
slapd has deprecated slapd.conf and prefers an LDIF config; `slapd -F dir` uses the new LDIF config, but the dir must follow the LDIF structure:

  • cn=config.ldif
  • cn=config/
    • cn=schema.ldif
    • cn=schema/

Is it possible to make the initial LDIF config a single file, like slapd.ldif?

wener


Any LDIF file can include multiple objects. For example, if I want to create an organizationalUnit and a couple of organizationalPerson objects, I can write:

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=user1,ou=users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: simpleSecurityObject
cn: user1
sn: user1
userPassword: {SSHA}lNnn048f5TFMqjb/hWaMibYm5LavDFtK

dn: cn=user2,ou=users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: simpleSecurityObject
cn: user2
sn: user2
userPassword: {SSHA}vNEUo1M42aG9w4p1zwMkjY2+7xUzeOeF

Since recent versions of slapd manage configuration as an LDAP database, we can submit our configuration as LDIF files, just like the above. For example, the following LDIF file would load the mdb backend and then configure an MDB database for dc=example,dc=com:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/openldap
olcModuleLoad: back_mdb.so

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=manager,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbDirectory: /var/lib/openldap/example.com
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
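As an added example (not part of larsks's answer and not OpenLDAP's own tooling), here is a small Python parser for multi-entry LDIF like the two files above. It handles blank-line-separated entries, `attr:: <base64>` values such as the `olcRootPW:: c2VjcmV0` line, and folded continuation lines, and then runs two audit rules of its own over the parsed entries before you would hand the file to `ldapadd`. The two sample LDIFs are copied inline from the answer so the script runs offline; the audit rules are assumptions of this example, not OpenLDAP checks.

```python
"""Parse a multi-entry LDIF and audit cn=config entries before they are loaded."""
import base64
import re

# Constructed inline copies of the two LDIF files from the answer, so the
# script needs no files on disk.
USERS_LDIF = """\
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=user1,ou=users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: simpleSecurityObject
cn: user1
sn: user1
userPassword: {SSHA}lNnn048f5TFMqjb/hWaMibYm5LavDFtK

dn: cn=user2,ou=users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: simpleSecurityObject
cn: user2
sn: user2
userPassword: {SSHA}vNEUo1M42aG9w4p1zwMkjY2+7xUzeOeF
"""

CONFIG_LDIF = """\
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/openldap
olcModuleLoad: back_mdb.so

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=manager,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbDirectory: /var/lib/openldap/example.com
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
"""

# A hashed userPassword / olcRootPW value starts with a scheme tag like {SSHA}.
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")


def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute -> list of values.

    Covers the LDIF features the answer's files rely on: entries separated by
    blank lines, `attr:: <base64>` values (olcRootPW above), and folded
    continuation lines that begin with a single space (RFC 2849).
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):             # attr:: value -> base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):           # attr:< file:///... -> not handled here
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        if current is None:
            if name != "dn":
                raise ValueError(f"entry must start with dn:, got {name!r}")
            current = {}
        current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit(entries):
    """Defender-side checks to run before `ldapadd -Y EXTERNAL -H ldapi://`.

    These rules are this example's own, not OpenLDAP's:
      * olcRootPW / userPassword without a {SCHEME} tag is stored cleartext;
        the `::` base64 form in LDIF is encoding, not hashing.
      * a database entry with no olcAccess falls back to slapd's default
        policy, which lets anyone read everything.
    """
    findings = []
    for entry in entries:
        dn = entry["dn"][0]
        for attr in ("olcRootPW", "userPassword"):
            for value in entry.get(attr, []):
                if not SCHEME_RE.match(value):
                    findings.append(f"{dn}: {attr} is cleartext; use a slappasswd hash such as {{SSHA}}...")
        if "olcDatabase" in entry and "olcAccess" not in entry:
            findings.append(f"{dn}: no olcAccess rules, default policy grants read to anyone")
    return findings


if __name__ == "__main__":
    for label, text in (("users", USERS_LDIF), ("config", CONFIG_LDIF)):
        parsed = parse_ldif(text)
        print(f"{label}: {len(parsed)} entries")
        for finding in audit(parsed):
            print("  FINDING:", finding)
```

Run as a script it reports three user entries with no findings and two config entries with one finding: the `olcRootPW:: c2VjcmV0` line decodes to the cleartext value `secret`, since base64 in LDIF only exists to carry values that contain special characters, not to protect them. slapd accepts a `{SSHA}` hash in `olcRootPW` just as it does in `userPassword`, so generate one with `slappasswd` instead.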

I like to initialize slapd like this:

  1. Create a stub /etc/openldap/slapd.conf.init:

    pidfile /var/lib/openldap/run/slapd.pid
    
    database config
    access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    

    The ACL in the above configuration grants manage access to the system root user when accessing slapd via an ldapi:// socket. This is necessary to provide you with write access to the cn=config database.

  2. Use that to initialize your slapd.d configuration:

    slaptest -f slapd.conf.init -F slapd.d
    
  3. Start slapd, and make sure you enable the ldapi:// socket:

    slapd ... -h 'ldap:// ldaps:// ldapi://'
    
  4. Use ldapadd with EXTERNAL authentication to add your LDIF based configuration:

    ldapadd -Y EXTERNAL -H ldapi:// -f configuration.ldif
    

Throughout all of this, you'll need to pay attention to file/directory ownership: e.g., if you're running slapd as the ldap user, you'll need to ensure the ldap user is able to write to the slapd.d directory.
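The four steps above as one script, added here as an example rather than taken from the answer or from OpenLDAP. It writes the stub config, builds the `slaptest`, `slapd` and `ldapadd` command lines exactly as shown, and adds the two checks that bite in practice: a mode-bit check that the slapd.d directory is writable by the user slapd runs as (the ownership point above), and a wait for the ldapi:// socket, because `slapd` daemonises and returns before it is listening, so an immediate `ldapadd` can fail. The socket path, config paths and the run-as uid/gid are assumptions to adjust for your distribution; `bootstrap()` itself has to run as root so that `-Y EXTERNAL` over ldapi:// maps to the `gidNumber=0+uidNumber=0` DN in the stub ACL.

```python
"""Seed slapd.d from a stub slapd.conf, start slapd, then load LDIF over ldapi://."""
import os
import shutil
import socket
import subprocess
import time
from pathlib import Path

# Stub from the answer; pidfile is filled in by write_stub().
STUB_CONF = """\
pidfile {pidfile}

database config
access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
"""


def write_stub(conf_path, pidfile):
    """Step 1: write the minimal slapd.conf used only to seed slapd.d; returns its text."""
    text = STUB_CONF.format(pidfile=pidfile)
    path = Path(conf_path)
    path.write_text(text)
    path.chmod(0o600)  # not secret, but keep config files tight by default
    return text


def writable_by(path, uid, gid):
    """True if `path` is writable by uid/gid judging by owner and mode bits only
    (POSIX ACLs and capabilities are ignored). Root always passes."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & 0o200)
    if st.st_gid == gid:
        return bool(st.st_mode & 0o020)
    return bool(st.st_mode & 0o002)


def build_commands(stub, confdir, ldif, urls="ldap:// ldaps:// ldapi://"):
    """Steps 2-4 as argv lists, returned rather than run so they can be inspected."""
    return [
        ["slaptest", "-f", str(stub), "-F", str(confdir)],
        ["slapd", "-F", str(confdir), "-h", urls],
        ["ldapadd", "-Y", "EXTERNAL", "-H", "ldapi://", "-f", str(ldif)],
    ]


def wait_for_socket(sock_path, timeout=10.0):
    """Poll until the ldapi Unix socket exists and accepts a connection."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(sock_path):
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                try:
                    s.connect(sock_path)
                    return True
                except OSError:
                    pass
        time.sleep(0.2)
    return False


def bootstrap(stub, confdir, ldif, run_uid, run_gid, sock_path, pidfile):
    """Run the whole procedure as root; raises on the first failing step."""
    for tool in ("slaptest", "slapd", "ldapadd"):
        if shutil.which(tool) is None:
            raise FileNotFoundError(f"{tool} is not on PATH")
    confdir = Path(confdir)
    confdir.mkdir(parents=True, exist_ok=True)
    os.chown(confdir, run_uid, run_gid)  # slapd must be able to write slapd.d
    if not writable_by(confdir, run_uid, run_gid):
        raise PermissionError(f"{confdir} is not writable by uid {run_uid}")
    write_stub(stub, pidfile)
    slaptest_cmd, slapd_cmd, ldapadd_cmd = build_commands(stub, confdir, ldif)
    subprocess.run(slaptest_cmd, check=True)
    subprocess.run(slapd_cmd, check=True)          # forks into the background
    if not wait_for_socket(sock_path):
        raise TimeoutError(f"slapd did not open {sock_path}")
    subprocess.run(ldapadd_cmd, check=True)


if __name__ == "__main__":
    # Assumed paths (adjust for your distribution); uid/gid 0 keeps slapd as root here.
    bootstrap(
        stub="/etc/openldap/slapd.conf.init",
        confdir="/etc/openldap/slapd.d",
        ldif="/etc/openldap/configuration.ldif",
        run_uid=0, run_gid=0,
        sock_path="/var/lib/openldap/run/ldapi",
        pidfile="/var/lib/openldap/run/slapd.pid",
    )
```

If slapd is started with `-u ldap -g ldap`, pass that uid/gid as `run_uid`/`run_gid` so the ownership check tests the right account; the check is deliberately conservative (mode bits only), so a directory that is writable only through a POSIX ACL is reported as not writable.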


Update: Here is an example that:

  • Builds a custom slapd image designed to be initialized with LDIF files provided at runtime
  • Includes an example configuration that deploys the image into Kubernetes and mounts a single ConfigMap to initialize it.
larsks
  • So the answer is no; the only solution is to convert from conf. I want to use the single ldif so I can mount it from a `ConfigMap`; if this is impossible, I have to stick with slapd.conf. – wener Aug 19 '22 at 08:56
  • No, the answer is "yes". You *can* use a single `ConfigMap` with this model. You just need to build your image so that it initializes itself with a minimal config before processing the LDIF. See my update, which includes an example that does exactly this. – larsks Aug 19 '22 at 11:01