OpenLDAP Quick Tips: Switch to the dynamic config backend (cn=config)
Hi All,
Here's my 12th tip in the "OpenLDAP Quick Tips" series:
"You want to switch from slapd.conf to the configuration backend to slapd":
The config backend is backward compatible with the older slapd.conf(5)
file but provides the ability to change the configuration dynamically
at runtime. If slapd is run with only a slapd.conf file dynamic changes
will be allowed but they will not persist across a server restart.
Dynamic changes are only saved when slapd is running from a slapd.d
configuration directory.
The following should be getting you very excited:
provides the ability to change the configuration dynamically
at runtime.
"What, I don't need to restart my directory server if I make config changes?"
Not only that, but you can do cool things like promoting/switching a slave directory server to a master server on the fly! (that's one for another tip though).
To start, we will simply show you how to convert an existing fully configured slapd.conf to the slapd.d format.
It's worth mentioning, if you missed it above, that you can already make runtime changes if you have the cn=config rootpw set, as changes must be made as that user. When you make a config change over LDAP, it takes effect immediately but is lost on a restart, because slapd.conf is read again. This is useful, though, if you always want to start from a known config and only make runtime changes when needed.
Here, try this:
CODE:
[ghenry@suretec ]$ ldapsearch -x -b 'cn=config'
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf
olcConfigDir: slapd.d
olcArgsFile: /usr/local/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
Before we convert, add this to the bottom of your existing slapd.conf file, because you can't make changes without a password configured (use slappasswd later to hash the password rather than leaving it in cleartext):
CODE:
# Dynamic Config
database config
rootpw secret
To convert to the new format do:
CODE:
cd /usr/local/etc/openldap
mkdir slapd.d
/usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf -F slapd.d
The directory created looks like:
CODE:
[ghenry@suretec ]$ ls slapd.d/
cn=config cn=config.ldif
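The stanza and conversion steps above, wrapped in a small script as an added example (not the author's code): it appends the "database config" stanza only if slapd.conf does not already declare one, stores the rootpw in the {SSHA} form that slappasswd emits by default instead of the cleartext "secret", then creates slapd.d and runs slaptest. It assumes the /usr/local paths used in the post.

```python
"""Prepare slapd.conf for the slaptest conversion from the post: append the
'database config' stanza with an {SSHA} rootpw, make slapd.d, run slaptest."""
import base64, getpass, hashlib, hmac, os, secrets, subprocess, sys
from typing import List, Optional

SLAPTEST = "/usr/local/sbin/slaptest"   # path used in the post (assumption: /usr/local install)

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value as slappasswd(8) emits by default: base64(SHA1(pw+salt)+salt)."""
    salt = secrets.token_bytes(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; the salt is whatever follows the 20 digest bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

def add_config_database(conf_text: str, rootpw_hash: str) -> str:
    """Append the stanza from the post unless slapd.conf already declares a config database."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "database" and parts[1].lower() == "config":
            return conf_text  # already there; a duplicate database stanza would break slaptest
    sep = "" if not conf_text or conf_text.endswith("\n") else "\n"
    return conf_text + sep + "\n# Dynamic Config\ndatabase config\nrootpw " + rootpw_hash + "\n"

def slaptest_command(conf_path: str, conf_dir: str) -> List[str]:
    """argv for the conversion step in the post (-f old file, -F new directory)."""
    return [SLAPTEST, "-f", conf_path, "-F", conf_dir]

if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/openldap/slapd.conf"
    conf_dir = os.path.join(os.path.dirname(conf), "slapd.d")
    with open(conf) as fh:
        text = fh.read()
    with open(conf, "w") as fh:  # keep a backup copy of slapd.conf before running this
        fh.write(add_config_database(text, ssha_hash(getpass.getpass("cn=config rootpw: "))))
    os.makedirs(conf_dir, exist_ok=True)
    subprocess.run(slaptest_command(conf, conf_dir), check=True)
```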
You can edit those files prior to startup if you like also, but you have now converted to the new format.
If you created the slapd.d directory in the default place, slapd will automatically ignore the old slapd.conf and use the new config backend in slapd.d. This is clearly stated in the man page:
-F slapd-config-directory
Specifies the slapd configuration directory. The default is
/usr/local/etc/openldap/slapd.d. If both -f and -F are specified,
the config file will be read and converted to config
directory format and written to the specified directory. If
neither option is specified, slapd will attempt to read the
default config directory before trying to use the default config
file. If a valid config directory exists then the default config
file is ignored. All of the slap tools that use the config
options observe this same behavior.
You can also just point slapd as normal to the new directory with the -F option.
In another tip we will talk about making changes to this backend using normal LDAP operations.
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Trackbacks
The Suretec Blog on : OpenLDAP Quick Tips: Change loglevels on the fly!
Hi All, Here's the 15th tip in the "OpenLDAP Quick Tips" series: "You want to change your OpenLDAP loglevel to get more information, but can't take your directory server offline": If you've been following the OpenLDAP Quick Tips series, you would
Comments
Ayman Tahboub on :
or what do you think?
I am using OpenLDAP 2.4.17, on Solaris 10 x86
thanks a lot
/ayman
Gavin Henry on :
Please file an ITS for this and mention the steps you took to test it. You shouldn't need a restart:
http://www.openldap.org/its
Also please test on 2.4.21
Thanks.