While trying to get ldap torture back in shape, I had to learn again how to get
slapd up and running with a reasonable configs. Here's a few things I had long forgotten and I have learned this morning:
slapd.confis relevant. Don't be naive, even though the config looks like a normal key value store, some keys can be repeated multiple times (like backend, or database), and can only appear before / after other statements.
slapd. Some of it is because the setup is just different, some of it because I probably had a few errors to being with, some of it is because a few statements moved around or are no longer valid. See the changes I had to make.
Recent versions of
slapd support having configs in the database itself, or at least represented in ldiff format and within the tree. Many distros ship
slapd with the new format. To convert from the old format to the new one, you can use:
slapd -f slapd.conf -F /etc/ldap/slapd.d
I had long forgotten how quiet
slapd can be, even when things go wrong. Looking in
/var/log/syslog might often not be enough. In facts, my database was invalid, configs had error, and there was very little indication of the fact that when I started slapd, it was sitting there idle because it couldn't really start. To debug errors, I ended up running it with:
slapd -d Any -f slapd.conf
slapd will not create the initial database by itself. To do so, I had to use:
/usr/sbin/slapcat -f slapd.conf < base.ldiff
base.ldiff being something like this.
[ ... ]
Back in 2004 I was playing a lot with
OpenLDAP. Getting it to run reliably turned out more challenging than I had originally planned for:
DB_CONFIGfile in the top level directory of the database. Not a feature of openldap, rather a feature of BerkeleyDB.
HDB, both based on BerkeleyDB. The first, older, did not support operations like 'movedn', which had been standardized in the LDAP protocol for a while, and a few other features that
HDBthough, was marked as experimental. During our use, we found several bugs.
[ ... ]