Hi,
I'm new to OpenLDAP and I'm finding it hard to perform the initial configuration (a lot of the information I find online seems to pertain only to old versions of OpenLDAP, which used a different configuration system).
Anyway, I have defined a schema file with the custom attributes and object classes relevant to my domain. Starting from a fresh installation of OpenLDAP 2.4.42 running on Ubuntu 16.04, I want to configure my Slapd server to *only* consider my schema file and to ignore all the other schemas it's configured to use by default.
I thought it would be as simple as removing the old /etc/ldap/slapd.d and replacing it with the output of slaptest applied to my schema file. This doesn't work, unfortunately, because slapd refuses to start afterwards.
I apologize if this question seems basic, but I'm stuck on this very first step and I've been unable to find an up-to-date tutorial on how to configure a recent OpenLDAP server from scratch (i.e., without all the default schemas).
Thanks in advance for your kind help! Regards, Jon
On Fri, 14 Jul 2017, Jon Smark wrote:
I'm new to OpenLDAP and I'm finding it hard to perform the initial configuration (a lot of the information I find online seems to pertain only to old versions of OpenLDAP, which used a different configuration system).
Did you try the documentation available at openldap.org? By definition it's up to date...
On Fri, Jul 14, 2017 at 02:48:30PM +0000, Jon Smark wrote:
Anyway, I have defined a schema file with the custom attributes and object classes relevant to my domain. Starting from a fresh installation of OpenLDAP 2.4.42 running on Ubuntu 16.04, I want to configure my Slapd server to *only* consider my schema file and to ignore all the other schemas it's configured to use by default.
I have to assume you have good reasons for doing that; but please do consider that most applications out there are written with the existing standardized schemas in mind, and try to leverage them as much as it makes sense to.
You do most likely at least want the 'core' schema. Most things assume it is present.
I thought it would be as simple as removing the old /etc/ldap/slapd.d and replacing it with the output of slaptest applied to my schema file. This doesn't work, unfortunately, because slapd refuses to start afterwards.
The default configuration defines a bit more than just that. The template used by the installer is /usr/share/slapd/slapd.init.ldif but there are some placeholders that the maintainer scripts fill in.
The Debian/Ubuntu init script requires you to define olcPidFile at a minimum, so it can do process tracking. (You didn't explicitly say you're invoking the init script; I apologize in advance if I'm assuming incorrectly that you want to use it.)
I'm not completely sure (haven't tested recently) but I think slaptest works better on a skeleton slapd.conf that just "include"s the relevant schema than it does on the schema file itself.
I apologize if this question seems basic, but I'm stuck on this very first step and I've been unable to find an up-to-date tutorial on how to configure a recent OpenLDAP server from scratch (i.e., without all the default schemas).
http://www.openldap.org/doc/admin24/slapdconf2.html
hope this helps, Ryan
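To make the skeleton-slapd.conf approach above concrete, here is an added example (not Ryan's or the OpenLDAP project's code): a script that writes a minimal slapd.conf which "include"s only the schema files you pass it, keeps a pidfile directive (it becomes olcPidFile after conversion), and then converts it with slaptest into a fresh slapd.d. The schema paths, the /tmp targets, the example suffix and the Debian module path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write a skeleton slapd.conf that
# "include"s only the schema files you choose, then let slaptest convert it
# into a cn=config directory. All paths are assumptions for a Debian/Ubuntu
# layout; adjust them to your installation.
set -eu

# write_skeleton OUT SCHEMA...  -> writes a minimal slapd.conf to OUT
write_skeleton() {
    out=$1
    shift
    {
        # One include per schema file; nothing else is loaded implicitly
        # (apart from the attribute types slapd itself hardcodes).
        for schema in "$@"; do
            printf 'include %s\n' "$schema"
        done
        # pidfile becomes olcPidFile, which the Debian init script relies on
        # for process tracking.
        printf 'pidfile /var/run/slapd/slapd.pid\n'
        printf 'argsfile /var/run/slapd/slapd.args\n'
        printf 'modulepath /usr/lib/ldap\n'
        printf 'moduleload back_mdb\n'
        # cn=config itself, so the result can be managed over LDAP later.
        printf 'database config\n'
        printf 'rootdn "cn=admin,cn=config"\n'
        # The data backend; its directory must exist before slaptest runs.
        printf 'database mdb\n'
        printf 'suffix "dc=example,dc=com"\n'
        printf 'rootdn "cn=admin,dc=example,dc=com"\n'
        printf 'directory /var/lib/ldap\n'
    } > "$out"
}

# convert_config CONF DIR -> slaptest turns CONF into a new slapd.d at DIR
convert_config() {
    mkdir -p "$2"
    slaptest -f "$1" -F "$2"
    # Sanity checks before pointing slapd at DIR: the pidfile survived the
    # conversion, and only the schemas you included are present.
    grep -q '^olcPidFile:' "$2/cn=config.ldif"
    ls "$2/cn=config/cn=schema"
}

# Only run the conversion when explicitly asked (RUN_CONVERT=1), since it
# needs slaptest installed and write access to the target directory.
if [ "${RUN_CONVERT:-0}" = 1 ]; then
    write_skeleton /tmp/skeleton.conf \
        /etc/ldap/schema/core.schema /etc/ldap/schema/mine.schema
    convert_config /tmp/skeleton.conf /tmp/slapd.d
fi
```

core.schema is kept in the include list on purpose: cn=config entries themselves use attribute types such as cn, so dropping it tends to reproduce the "slapd refuses to start" symptom.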
Hi,
A big thanks to you and all others who replied to my original question. Sorry for my belated reply, as I was experimenting with various options as per your suggestions.
Anyway, in the end the simplest way to achieve what I wanted was to stop the existing Slapd daemon, remove the old database at /var/lib/ldap, and modify the /usr/share/slapd/slapd.conf file which is used as the master template by Debian/Ubuntu's installation scripts. The one remaining step was to invoke "dpkg-reconfigure slapd" which reconfigures the Slapd package as if it had just been installed.
Also, in the end I decided to eschew all the default schemas (even core) and just use mine. There was just too much of an impedance mismatch between them.
Best regards, Jon
On Saturday, July 15, 2017 2:16 AM, Ryan Tandy ryan@nardis.ca wrote:
On Fri, 2017-07-14 at 14:48 +0000, Jon Smark wrote:
What you need is a tool that makes the directory tree easy to navigate, like a file, so that the old docs would look more relevant. I present to you ldapvi, http://www.lichteblau.com/ldapvi/manual/, the tool that does just that. It allows you to manipulate any data presented over LDAP with your favorite text editor.
I only found two caveats: it doesn't mask passwords well, and it shows how many characters your password has instead of nothing, as it should in my opinion. The other is that a directory has to already exist; you can't use it to provision a bare directory, you have to use ldapadd to do that.
For the new schema, I bet you are talking about installing rfc2307bis, otherwise I don't understand why you want to remove any schema files because some of them are required for a functioning LDAP server. I am pretty sure you always need core.schema because it defines commonName which you always need because OLC aka cn=config uses it.
John Lewis oflameo2@gmail.com wrote:
I only found two caveats, it doesn't mask password well and it shows how many characters your password is instead of nothing like it should in my opinion.
Indeed, that is room for improvement. But it does not really matter if you authenticate using an X.509 certificate or peercred.
Jon Smark jon.smark@yahoo.com writes:
Anyway, I have defined a schema file with the custom attributes and object classes relevant to my domain. Starting from a fresh installation of OpenLDAP 2.4.42 running on Ubuntu 16.04, I want to configure my Slapd server to *only* consider my schema file and to ignore all the other schemas it's configured to use by default.
Please note that most standard attribute types are hardcoded in schema_prep.c, that is, all hashed attribute types in core.schema.
-Dieter