
OpenLDAP Quick Tips: Switch to the dynamic config backend (cn=config)

Hi All,

Here's my 12th tip in the "OpenLDAP Quick Tips" series:

"You want to switch slapd from slapd.conf to the configuration backend (cn=config)":

The config backend is backward compatible with the older slapd.conf(5)
file but provides the ability to change the configuration dynamically
at runtime. If slapd is run with only a slapd.conf file dynamic changes
will be allowed but they will not persist across a server restart.
Dynamic changes are only saved when slapd is running from a slapd.d
configuration directory.

The following should get you very excited:

provides the ability to change the configuration dynamically
at runtime.

"What, I don't need to restart my directory server if I make config changes?"

Not only that, but you can do cool things like promoting/switching a slave directory server to a master server on the fly! (that's one for another tip though).

To start, we will simply show you how to convert an existing fully configured slapd.conf to the slapd.d format.

It's worth mentioning, if you missed it above, that you can already do this if you have the cn=config user password set, as changes must be made via that user. When you make a config change over LDAP, it will take effect immediately but will not survive a restart, as slapd.conf gets read again. This is useful though if you always want to start from a known config and just make runtime changes when needed.

Here, try this:

[ghenry@suretec ]$ ldapsearch -x -b 'cn=config'
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf
olcConfigDir: slapd.d
olcArgsFile: /usr/local/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2

Before we convert, add this to the bottom of your existing slapd.conf file, because you can't make changes without a password configured (use slappasswd later to hash the password rather than leaving it in cleartext):

# Dynamic Config
database config
rootpw secret

To convert to the new format do:

cd /usr/local/etc/openldap
mkdir slapd.d
/usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf -F slapd.d
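As an added example (not from the original post), the following Python script hardens the "rootpw secret" line the tip appends before slaptest converts the file: it locates the rootpw that belongs to the "database config" section, ignoring rootpw lines of other databases, and replaces a cleartext value with an {SSHA} hash laid out the way slappasswd produces it. The sample slapd.conf tail is constructed for the example.

```python
import base64
import hashlib
import os
import re

# Constructed sample slapd.conf tail (not from the post): a bdb database with an
# already-hashed rootpw, then the "database config" section the tip appends.
SAMPLE_CONF = """\
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}placeholder-not-a-real-hash

# Dynamic Config
database config
rootpw secret
"""

def ssha_hash(password, salt=None):
    # Same layout slappasswd -h {SSHA} emits: base64(SHA1(pw + salt) + salt).
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def find_config_rootpw(conf):
    # (line_no, value) of the rootpw under "database config"; rootpw lines of
    # other databases are skipped. None if the section has no rootpw.
    in_config = False
    for no, line in enumerate(conf.splitlines(), 1):
        text = line.strip()
        db = re.match(r"database\s+(\S+)", text)
        pw = re.match(r"rootpw\s+(.+)", text)
        if db:
            in_config = db.group(1) == "config"
        elif in_config and pw:
            return no, pw.group(1).strip().strip('"')
    return None

def harden_config_rootpw(conf):
    # Replace a cleartext config rootpw with its {SSHA} hash; keep a hashed one.
    found = find_config_rootpw(conf)
    if found is None:
        raise ValueError("no rootpw under 'database config': cn=config edits would be refused")
    no, value = found
    if value.startswith("{"):
        return conf
    lines = conf.splitlines()
    lines[no - 1] = "rootpw\t\t" + ssha_hash(value)
    return "\n".join(lines) + "\n"
```

Run harden_config_rootpw over the real file's contents and write the result back before running slaptest, so the converted slapd.d never contains the cleartext password.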

The directory created looks like:

[ghenry@suretec ]$ ls slapd.d/
cn=config  cn=config.ldif

You can edit those files prior to startup if you like also, but you have now converted to the new format.

If you created the slapd.d directory in the default place, then slapd will automatically ignore the old slapd.conf and use the new config backend slapd.d. This is clearly stated in the man page:

-F slapd-config-directory
    Specifies the slapd configuration directory. The default is
    /usr/local/etc/openldap/slapd.d. If both -f and -F are specified,
    the config file will be read and converted to config directory
    format and written to the specified directory. If neither option
    is specified, slapd will attempt to read the default config
    directory before trying to use the default config file. If a valid
    config directory exists then the default config file is ignored.
    All of the slap tools that use the config options observe this
    same behavior.

You can also just point slapd as normal to the new directory with the -F option.

In another tip we will talk about making changes to this backend using normal LDAP operations.



If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.


The Suretec Blog on: OpenLDAP Quick Tips: Change loglevels on the fly!

Hi All, Here's the 15th tip in the "OpenLDAP Quick Tips" series: "You want to change your OpenLDAP loglevel to get more information, but can't take your directory server offline": If you've been following the OpenLDAP Quick Tips series, you would



Ayman Tahboub on:

I was wondering, does the RTC also support dynamic schema changes? Adding or extending schema under cn=config, or even creating a new cn=test,cn=schema,cn=config? The creation will work, but it seems that you need to restart slapd for this change to become visible.
Or what do you think?
I am using OpenLDAP 2.4.17 on Solaris 10 x86.

thanks a lot

Gavin Henry on:

Yes, it should work. The config entries are all file system based, but do run from memory also.

Please file an ITS for this and mention the steps you've done to test this. You shouldn't need a restart:

Also please test on 2.4.21

