Hi; After about 150 hours of researching LDAP/OpenLDAP, I have finally come to the realization, among many others, that I need to build a slapd.d configuration file, not a slapd.conf configuration file. There are differences, but the documentation I've read thus far unfortunately clouds the issues. I have the following questions:
* Does someone out there in OpenLDAP-land have a slapd.d conf file they could share? That would help me more than the rest of these questions.
* Do I want to include LDIF schema files, or SCHEMA schema files, or both?
* Which format do I use below: A or B?
  A) include /usr/share/openldap/schema/core.schema
  B) olcInclude /usr/share/openldap/schema/core.schema
  Or is *this* correct?
  C) include: file:///usr/local/etc/openldap/schema/core.ldif
* What is the difference between the attributeTypes/objectClasses in the *.schema files and the olcAttributeTypes/olcObjectClasses in the *.ldif files? What was the point in renaming them? To cut down on confusion? (I dare say it didn't.)
* Do I still need an ldap.conf file?
* Are the following still correct?
  pidfile /var/run/ldap/slapd.pid
  argsfile /var/run/ldap/slapd.args
  modulepath /usr/lib/openldap
  pam_ldap
  sasl-host ldap.2012.vi
  TLSRandFile /dev/random
  TLSCipherSuite HIGH:MEDIUM:+SSLv2
  TLSCertificateFile /etc/ssl/openldap/ldap.pem
  TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
  TLSCACertificatePath /etc/ssl/openldap/
  TLSCACertificateFile /etc/ssl/cacert.pem
  TLSCACertificateFile /etc/ssl/openldap/ldap.pem
  TLSVerifyClient demand # ([never]|allow|try|demand)
  loglevel 256
  database bdb
  suffix "dc=2012,dc=vi"
  rootdn "cn=admin,dc=2012,dc=vi"
  directory /var/lib/ldap
  index objectClass eq,pres
  access: to dn.base="/var/lib/ldap" by root read
  database monitor
Pulling my hair out, Ted
Ted Johnson wrote:
> Hi; After about 150 hours of researching LDAP/OpenLDAP, I have finally come to the realization, among many others, that I need to build a slapd.d configuration file
That's supposed to be a directory, not a file.
> , not a slapd.conf configuration file.
A slapd.conf is just fine. If you want to use the __new__ cn=config database, slapd or any other tool can generate it for you starting from slapd.conf, using simultaneously the -f and the -F switches.
> There are differences, but the documentation I've read thus far unfortunately clouds the issues.
Maybe you didn't use the right documentation?
> I have the following questions:
> - Does someone out there in OpenLDAP-land have a slapd.d conf file
> they could share?
Try "slapd -f your-slapd.conf -F your-already-existing-empty-configuration-dir"
> That would help me more than the rest of these questions.
> - Do I want to include LDIF schema files, or SCHEMA schema files, or both?
See above
> - Which format do I use below: A or B?
> A) include /usr/share/openldap/schema/core.schema
> B) olcInclude /usr/share/openldap/schema/core.schema
> Or is *this* correct?
> C) include: file:///usr/local/etc/openldap/schema/core.ldif
See above
> - What is the difference between the attributeTypes/objectClasses in
> the *.schema files and the olcAttributeTypes/olcObjectClasses in the *.ldif files? What was the point in renaming them? To cut down on confusion? (I dare say it didn't.)
See above
> - Do I still need an ldap.conf file?
ldap.conf never had anything to do with slapd, nor does it now (with a __big__ exception: client-side features of slapd, like back-ldap/back-meta and slurpd/syncrepl always used and still use ldap.conf for SSL-related settings; there is work in this area to streamline things).
> - Are the following still correct?
> pidfile /var/run/ldap/slapd.pid
> argsfile /var/run/ldap/slapd.args
> modulepath /usr/lib/openldap
> pam_ldap
pam_ldap has never been a valid slapd.conf directive.
> sasl-host ldap.2012.vi
> TLSRandFile /dev/random
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /etc/ssl/openldap/ldap.pem
> TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
> TLSCACertificatePath /etc/ssl/openldap/
> TLSCACertificateFile /etc/ssl/cacert.pem
> TLSCACertificateFile /etc/ssl/openldap/ldap.pem
> TLSVerifyClient demand # ([never]|allow|try|demand)
A hash mark ('#') followed by text is interpreted as an argument to the command that starts the line, not as a comment (as I assume you mean it).
> loglevel 256
> database bdb
> suffix "dc=2012,dc=vi"
> rootdn "cn=admin,dc=2012,dc=vi"
> directory /var/lib/ldap
> index objectClass eq,pres
> access: to dn.base="/var/lib/ldap" by root read
No colon (':') after "access" is allowed in the "access" access control directive.
> database monitor
The above seems to be a collection of partially incorrect slapd.conf statements. Provided you fix what's wrong, it should be fine to generate the cn=config database following indications above. Note that you don't have to generate the cn=config database unless you intend to use it, and I suggest you don't until you understand all the implications and its general usefulness. From your message, it appears you didn't understand it yet, and you got the false perception that the traditional way of configuring slapd is no longer valid, which is absolutely not true.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
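As an added example (not Ted's or Pierangelo's code, and not an OpenLDAP tool), the script below checks a slapd.conf for the three mistakes the reply flags (a pam_ldap line, a colon after access, a '#' comment tacked onto the end of a directive line) and then, when slaptest is installed, generates the cn=config directory with the -f/-F route the reply describes. Both configuration texts inside it are constructed for this example: the suffix and paths mirror the post, the dn.base value in the ACL is changed to a DN because dn.base takes a DN rather than a filesystem path, and bdb is kept as in the post even though OpenLDAP 2.5 and later ship mdb instead.

```shell
#!/bin/sh
# Added example: lint a slapd.conf for the mistakes named in the reply, then
# convert the corrected file to a cn=config directory with slaptest -f/-F.

# Constructed sample: the poster's file, with the three flagged lines kept as written.
BROKEN_CONF='pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
pam_ldap
TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSVerifyClient demand # ([never]|allow|try|demand)
database bdb
suffix "dc=2012,dc=vi"
directory /var/lib/ldap
access: to dn.base="dc=2012,dc=vi" by root read
database monitor'

# Constructed sample: the same file corrected. pam_ldap removed (it belongs to the
# nss/pam client, not slapd), the comment moved to its own line, the colon dropped.
# The classic .schema include is what slaptest -f/-F converts into olc* entries.
FIXED_CONF='include /usr/share/openldap/schema/core.schema
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
TLSCertificateFile /etc/ssl/openldap/ldap.pem
# TLSVerifyClient: never | allow | try | demand
TLSVerifyClient demand
database bdb
suffix "dc=2012,dc=vi"
directory /var/lib/ldap
access to dn.base="dc=2012,dc=vi" by root read
database monitor'

# lint_slapd_conf CONF_TEXT: print one line per problem; prints nothing when clean.
lint_slapd_conf() {
    printf '%s\n' "$1" | {
        n=0
        while IFS= read -r line; do
            n=$((n + 1))
            case "$line" in
                ''|'#'*) continue ;;    # blank or whole-line comment: fine
            esac
            case "$line" in
                pam_ldap*) echo "line $n: 'pam_ldap' is a client (nss/pam) setting, not a slapd.conf directive" ;;
            esac
            case "$line" in
                access:*) echo "line $n: 'access:' is not recognised; write 'access to ...' without the colon" ;;
            esac
            case "$line" in
                *' #'*) echo "line $n: '#' after a directive is an argument, not a comment; move it to its own line" ;;
            esac
        done
    }
}

# count_problems CONF_TEXT: number of problems found (0 = clean), for scripting.
count_problems() {
    lint_slapd_conf "$1" | wc -l | tr -d '[:space:]'
}

# convert_to_cn_config CONF_FILE CONF_DIR: generate slapd.d from slapd.conf.
# slaptest is the usual tool; slapd itself accepts the same -f/-F pair, as the
# reply says. Does nothing (and returns 0) when slaptest is not installed.
convert_to_cn_config() {
    conf="$1"; dir="$2"
    if ! command -v slaptest >/dev/null 2>&1; then
        echo "slaptest not installed; skipping conversion of $conf"
        return 0
    fi
    mkdir -p "$dir"
    slaptest -f "$conf" -F "$dir" && echo "cn=config written to $dir (see $dir/cn=config.ldif)"
}

# Demo: report the problems in the original, convert only a clean file.
if [ "$(count_problems "$BROKEN_CONF")" -ne 0 ]; then
    echo "problems in the original slapd.conf:"
    lint_slapd_conf "$BROKEN_CONF"
fi
WORK=$(mktemp -d)
printf '%s\n' "$FIXED_CONF" > "$WORK/slapd.conf"
if [ "$(count_problems "$FIXED_CONF")" -eq 0 ]; then
    convert_to_cn_config "$WORK/slapd.conf" "$WORK/slapd.d" || echo "conversion failed; read the slaptest output above"
fi
```

The lint is deliberately narrow: it catches only the three slip-ups named in the thread, so a clean result means "slaptest will not trip over these", not "the file is correct". slaptest remains the real check, and it needs the bdb directory to exist before it will accept the corrected file.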
openldap-software@openldap.org