Hello,

Back in April or May, I was trying to add and tweak a password policy, invoking a command like this multiple times:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -a -f ppolicy-overlay.ldif

This created multiple password policy overlays, and the LDAP server started to crash with some frequency.

Of course, you can not use this interface to DELETE a policy overlay, so I went about researching "hot to remove a ppolicy overlay" and go into some complicated process where you have to export the database, remove olc* entries, delete your database and re-import. My attention shifted to other priorities.

Yesterday, I turned back to the question of how to remove the duplicated ppolicy overlays and started exporting the database, but I couldn't find the ppolicy stuff in my slapcat output.

Another trip to the search mines and I discovered this gem: https://serverfault.com/a/280836/72839

While you are asked to configure stuff using an LDAP command that cannot delete duplicate policy overlays, the config data doesn't get written into the database, but just placed in plain-text files in a directory structure. Removing duplicated overlays is as simple as stop slapd, remove the files, start slapd. Similarly, you could tweak your ppolicy overlay or possibly even bootstrap new servers by merely editing the right config files in the right place.

I had been yearning for a config file, and it turns out I had them all along!

I am sharing my experience here, for the next person who finds themselves googling around, trying to figure out how to remove or tweak a config in OpenLDAP. It is nowhere near as complicated as what I had read.

Thanks, -danny