Openldap

From Federal Burro of Information
Revision as of 13:38, 21 April 2015 by David (talk | contribs)

cn=config

We use the cn=config (dynamic, or "online") configuration on every server in Pandora. With it the configuration lives in a special database inside slapd itself (olcDatabase={0}config), so changes made through LDAP take effect immediately, without restarting the server. In practice this means there is no single slapd.conf any more: slapd persists its configuration as a tree of LDIF files under /etc/openldap/slapd.d/ (the cn=config directory).

The quick way to make a change is to edit the relevant LDIF file under slapd.d and restart slapd. Be aware that the OpenLDAP project does not support this: every file in slapd.d carries an auto-generated header with a CRC32 of its contents, and slapd logs a checksum warning at the next start when a hand-edited file no longer matches (it still loads the file). Keep the LDIF syntax exact, including the base64 encoding (double colon) that slapd uses for some values.

If you need to make a change without restarting the server, use ldapmodify to change the cn=config database. I haven't done this, but it is possible and should be documented here when someone does it.


Dumping/Restoring Configs

Warning: make sure slapd has been stopped before running any of the slap* tools (slapcat, slapadd, etc.). slapadd in particular writes to the database files directly and must never be run against a database that a live slapd has open.

To dump the cn=config database (database number 0) into a portable LDIF file, use the following. Treat the dump as a secret: it contains the olcRootPW hashes and any olcSyncrepl replication credentials in clear.

slapcat -n0 -F /etc/openldap/slapd.d > /tmp/config-in-portable-format.ldif

To restore, /etc/openldap/slapd.d must exist and be empty. Move the old directory aside rather than deleting it, so you can put it back if something goes wrong. slapadd is run as root, so afterwards chown the directory to the user slapd runs as (ldap:ldap on RHEL/CentOS), otherwise slapd cannot read or update its own configuration.

slapadd -n0 -F /etc/openldap/slapd.d -l /tmp/config-in-portable-format.ldif
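The dump and restore procedure above, written out as an added example (this is not the wiki's or the OpenLDAP project's own script) with the guards an operator wants: refuse to run while slapd is up, keep the dump unreadable to other users, move the old slapd.d aside instead of deleting it, and hand the restored directory to the service user. The slapd.d path follows the page; the service user ldap:ldap and the pidfile location are assumptions for a RHEL/CentOS install and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the wiki page: guarded backup/restore of cn=config.
# Paths follow the page; the service user/group (ldap:ldap) and the pidfile
# location are assumptions for a RHEL/CentOS install.
SLAPD_D=${SLAPD_D:-/etc/openldap/slapd.d}
SLAPD_USER=${SLAPD_USER:-ldap}
SLAPD_GROUP=${SLAPD_GROUP:-ldap}
SLAPD_PIDFILE=${SLAPD_PIDFILE:-/var/run/openldap/slapd.pid}

# 0 if the pidfile names a live process. Run as root: kill -0 on another
# user's process fails with EPERM otherwise. slapadd must never touch a live db.
slapd_running() {
    [ -r "$SLAPD_PIDFILE" ] || return 1
    pid=$(cat "$SLAPD_PIDFILE") && kill -0 "$pid" 2>/dev/null
}

# 0 if the directory exists and holds nothing, dotfiles included.
confdir_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# Dump database 0 (cn=config) to a timestamped LDIF created mode 0600: the dump
# holds olcRootPW hashes and any olcSyncrepl credentials in clear. Prints the name.
backup_config() {
    out=${1:-/root/cn-config-$(date +%Y%m%d-%H%M%S).ldif}
    if slapd_running; then
        echo "refusing to dump: slapd is running" >&2
        return 1
    fi
    ( umask 077 && slapcat -n0 -F "$SLAPD_D" -l "$out" ) || return 1
    printf '%s\n' "$out"
}

# Rebuild slapd.d from a dump. The old directory is moved aside, never deleted,
# and the result is handed to the slapd user because slapadd ran as root.
restore_config() {
    ldif=$1
    [ -r "$ldif" ] || { echo "cannot read $ldif" >&2; return 1; }
    if slapd_running; then
        echo "refusing to restore: slapd is running" >&2
        return 1
    fi
    if [ -d "$SLAPD_D" ] && ! confdir_empty "$SLAPD_D"; then
        mv "$SLAPD_D" "$SLAPD_D.bak-$(date +%Y%m%d-%H%M%S)" || return 1
    fi
    mkdir -p "$SLAPD_D" || return 1
    slapadd -n0 -F "$SLAPD_D" -l "$ldif" || return 1
    chown -R "$SLAPD_USER:$SLAPD_GROUP" "$SLAPD_D" && chmod 750 "$SLAPD_D"
}

# Usage: sh slapd-config.sh backup [file]   or   sh slapd-config.sh restore file
case ${1:-} in
    backup)  backup_config "$2" ;;
    restore) restore_config "$2" ;;
esac
```

Run it as root with slapd stopped, exactly as the warning above says; the two refusal checks are there to catch the case where someone forgot.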

New Server

The easiest way to build out a server is to bring over an LDIF dumped from another server's cn=config (see above) and slapadd it into the empty slapd.d. In our experience the root password hash does not survive the import, so regenerate it as described below. Taking a backup of slapd.d in its clean state is good practice, but not strictly necessary, since that state is just the default install.

Changing the admin passwords

To change an administrative password, generate a hash with slappasswd and then put it into the online configuration database as the olcRootPW of the relevant database.

First create a new password hash like so (slappasswd prompts for the password; do not pass it with -s on the command line, which leaves it in shell history and visible to other users in ps):

[root@ugo-dsp-ldap-01 ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}dQ1XbAEnEjqiRhWQ2NlytCjLKTEVteVy

There are two administrative identities in this setup. cn=Manager, the olcRootDN of the data database (olcDatabase={2}bdb), has full access to the directory. The rootdn of olcDatabase={0}config can modify OpenLDAP's own configuration, either with LDIFs fed to ldapmodify or with an LDAP editor such as Apache Directory Studio.

To change the Manager password, edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif (the backslashes are shell escaping of the literal directory and file names) and look for these two lines:

olcRootDN: cn=Manager,dc=ugo-wallet,dc=com
olcRootPW:: e1NTSEF9OE9QWWhJbTFTNUhiU3l5WU53b25CcFJHNnRCanFwQjg=

Note the double colon: slapd writes olcRootPW base64 encoded in slapd.d, and the value above decodes to {SSHA}8OPYhIm1S5HbSyyYNwonBpRG6tBjqpB8, an ordinary slappasswd hash. Replace the whole line with your new hash in plain form, after a single colon:

olcRootPW: {SSHA}dQ1XbAEnEjqiRhWQ2NlytCjLKTEVteVy

Do not paste a raw {SSHA} hash after the double colon: slapd will try to base64 decode it and fail to load the file. Restart slapd afterwards, since hand edits only take effect at startup.

To change the cn=config password, edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif and modify its olcRootPW entry the same way. On a stock RHEL/CentOS install that database has no olcRootPW at all; it is administered as root over ldapi:/// with SASL EXTERNAL, and you add an olcRootPW line only if you also want a password on it.
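The same password change done the supported way, through the running server with ldapmodify, covers both the "change without restarting" case mentioned under cn=config and the two olcRootPW edits above. This is an added example, not the wiki's or the OpenLDAP project's own script. It assumes slapd listens on ldapi:/// and that the local root user is mapped to the config rootdn through SASL EXTERNAL (the stock RHEL/CentOS olcAccess on {0}config); the DNs used as defaults are the ones on this page, and the file and function names are mine.

```shell
#!/bin/sh
# Added example, not from the wiki page: rotate an olcRootPW through the running
# server with ldapmodify instead of editing the slapd.d files by hand.
# Assumptions: slapd listens on ldapi:///, and root on the box is mapped to the
# config rootdn via SASL EXTERNAL (the stock RHEL/CentOS olcAccess on {0}config).
LDAP_URI=${LDAP_URI:-ldapi:///}

# Hash a password the way slappasswd does, reading it from a file instead of -s
# so the cleartext never appears in ps or shell history. Write the file with
# printf '%s' (no trailing newline): -T hashes the file contents byte for byte.
make_hash() {
    slappasswd -h '{SSHA}' -T "$1"
}

# Show an olcRootPW line from a slapd.d file in plain {SCHEME}hash form. slapd
# writes the attribute base64 encoded behind a double colon.
decode_rootpw_line() {
    line=$1
    case $line in
        "olcRootPW:: "*) printf '%s' "${line#"olcRootPW:: "}" | base64 -d || return 1; echo ;;
        "olcRootPW: "*)  printf '%s\n' "${line#"olcRootPW: "}" ;;
        *) echo "not an olcRootPW line" >&2; return 1 ;;
    esac
}

# Build the modify record. Anything without a {SCHEME} prefix is refused so a
# cleartext password cannot end up in olcRootPW by mistake (and is not echoed).
root_pw_ldif() {
    dn=$1
    hash=$2
    case $hash in
        "{"*"}"*) ;;
        *) echo "refusing: value is not a {SCHEME} hash, run slappasswd first" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$dn" "$hash"
}

# Apply it over ldapi with the OS identity: no password prompt, no restart.
# "replace" also adds the attribute when the database has no olcRootPW yet.
set_root_pw() {
    ldif=$(root_pw_ldif "$1" "$2") || return 1
    printf '%s\n' "$ldif" | ldapmodify -Q -Y EXTERNAL -H "$LDAP_URI"
}

# Prove the new credential works: simple bind as the rootdn with the password file.
check_root_bind() {
    ldapwhoami -x -H "$LDAP_URI" -D "$1" -y "$2"
}

# End to end for the Manager account on this page: hash, apply, verify.
# $1 = password file, $2 = config DN of the database, $3 = its rootdn.
rotate_root_pw() {
    pwfile=$1
    dbdn=${2:-"olcDatabase={2}bdb,cn=config"}
    rootdn=${3:-"cn=Manager,dc=ugo-wallet,dc=com"}
    hash=$(make_hash "$pwfile") || return 1
    set_root_pw "$dbdn" "$hash" || return 1
    check_root_bind "$rootdn" "$pwfile"
}
```

For the config database call rotate_root_pw with olcDatabase={0}config,cn=config and that database's olcRootDN (typically cn=config). Because the change goes through slapd, the CRC32 headers in slapd.d stay valid and nothing needs restarting; the final ldapwhoami is the check that the new hash actually binds before you close your root session.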