Getting back to use openldap

While trying to get ldap torture back in shape, I had to learn again how to get slapd up and running with a reasonable config. Here are a few things I had long forgotten and learned again this morning:

  1. The order of the statements in slapd.conf matters. Don't be naive: even though the config looks like a plain key-value store, some keys can be repeated multiple times (like backend or database) and can only appear before or after other statements.
  2. My good old example slapd.conf no longer worked with slapd. Some of it is because the setup is just different, some of it because I probably had a few errors to begin with, and some of it because a few statements moved around or are no longer valid. See the changes I had to make.
  3. Recent versions of slapd support keeping the config in the database itself, or at least represented in LDIF format within the tree. Many distros ship slapd with the new format. To convert from the old format to the new one, you can use:

    slapd -f slapd.conf -F /etc/ldap/slapd.d
    
  4. I had long forgotten how quiet slapd can be, even when things go wrong. Looking in /var/log/syslog is often not enough. In fact, my database was invalid and the config had errors, yet there was very little indication that, when I started slapd, it was sitting there idle because it couldn't really start. To debug the errors, I ended up running it with:

    slapd -d Any -f slapd.conf
    
  5. slapd will not create the initial database by itself. To do so, I had to use:

    /usr/sbin/slapadd -f slapd.conf < base.ldiff
    

    with base.ldiff being something like this.

  6. Even if you set no password, ldapsearch with SASL authentication will likely still prompt you for one. It's easy to fix, though: just pass the -x parameter to go back to simple authentication, like with:

    ldapsearch -x -H "ldap://127.0.0.1:9009/" -b dc=test,dc=it
    

    Note that I had slapd running on a non-standard port for experimentation purposes.

  7. Let's say you use -h instead of -H for ldapsearch because your memory is flaky, but you pass the argument in the form -H would expect:

    ldapsearch -x -h "ldap://127.0.0.1:9009/" -b dc=test,dc=it
    

The command will silently fail. That is, it accepts the value as a "valid" -h parameter, but still reports "unable to connect". Really, -h takes a plain hostname, like 127.0.0.1, but it will not complain about a value like the one above. It took me a few minutes to realize the mistake.

Let's see what the next roadblocks will be ...

