>The TLS server needs the CA certificate, the server certificate, and the key. The certificates and key should be placed in <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/ssl</span> with the proper permissions (444 for the certificates, 400 for the key). Change ownership of the files to the <i>ldap</i> user and group. The key should not have a password on it; rely on the 400 permissions and <i>ldap</i> ownership above to protect it. </p><p>Create an LDIF file to add the location of the CA certificate, server certificate, and the key. The example below expects the CA certificate at <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/ssl/ca.crt</span>, the server certificate at <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/ssl/ldap.crt</span>, and the key at <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/ssl/ldap.key</span>. </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">ldap-tls.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/ssl/ca.crt - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/ssl/ldap.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/ssl/ldap.key </pre></div> <p>Add the entries to the server: </p> <div class="cmd-box"><div><code 
style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f ldap-tls.ldif</code></div></div> <p>The LDAP clients must be configured with the certificate of the CA that the server's certificate is signed with. For each client, copy the CA certificate to <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/ca.crt</span> and set the permissions to 444. Edit <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/ldap.conf</span> and add the following line: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/openldap/ldap.conf</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>TLS_CACERT /etc/openldap/ca.crt </pre></div> <h4><span class="mw-headline" id="Kerberos">Kerberos</span></h4> <p>If OpenLDAP is compiled with <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the Kerberos USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/Kerberos"><span style="color: MidnightBlue;">Kerberos</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> (and <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the sasl USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/sasl"><span style="color: MidnightBlue;">sasl</span></a><a href="/wiki/USE_flag" 
title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span>) support, no configuration in OpenLDAP is needed for Kerberos. However, the server has to know where to find its keytab. It cannot use the system keytab because it has the wrong permissions. A special keytab must be created for OpenLDAP. An environment variable, KRB5_KTNAME, must be set in the server's context so that the server can find it. Extract the <b>ldap</b> principal for this server (ldap/FQDN@DOMAIN) and save it in a keytab file called <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/openldap/krb5-ldap.keytab</span>. Set file ownership to the ldap user and group, and set permissions to 400. </p> <h5><span class="mw-headline" id="OpenRC_2">OpenRC</span></h5> <p>Uncomment the KRB5_KTNAME line: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/conf.d/slapd</code></strong><strong>(Excerpt)</strong></div> <div class="mw-highlight mw-highlight-lang-bash mw-content-ltr" dir="ltr"><pre><span></span><span class="c1"># Specify the kerberos keytab file</span> <span class="nv">KRB5_KTNAME</span><span class="o">=</span>/etc/openldap/krb5-ldap.keytab </pre></div> <h5><span class="mw-headline" id="Systemd_2">Systemd</span></h5> <p>Edit <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/systemd/system/slapd.service.d/00gentoo.conf</span> and uncomment the KRB5_KTNAME line. 
</p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/systemd/system/slapd.service.d/00gentoo.conf</code></strong><strong>(Excerpt)</strong></div> <div class="mw-highlight mw-highlight-lang-bash mw-content-ltr" dir="ltr"><pre><span></span><span class="c1"># Specify the kerberos keytab file</span> <span class="nv">Environment</span><span class="o">=</span><span class="nv">KRB5_KTNAME</span><span class="o">=</span>/etc/openldap/krb5-ldap.keytab </pre></div> <h4><span class="mw-headline" id="Enforce_encryption">Enforce encryption</span></h4> <p>TLS and Kerberos allow the server to encrypt communications with the client through STARTTLS, but they do not mandate it. The LDAP server can be configured to force the use of encryption: </p><p>Create this LDIF: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">enforce-encryption.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=config changetype: modify add: olcLocalSSF olcLocalSSF: 128 dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcSecurity olcSecurity: update_ssf=128 simple_bind=1 </pre></div> <p>The first rule for <b>olcLocalSSF</b> protects against locking out local access. The value must be at least as large as the largest value in olcSecurity. The example above requires encryption to update any entries, but only integrity protection to bind. This distinction is only relevant for Kerberos: if the SSF is not 0, all TLS implementations will always encrypt (and most Kerberos ones will too). 
