Ted Johnson wrote:
74 Hi; After about 150 hours of researching LDAP/OpenLDAP, I have finally come to the realization, among many others, that I need to build a slapd.d configuration file
That's supposed to be a directory, not a file.
, not a slapd.conf configuration file.
A slapd.conf is just fine. If you want to use the __new__ cn=config database, slapd or any other tool can generate it for you starting from slapd.conf, using simultaneously the -f and the -F switches.
There are differences, but the documentation I've read thus far unfortunately clouds the issues.
Maybe you didn't use the right documentation?
I have the following questions:
- Does someone out there in OpenLDAP-land have a slapd.d conf file
they could share?
Try "slapd -f your-slapd.conf -F your-already-existing-empty-configuration-dir"
That would help me more than the rest of these questions.
- Do I want to include LDIF schema files, or SCHEMA schema files, or both?
See above
- Which format do I use below: A or B? A) include /usr/share/openldap/schema/core.schema B) olcInclude /usr/share/openldap/schema/core.schema Or is *this* correct? C) include: file:///usr/local/etc/openldap/schema/core.ldif
See above
- What is the difference between the attributeTypes/objectClasses in
the *.schema files and the olcAttributeTypes/olcObjectClasses in the *.ldif files? What was the point in renaming them? To cut down on confusion? (I dare say it didn't.)
See above
- Do I still need an ldap.conf file?
ldap.conf never had anything to do with slapd, nor it starts now (with a __big__ exception: client-side features of slapd, like back-ldap/back-meta and slurpd/syncrepl always used and still use ldap.conf for SSL-related settings; there is work in this area to streamline things).
- Are the following still correct? pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args modulepath /usr/lib/openldap pam_ldap
pam_ldap has never been a valid slapd.conf directive
sasl-host ldap.2012.vi TLSRandFile /dev/random TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/ssl/openldap/ldap.pem TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem TLSCACertificatePath /etc/ssl/openldap/ TLSCACertificateFile /etc/ssl/cacert.pem TLSCACertificateFile /etc/ssl/openldap/ldap.pem TLSVerifyClient demand # ([never]|allow|try|demand)
a hash mark ('#') followed by text is interpreted as an argument to the command that starts the line, not as a comment (as I assume you mean it).
loglevel 256 database bdb suffix "dc=2012,dc=vi" rootdn "cn=admin,dc=2012,dc=vi" directory /var/lib/ldap index objectClass eq,pres access: to dn.base="/var/lib/ldap" by root read
No colon (':') after "access" is allowed in the "access" access control directive
database monitor
The above seems to be a collection of partially incorrect slapd.conf statements. Provided you fix what's wrong, it should be fine to generate the cn=config database following indications above. Note that you don't have to generate the cn=config database unless you intend to use it, and I suggest you don't until you understand all the implications and its general usefulness. From your message, it appears you didn't understand it yet, and you got the false perception that the traditional way of configuring slapd is no longer valid, which is absolutely not true.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------