Openldap
cn=config
We use the cn=config configuration option in all of Pandora. Ostensibly, since the configuration is stored in the LDAP database itself, changes can be made without restarting the server. What this means in practice is that we no longer have a single configuration file; we now have a set of ldif files under the cn=config directory.
To make a change, all you have to do is make the change in the ldif file and restart slapd.
If you need to make a change without restarting the server, use ldapmodify to change the cn=config database. I haven't done this, but it is possible and should be documented here when someone does it.
Dumping/Restoring Configs
Warning: Make sure slapd has been stopped before performing any slap* commands (slapcat, slapadd, etc.).
To dump the cn=config database into an ldif file, use the following.
slapcat -n0 -F /etc/openldap/slapd.d > /tmp/config-in-portable-format.ldif
To restore, make sure that /etc/openldap/slapd.d exists and is empty (back up the old directory in case something goes wrong).
slapadd -n0 -F /etc/openldap/slapd.d -l /tmp/config-in-portable-format.ldif
New Server
The easiest way to build out a server is to bring over an ldif file dumped from another server. Once you have imported it, LDAP nullifies the password hash, so you will have to regenerate it. It's good practice to take a backup of the slapd.d directory in its clean state, but it's not strictly necessary since it's part of the default install.
Changing the admin passwords
To change the administrative password, you have to generate a hash and then add it into the online configuration database.
First create a new password hash like so:
[root@server-01 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}XXXXXXXXXXXX
There are two different admin accounts for OpenLDAP. One is the Manager, which gives admin access to the directory; the other is for cn=config and allows you to modify OpenLDAP's configuration with LDIF files (or an LDAP editor like Apache Directory Studio).
To modify the Manager, edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif and look for these two lines:
olcRootDN: cn=Manager,dc=domain,dc=com
olcRootPW: {SSHA}XXXX=
Replace olcRootPW's entry with your new hash.
To change cn=config's password, edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif and modify the olcRootPW entry.
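The cn=config section above notes that the change can also be made online with ldapmodify instead of editing the ldif files and restarting. This is an added example, not from the original page, that does exactly that for the olcRootPW change described here. It assumes slapd listens on ldapi:/// and the script runs as root so -Y EXTERNAL maps to the config rootdn (the same assumption as the audit-log commands further down); the database DNs are the {0}config and {2}bdb ones named above.

```shell
#!/bin/sh
# Added example: replace olcRootPW in the live cn=config database with
# ldapmodify so the new hash takes effect without restarting slapd.
# Assumes: slapd listens on ldapi:///, run as root so -Y EXTERNAL (SASL
# over the unix socket) is authorized to write cn=config, and the
# olcDatabase DNs match this page ({0}config for cn=config, {2}bdb for
# the directory). Adjust them to what your slapd.d actually contains.
set -eu

# Emit the LDIF that replaces olcRootPW on one olcDatabase entry.
# Refuses anything that is not a hashed scheme ({SSHA}, {SHA}, {CRYPT},
# {MD5}, {SMD5}) so a cleartext password never ends up in cn=config.
rootpw_ldif() {
  db_dn=$1
  hash=$2
  case "$hash" in
    "{SSHA}"*|"{SHA}"*|"{CRYPT}"*|"{MD5}"*|"{SMD5}"*) ;;
    *) echo "refusing non-hashed olcRootPW value" >&2; return 1 ;;
  esac
  printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' \
    "$db_dn" "$hash"
}

# Prompt for the new password with slappasswd (it prints the {SSHA} hash
# on stdout) and apply the change. The LDIF is piped straight into
# ldapmodify so the hash is never written to a temp file on disk.
apply_rootpw() {
  db_dn=$1
  hash=$(slappasswd)
  rootpw_ldif "$db_dn" "$hash" | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Usage (not executed when the file is sourced):
#   apply_rootpw "olcDatabase={2}bdb,cn=config"     # the Manager account
#   apply_rootpw "olcDatabase={0}config,cn=config"  # the cn=config account
```

After a change, confirm it with a bind as the new rootdn (for example ldapwhoami -D cn=Manager,dc=domain,dc=com -W) rather than trusting the return code alone.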
Setting up audit logging
This is a work in progress. We've got it working in a client but there are some unanswered questions:
- who made the change?
- how do you control which changes are recorded? All writes? Some writes? Reads?
- how big will the log grow? Can I rotate the log out while slapd is running?
The how so far
Create a file named auditlog_setup_module.ldif:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog
Then add it (run this command as root so that -Y EXTERNAL works):
ldapadd -Y EXTERNAL -H ldapi:/// -f auditlog_setup_module.ldif
Create another file named auditlog_setup_overlay.ldif:
dn: olcOverlay=auditlog,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /tmp/auditlog.ldif
Note that we figured out that olcDatabase={2} is the database that holds our important user data.
Then add it:
ldapadd -Y EXTERNAL -H ldapi:/// -f auditlog_setup_overlay.ldif
Then restart ldap and tail your audit file. The overlay writes the full LDIF of every change it records, so the file will contain attribute values (including any userPassword hashes that get modified); in production put it somewhere other than /tmp, with permissions that only root and the slapd user can read.
backup script
#!/bin/sh
# Nightly dump of the directory and of cn=config. Per the warning in
# Dumping/Restoring Configs above, stop slapd before running slap* commands.
DATE=$(date +%Y%m%d%H%M%S)
MAXAGE=15
HOST=$(hostname)   # ${HOSTNAME} is not guaranteed to be set under /bin/sh

echo "Ldap backup on ${HOST} at ${DATE}"
# This only lists backups older than MAXAGE days; nothing is deleted yet.
echo "removing old files, MAXAGE is ${MAXAGE}"
/bin/find /home/ldap/backup/ -mtime +${MAXAGE} -exec ls -la {} \;

echo "Backing up dc=domain,dc=com"
# -F points at the cn=config directory described at the top of this page.
/usr/sbin/slapcat -F /etc/openldap/slapd.d -b "dc=domain,dc=com" > /home/ldap/backup/ldap.domain.com.${DATE}.ldif \
  && gzip /home/ldap/backup/ldap.domain.com.${DATE}.ldif
ls -la /home/ldap/backup/ldap.domain.com.${DATE}.ldif.gz

echo "Backing up cn=config"
/usr/sbin/slapcat -n0 -F /etc/openldap/slapd.d > /home/ldap/backup/ldap.config.${DATE}.ldif \
  && gzip /home/ldap/backup/ldap.config.${DATE}.ldif
ls -la /home/ldap/backup/ldap.config.${DATE}.ldif.gz