</p><p>Add the entries to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f enforce-encryption.ldif</code></div></div> <div class="alert alert-danger gw-box" style="padding-top: 8px; padding-bottom: 8px;"><strong><i class="fa fa-exclamation-triangle"></i> Warning</strong><br />Do not specify <b>tls=1</b> in olcSecurity; otherwise local users and non-TLS Kerberos users will be locked out.</div> <p>For increased flexibility, access control rules can be used in addition to, or instead of, mandating security via <b>olcSecurity</b>. </p> <h4><span class="mw-headline" id="Access_Control">Access Control</span></h4> <p>Each database has its own access control. The default for the directory databases (like mdb) is to grant read to all; otherwise, the default is no access to anyone. See <a rel="nofollow" class="external text" href="//www.openldap.org/doc/admin26/access-control.html#Access%20Control%20via%20Dynamic%20Configuration">Access Control via Dynamic Configuration</a> for the syntax and examples. 
</p><p>An example access control configuration: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">access-control.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcAccess olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * break olcAccess: to attrs=userPassword by ssf=128 self write by anonymous auth by * none olcAccess: to * by users read by * none </pre></div> <p>The above example allows local root to manage the database, requires encryption when users update their own passwords, allows authenticated users read access, and denies everyone else access. Note the <i>by * break</i> in the first rule: OpenLDAP normally stops at the first matching rule, and if the entity isn't matched in that rule, access is denied without further evaluating any other rules - unless the break clause is specified. </p> <h4><span class="mw-headline" id="Limits">Limits</span></h4> <p>For large directories, an LDAP query can take significant resources (time and bandwidth). Server-side limits on queries can be enforced. See <a rel="nofollow" class="external text" href="https://www.openldap.org/doc/admin26/limits.html">Limits</a> for syntax and examples. There are two versions of each limit: <i>soft</i> and <i>hard</i>. The <i>soft</i> limit is the maximum resources used if the client doesn't specify a limit. This works as a default value for clients. The <i>hard</i> limit is the maximum resources the client can request if they do specify a limit. Either or both may be specified in a limit rule. 
The two main resources that can be constrained by limits are <i>size</i> and <i>time</i>. </p><p>An example limit configuration: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">limit-control.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcLimits olcLimits: dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcLimits: users time=3600 size=1000 olcLimits: * time.soft=15 time.hard=60 size.soft=10 size.hard=100 </pre></div> <p>The above example gives the local root and replicator users no limits, gives authenticated users both hard and soft limits of 3600 seconds and 1000 results per query, and gives everyone else (like anonymous users) a soft limit of 15 seconds and 10 results per query, and a hard limit of 60 seconds and 100 results per query. </p> <h4><span class="mw-headline" id="Remote_RootDN_access">Remote RootDN access</span></h4> <p>The quick start creates a RootDN that can access anything; however, the RootPW is not set, meaning the RootDN cannot log in. The RootPW must be set to log in: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">ldap-rootpw.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcRootPW # Use a better password than this! 
olcRootPW: secret </pre></div> <p>Add the entries to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f ldap-rootpw.ldif</code></div></div> <p>When proper access has been set up, remove the root password: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL<pre>dn: olcDatabase={2}mdb,cn=config changetype: modify delete: olcRootPW</pre></code></div></div> <h3><span class="mw-headline" id="Replication">Replication</span></h3> <p>LDAP uses a push/pull model for replication. The "pusher" is called the <i>producer</i> and the "puller" is called the <i>consumer</i>. A server can have both roles (servers that only consume would need to be read-only and forward writes via referrals). There are two sync protocols: syncrepl and delta-syncrepl. The former sends all attributes of a DN that has changed; the latter sends only the attributes of the DN that changed. Delta-syncrepl uses less traffic but requires more configuration. </p><p>The number of replication scenarios is limited only by the imagination. See <a rel="nofollow" class="external text" href="//www.openldap.org/doc/admin26/replication.html">Replication</a> in the documentation for some examples. Two will be covered here: Mirrors and Read-only replicas. </p> <h4><span class="mw-headline" id="Replication_considerations">Replication considerations</span></h4> <p>The replication process requires a Bind DN and secret. The Bind DN must have read access to the entire database and not be subject to limits in order to complete its work. Also, unlike the userPassword attribute, the secret must be stored in the clear. Therefore, the use of TLS is critical. 
</p><p>There are three options for replication authentication: </p> <ol><li>Use the RootDN</li> <li>Use a dedicated replication account</li> <li>Do something fancy with Kerberos/SASL</li></ol> <p>Option 1 is the easiest, but least secure. </p><p>For option 2, a dedicated replicator DN can be created (note that the database needs to be populated first: <a href="#Populating_the_directory">#Populating the directory</a>): </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">replicator.ldif.in</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=replicator,${MY_DOMAIN_DC} changetype: add objectClass: simpleSecurityObject objectClass: organizationalRole cn: replicator description: Replication user userPassword: {CRYPT}x dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcAccess olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by dn.exact="cn=replicator,${MY_DOMAIN_DC}" read by * break olcAccess: to attrs=userPassword by self write by anonymous auth by * none olcAccess: to * by * read - replace: olcLimits olcLimits: dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcLimits: dn.exact="cn=replicator,${MY_DOMAIN_DC}" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited </pre></div> <p>The above <b>olcAccess</b> rules assume the quick start configuration is in use. If a different configuration is in use, make sure the <b>olcAccess</b> rule giving the replicator user read access is the first rule, and don't forget the <i>by * break</i> to continue evaluating the access control rules for other entities. 
</p><p>Use sed to fill in the blanks, replacing <b>dc=example,dc=com</b> with your directory component information. </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed -e 's/${MY_DOMAIN_DC}/dc=example,dc=com/g' < replicator.ldif.in > replicator.ldif</code></div></div> <p>Add it to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -c -H ldapi:/// -Y EXTERNAL -f replicator.ldif</code></div></div> <p>Change the password (substitute your DC): </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldappasswd -H ldapi:/// -Y EXTERNAL -S cn=replicator,dc=example,dc=com</code></div></div> <p>Option 3 requires something like Kerberos (GSSAPI) or client certificates (TLS with EXTERNAL). This is the most difficult option. Figuring out how to set this up is an exercise for the reader. </p> <h4><span id="Preparing_the_producer_for_delta-syncrepl_(Optional)"></span><span class="mw-headline" id="Preparing_the_producer_for_delta-syncrepl_.28Optional.29">Preparing the producer for delta-syncrepl (Optional)</span></h4> <p>The producer OpenLDAP must have been built with the <span style="font-family: monospace; font-size: 95%; color: MidnightBlue; white-space: nowrap;" class="plainlinks" title="External link to https://packages.gentoo.org for the overlays USE Flag."><a rel="nofollow" class="external text" href="https://packages.gentoo.org/useflags/overlays"><span style="color: MidnightBlue;">overlays</span></a><a href="/wiki/USE_flag" title="USE flag"><span style="color: grey; margin-left: 0.1em; font-size: 70% !important;" class="fa fa-flag-o fa-fw"></span></a></span> flag. 
The producer also needs the <i>accesslog</i> module loaded: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">mod-accesslog.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=module,cn=config changetype: add objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap/openldap olcModuleLoad: accesslog.so </pre></div> <p>Add the entries to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f mod-accesslog.ldif</code></div></div> <p>Create the directories for the access log and fix the owner: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>( umask 077 && mkdir /var/lib/openldap-data/accesslog ) </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>chown -R ldap:ldap /var/lib/openldap-data/accesslog</code></div></div> <p>Next, another database needs to be created, along with a syncrepl overlay for it. 
The accesslog overlay is also added to the main database: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">deltasync-producer.ldif</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase=mdb,cn=config changetype: add objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcDbDirectory: /var/lib/openldap-data/accesslog olcSuffix: cn=accesslog olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage # Delete this comment and uncomment the next lines if a dedicated replicator account is in use # by dn.exact="cn=replicator,dc=example,dc=com" read #olcLimits: dn.exact="cn=replicator,dc=example,dc=com" # time.soft=unlimited time.hard=unlimited # size.soft=unlimited size.hard=unlimited dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE dn: olcOverlay=accesslog,olcDatabase={2}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectCLass: olcAccessLogConfig olcOverlay: accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogSuccess: TRUE # Scan the data once a day and purge anything older than a week olcAccessLogPurge: 07+00:00 01+00:00 </pre></div> <p>Add the entries to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f deltasync-producer.ldif</code></div></div> <h4><span class="mw-headline" id="Mirroring_configuration">Mirroring configuration</span></h4> <p>Since each 
server is both a producer and consumer, the configuration is almost exactly the same for each. </p><p>First, the producer part. Configure the Server ID and an LDAP overlay: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">mirror-producer.ldif.in</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=config changetype: modify add: olcServerID # An arbitrary, unique 3 digit hexadecimal value olcServerID: ${MY_SERVER_ID} ldap://${MY_SERVER_NAME} dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryCSN,entryUUID eq # If the quick start configuration wasn't used, this may be required too # olcDbIndex: objectClass eq dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 </pre></div> <p>Use sed to fill in the blanks, substituting <b>001</b> with desired server ID, and <b>ldap1.example.com</b> with the producer's LDAP FQDN. </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed -e 's/${MY_SERVER_ID}/001/g' -e 's/${MY_SERVER_NAME}/ldap1.example.com/g' < mirror-producer.ldif.in > mirror-producer.ldif</code></div></div> <p>Add the entries to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f mirror-producer.ldif</code></div></div> <p>Second, the consumer part. 
Configure replication: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">mirror-consumer.ldif.in</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcSyncrepl # The RID value is arbitrary olcSyncrepl: rid=001 provider=ldap://${MY_SERVER_NAME} searchbase="${MY_DOMAIN_DC}" bindmethod=simple binddn="cn=replicator,${MY_DOMAIN_DC}" credentials=secret type=refreshAndPersist retry="60 +" starttls=critical # Delete this comment and uncomment out the next 2 lines if using delta-syncrepl # logbase="cn=accesslog" # logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" - add: olcMultiProvider olcMultiProvider: TRUE </pre></div> <p>Use sed to fill in the blanks, replacing <b>dc=example,dc=com</b> with your directory component information, and <b>ldap.example.com</b> with the producer's LDAP FQDN. </p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed -e 's/${MY_SERVER_NAME}/ldap2.example.com/g' -e 's/${MY_DOMAIN_DC}/dc=example,dc=com/g' < mirror-consumer.ldif.in > mirror-consumer.ldif</code></div></div> <p>If using delta-syncrepl, follow the instructions in the LDIF file. Also, substitute the values of <b>binddn</b> and <b>credentials</b> with the correct values; the replication secret is stored in the clear in the consumer's configuration, so the example value must not be kept. Load it onto the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f mirror-consumer.ldif</code></div></div> <p>Then repeat for the other server, choosing a new <i>olcServerID</i> and swapping the URLs for the producer and consumer. 
</p><p>It is possible to extend this to multiple mirrors; such a configuration is called "<a rel="nofollow" class="external text" href="//www.openldap.org/doc/admin26/replication.html#N-Way%20Multi-Provider%20Replication">N-Way Multi-Provider Replication</a>". It's basically the same as mirroring, except there are multiple <b>olcSyncrepl</b> entries - one for each other server. </p> <h4><span class="mw-headline" id="Read-only_replicas_configuration">Read-only replicas configuration</span></h4> <p>On the producer, configure as follows: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">producer.ldif.in</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=config changetype: modify add: olcServerID # An arbitrary, unique 3 digit hexadecimal value olcServerID: ${MY_SERVER_ID} ldap://${MY_SERVER_NAME} dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryCSN,entryUUID eq # If the quick start configuration wasn't used, this may be required too # olcDbIndex: objectClass eq dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 </pre></div> <p>Use sed to fill in the blanks, substituting <b>001</b> with the desired server ID, and <b>ldap1.example.com</b> with the producer's LDAP FQDN. 
</p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed -e 's/${MY_SERVER_ID}/001/g' -e 's/${MY_SERVER_NAME}/ldap1.example.com/g' < producer.ldif.in > producer.ldif</code></div></div> <p>Add the entries to the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f producer.ldif</code></div></div> <p>On the consumers, configure as follows: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">consumer.ldif.in</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcSyncrepl # The RID value is arbitrary olcSyncrepl: rid=001 provider=ldap://${MY_SERVER_NAME} searchbase="${MY_DOMAIN_DC}" bindmethod=simple binddn="cn=replicator,${MY_DOMAIN_DC}" credentials=secret type=refreshAndPersist retry="60 +" starttls=critical # Delete this comment and uncomment out the next 2 lines if using delta-syncrepl # logbase="cn=accesslog" # logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" - add: olcUpdateRef olcUpdateRef: ldap://${MY_SERVER_NAME} </pre></div> <p>Use sed to fill in the blanks, replacing <b>dc=example,dc=com</b> with your directory component information, and <b>ldap.example.com</b> with the producer's LDAP FQDN. 
</p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed -e 's/${MY_SERVER_NAME}/ldap.example.com/g' -e 's/${MY_DOMAIN_DC}/dc=example,dc=com/g' < consumer.ldif.in > consumer.ldif</code></div></div> <p>If using delta-syncrepl, follow the instructions in the LDIF file. Also, substitute the values of binddn and credentials with the correct values. Load it onto the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f consumer.ldif</code></div></div> <p>This is almost the same as mirroring, but without the <b>olcMultiProvider</b> entry and with an added <b>olcUpdateRef</b> for the database. </p> <h2><span class="mw-headline" id="Populating_the_directory">Populating the directory</span></h2> <p>Unless the server is a replication consumer of an already populated producer, the directory itself is still empty. The initial entry must be created or imported: </p> <h3><span class="mw-headline" id="Populating_the_directory_via_creation">Populating the directory via creation</span></h3> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">populate.ldif.in</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: ${MY_DOMAIN_DC} changetype: add objectClass: dcObject objectClass: organization o: TO FILLED IN BY LDAP ADMIN dc: ${MY_DOMAIN} dn: cn=Manager,${MY_DOMAIN_DC} changetype: add objectClass: organizationalRole cn: Manager </pre></div> <p>Use sed to fill in the blanks, replacing <b>dc=example,dc=com</b> with your directory component information and <b>example</b> with the first part of the domain name. 
</p> <div class="cmd-box"><div><code style="color: #4E9A06; user-select: none; font-weight: bold;">user <span style="color:royalblue;">$</span></code><code>sed -e 's/${MY_DOMAIN_DC}/dc=example,dc=com/g' -e 's/${MY_DOMAIN}/example/g' < populate.ldif.in > populate.ldif</code></div></div> <p>Don't forget to change the value of the <i>o</i> attribute to something suitable (either the name of the organization, or the FQDN of the domain if nothing in particular is suitable). Load it onto the server: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL -f populate.ldif</code></div></div> <p>Once the initial population is done, the directory can be loaded with data. </p> <h3><span class="mw-headline" id="Populating_the_directory_via_import">Populating the directory via import</span></h3> <p>The old directory needs to be exported with all the internal attributes. For OpenLDAP, the <b>slapcat</b> command on the old server will produce a suitable output. Copy the LDIF file to the new server, shut down OpenLDAP if it's still running, and import the old database with <b>slapadd</b>. The database ownership will need to be updated: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>chown -R ldap:ldap /var/lib/openldap-data</code></div></div> <p>Then start up OpenLDAP. </p> <h2><span class="mw-headline" id="Adminstration">Administration</span></h2> <h3><span class="mw-headline" id="Backing_up_the_database">Backing up the database</span></h3> <p>To back up the database, use <b>slapcat</b> on the main database (if delta-syncrepl is in use, back up the accesslog database as well). Typically this would be run by a cron job or systemd timer. The backup should be considered sensitive, as it includes the userPassword attributes, and must be stored with permissions at least as restrictive as the database itself. 
</p> <h3><span class="mw-headline" id="Clearing_all_schemas">Clearing all schemas</span></h3> <p>Removing schemas is not a simple task. Slapd must be <b>offline</b> and the unwanted schemas must be removed with <b>slapmodify</b> using a <i>delete</i> operation. Sometimes OpenLDAP will refuse to do so. Because the config files should never be changed manually, the best way to continue is to delete all schemas and then re-add the desired ones. To do that, <b>slapcat</b> can be used to produce a filtered LDIF, then the LDIF manually edited to re-include the desired schemas. </p><p>With slapd <b>offline</b>, issue the following <b>slapcat</b> command: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>slapcat -n 0 -H 'ldap:///???(!(entryDN:dnSubtreeMatch:=cn=schema,cn=config))' > new_schemas.ldif</code></div></div> <p>Insert the following blocks after the first <b>cn=config</b> block </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">new_schemas.ldif</code></strong><strong>(Insert after first <i>cn=config</i> block)</strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema # Required. 
Note there should be a blank line before and after every include statement include: file:///etc/openldap/schema/core.ldif # Include schema dependencies first then the desired schema include: file:///etc/openldap/schema/cosine.ldif include: file:///etc/openldap/schema/nis.ldif </pre></div> <p>Back up the old configuration directory (it is moved aside here rather than deleted, so it can be restored if the new configuration fails), create a new empty config directory and add the new LDIF configuration: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>mv /etc/openldap/slapd.d/ /etc/openldap/slapd.d.old </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>( umask 077 && mkdir /etc/openldap/slapd.d ) </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>slapadd -n 0 -l new_schemas.ldif -F /etc/openldap/slapd.d </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>chown -R ldap:ldap /etc/openldap/slapd.d </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>slaptest </code></div><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>slapschema -n 2</code></div></div> <p>If <b>slaptest</b> fails, be sure the block above was inserted in the correct place and that the required blank lines are present. If <b>slapschema</b> fails, either add the missing schema or, if that schema is to be decommissioned, remove the incompatible attributes from the directory. The server might not start until the problem is fixed; at the very least the DNs with attributes without a schema will be inaccessible. 
</p> <h3><span class="mw-headline" id="Open_file_limits">Open file limits</span></h3> <p>By default, processes are soft limited to 1024 descriptors, and hard limited to 4096 descriptors. If slapd starts showing the "Too many open files" message, the limit has been exceeded. Increasing the limit depends on the init system: </p> <h4><span class="mw-headline" id="OpenRC_3">OpenRC</span></h4> <p><b>start-stop-daemon</b> applies the limits that pam_limits has configured for the user the service runs as (<i>ldap</i>). Either edit <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/security/limits.conf</span> or add a file in the <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/security/limits.d</span> directory with the following lines, replacing <b>8192</b> with the desired value: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/security/limits.conf</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>ldap soft nofile 8192 ldap hard nofile 8192 </pre></div> <p>Slapd must be restarted for changes to take effect: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>rc-service slapd restart</code></div></div> <h4><span class="mw-headline" id="Systemd_3">Systemd</span></h4> <p>Systemd itself controls the limits of a service, and they can be raised with a drop-in configuration file. 
Append the following to <span style="font-family: monospace; font-size: 95%; color: #3c763d; font-weight: 600;">/etc/systemd/system/slapd.service.d/00gentoo.conf</span>, replacing <b>8192</b> with the desired value: </p> <div class="box-caption"><span class="label" style="margin-right: .5em; background-color: #54487A">FILE</span> <strong><code style="border: none; background: none; color: #54487A; margin-right: .5em;">/etc/systemd/system/slapd.service.d/00gentoo.conf</code></strong><strong></strong></div> <div class="mw-highlight mw-highlight-lang-text mw-content-ltr" dir="ltr"><pre><span></span>[Service] LimitNOFILE=8192 </pre></div> <p>Systemd must re-read its unit files (<b>systemctl daemon-reload</b>) and slapd must be restarted for the change to take effect: </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>systemctl restart slapd</code></div></div> <h2><span class="mw-headline" id="Troubleshooting">Troubleshooting</span></h2> <h3><span class="mw-headline" id="Turning_up_the_log_level">Turning up the log level</span></h3> <p>To turn up the log level, change the value of <b>olcLogLevel</b>. The <a rel="nofollow" class="external text" href="//www.openldap.org/doc/admin26/slapdconf2.html#cn=config">admin guide</a> lists the possible values. </p> <div class="cmd-box"><div><code style="color: #ef2929; user-select: none; font-weight: bold;">root <span style="color:royalblue;">#</span></code><code>ldapmodify -H ldapi:/// -Y EXTERNAL<pre>dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: 1023</pre></code></div></div> <p>Once the problem has been fixed, it can be changed back to <i>768</i> using the same construction. Note that a level such as <i>1023</i> turns on the packet and BER tracing bits, so the log may capture the contents of client requests, potentially including the credentials sent in simple binds; treat such logs as sensitive and do not leave the level raised on a production server longer than needed. 
</p> <h2><span class="mw-headline" id="See_also">See also</span></h2> <ul><li><a rel="nofollow" class="external text" href="//www.openldap.org/doc/admin26/index.html">OpenLDAP 2.6 Administrator's Guide</a></li></ul>