
ApplicationNotes/LdapNotes


1. LDAP Notes

1.1. Rebuilding Indexes

The best way to rebuild the index (which you need to do if you add an index for a new attribute) is:

  1. Put the directory into read-only mode, so the back-end database can be copied and the directory brought back on-line while the re-indexing is happening.

    1. Edit slapd.conf and add readonly on to your database configuration, so that no external process makes modifications while you take the copy.

    2. Restart slapd (now running read-only).

    3. Copy your ldap directory, say, to ldap.new.

  2. Re-index the directory using the off-line copy of the database:

    1. Make a copy of your slapd.conf and change it to use the ldap.new directory and add whatever new index settings are necessary.

    2. Run slapindex with the new config file.

  3. Bring the re-indexed off-line data on-line and move the old data out of the way:

    1. Rename ldap directory to something else, e.g. ldap.old. (Due to the magic of UNIX filehandles, this should not interrupt the running slapd.)

    2. Rename ldap.new to ldap.

    3. Edit slapd.conf to remove the readonly on option and change the database directory back to ldap.

    4. Restart slapd.

NB: This is relevant to OpenLDAP 2.0.27
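The procedure above as one script, added here as an example (it is not part of the original notes). It runs slapd read-only while the copy is taken, indexes the copy with a config that points at it, swaps the directories and goes back to read-write with the new index lines in place. The config path, database directory, slapd user, restart command and the assumption of a single database section in slapd.conf are all placeholders to adapt:

```sh
#!/bin/sh
# Added example of the re-indexing procedure; not from the page itself.
# Rebuilds the indexes of an OpenLDAP 2.0 database from an offline copy while
# slapd keeps answering queries read-only.  The values below are assumptions:
# config path, database directory, the user slapd runs as, the restart
# command, and a slapd.conf whose last section is the (only) database.
set -eu

SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}
LDAP_DIR=${LDAP_DIR:-/var/lib/ldap}        # the 'directory' line in slapd.conf
SLAPD_USER=${SLAPD_USER:-ldap}             # owner of the database files
RESTART=${RESTART:-/etc/init.d/ldap restart}

# Copy of a slapd.conf with 'readonly on' inserted right after the database line.
make_readonly_conf() {   # $1 = slapd.conf
    sed '/^database/a\
readonly on' "$1"
}

# Copy of a slapd.conf with the given 'index ...' lines appended (they are
# database directives, so this assumes the last section is the database).
add_index_lines() {      # $1 = slapd.conf, $2.. = index lines
    cat "$1"; shift
    for line in "$@"; do printf '%s\n' "$line"; done
}

# Rewrite the 'directory' line of a slapd.conf read from stdin.
set_directory() {        # $1 = new database directory
    sed "s|^\([[:space:]]*directory[[:space:]]\{1,\}\).*|\1$1|"
}

# The whole procedure: needs root, and slapd must currently be running.
reindex_online() {       # $@ = new 'index ...' lines, e.g. 'index mail eq,sub'
    orig=$(mktemp); cp "$SLAPD_CONF" "$orig"
    work=$(mktemp)

    # 1. switch slapd to read-only so the copy is consistent
    make_readonly_conf "$orig" > "$SLAPD_CONF"
    $RESTART
    cp -pR "$LDAP_DIR" "$LDAP_DIR.new"

    # 2. index the copy with a config that points at it and has the new lines
    add_index_lines "$orig" "$@" | set_directory "$LDAP_DIR.new" > "$work"
    slapindex -f "$work"

    # 3. swap directories; slapd keeps its open file handles on the old one
    mv "$LDAP_DIR" "$LDAP_DIR.old"
    mv "$LDAP_DIR.new" "$LDAP_DIR"
    # slapindex run as root leaves root-owned index files that slapd cannot
    # open later, which surfaces as "No such object (32)" on every search
    chown -R "$SLAPD_USER" "$LDAP_DIR"

    # 4. back to read-write with the new index lines in place
    add_index_lines "$orig" "$@" > "$SLAPD_CONF"
    $RESTART
    rm -f "$orig" "$work"
}
```

Usage: source the file and run reindex_online 'index mail eq,sub' 'index sn eq' as root. The old database is left in ldap.old so it can be put back by reversing the two mv calls if the re-indexed copy turns out to be broken.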

1.2. Replication

This is a basic setup. Enhancements can be made to it once the basics are in place.

  1. Add an entry for the replicator to bind as. I use cn=Replicator,dc=example,dc=com. The person objectClass seems to be a good choice, because it's simple and has the userPassword attribute.

  2. Restart the master slapd in read-only mode (readonly on, as in the re-indexing procedure above), so the copy you take next is consistent.

  3. Tar up the ldap directory, copy it to the slave servers (assuming they're all the same build of OpenLDAP) and untar it into the ldap directory on each slave.

  4. Copy any external schema files and the slapd.conf from the master to the slaves.

  5. On the master, enable the replogfile line in slapd.conf and add the following stanza for each slave (the credentials are stored in clear text, so slapd.conf must not be readable by anyone but root and the slapd user):

    replica host=ldap-slave1.example.com:389
            binddn="cn=Replicator,dc=example,dc=com"
            bindmethod=simple credentials=secret
    

  6. Create an ACL in the slave's slapd.conf that allows the Replicator to write everywhere. Something like this, but note that a matching access directive is final and ends in an implicit by * none, so on its own this clause would deny every other client: keep your normal by clauses (e.g. by * read) in the same stanza, and put the stanza last, because the first access to that matches wins:

    access to *
        by dn="cn=Replicator,dc=example,dc=com" write
    

  7. Add updatedn and updateref to slapd.conf on the slave. The former is the Replicator DN and the latter the URL of the master (e.g., ldap://master-ldap.example.com); the slave then accepts modifications only from that DN and refers any other write attempt to the master.

  8. Start the slave slapd servers.

  9. Restart the master in read-write mode (remove readonly on again).

  10. Do some tests to make sure things work, e.g. modify an entry on the master and search for the change on each slave.
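Steps 4 to 7 as a script, added here as an example (not from the original notes): one function writes the master's slapd.conf with the replog and a replica stanza per slave, the other derives a slave's slapd.conf from the master's file. Host names, the replicator DN, the password and all paths are placeholders. The slave ACL is the one from step 6 with two additions a practitioner wants: a by * read clause, since access to * with only the replicator clause would lock everyone else out (implicit by * none), and a separate rule that keeps userPassword out of reach of ordinary readers:

```sh
#!/bin/sh
# Added example, not from the page: generate the master and slave slapd.conf
# for the slurpd-style replication described above.  Host names, DNs, paths
# and the replicator's password are placeholders.
set -eu

# Master: keep the existing config, turn on the replication log and add one
# 'replica' stanza per slave.  The credentials are stored in clear text, so
# the file must be readable by root and the slapd user only (mode 0600).
make_master_conf() {   # $1 = slapd.conf, $2 = replog path, $3 = replicator DN,
                       # $4 = replicator password, $5.. = slave host names
    conf=$1 replog=$2 dn=$3 pw=$4; shift 4
    cat "$conf"
    printf 'replogfile %s\n' "$replog"
    for host in "$@"; do
        printf 'replica host=%s:389\n\tbinddn="%s"\n\tbindmethod=simple credentials=%s\n' \
            "$host" "$dn" "$pw"
    done
}

# Slave: start from the master's file (step 4), drop the directives that only
# belong on the master (assumes the multi-line stanza form written above),
# name the replicator as updatedn, refer all other writes to the master, and
# add the ACLs.  Two things to get right:
#  - a matching 'access to' directive is final and ends in an implicit
#    'by * none', so 'access to *' with only the replicator clause would lock
#    everyone else out; hence the 'by * read' and the separate password rule
#  - the first matching 'access to' wins, so the catch-all goes last
# 'attr=' is the 2.0 spelling of the attribute selector; 2.1 and later write 'attrs='.
make_slave_conf() {    # $1 = master slapd.conf, $2 = replicator DN, $3 = master URL
    sed -e '/^replogfile/d' -e '/^replica /,/credentials=/d' "$1"
    printf 'updatedn "%s"\nupdateref %s\n' "$2" "$3"
    printf 'access to attr=userPassword\n\tby dn="%s" write\n\tby self write\n\tby * auth\n' "$2"
    printf 'access to *\n\tby dn="%s" write\n\tby * read\n' "$2"
}
```

Usage: make_master_conf /etc/openldap/slapd.conf /var/lib/ldap/replog 'cn=Replicator,dc=example,dc=com' secret ldap-slave1.example.com > slapd.conf.master, then make_slave_conf slapd.conf.master 'cn=Replicator,dc=example,dc=com' ldap://master-ldap.example.com > slapd.conf.slave and install each file with mode 0600.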

1.3. OpenLDAP Index Options

The precise meanings of the index options pres, eq, approx and sub are somewhat elusive; the OpenLDAP Administrator's Guide is not particularly illuminating and the FAQ-O-Matic is similarly bereft. Understanding and Deploying LDAP Directory Services has a table in the section on filtering that briefly describes the different search types.

Here are the meanings as I understand them:

  1. pres -- A search for the presence of a particular attribute, e.g., '(objectClass=*)'

  2. eq -- A search for a particular attribute with a particular value, e.g., '(uid=bjensen)'

  3. approx -- A "sounds like" search, like SOUNDEX in SQL. I've never actually seen this one used, but it would look something like '(sn~=Jensen)'.

  4. sub -- This is a search for particular substrings. Because certain types of substring searches are performed more than others, this option can be decomposed into three sub-options. If you only specify sub, you get indexes for all three.

    1. subinitial -- A search for an attribute with matching string at the beginning, e.g., '(mail=bje*)'.

    2. subany -- A search for text between two wildcards, e.g., '(sn=*ens*)'. Note that in a filter like '(sn=j*sen)' the pieces are an initial substring 'j' and a final substring 'sen', so it is served by subinitial and subfinal rather than subany.

    3. subfinal -- A search for an attribute with matching string at the end, e.g., '(mail=*.com)'.

  5. autolang -- A special option to maintain separate indices for separate language types. (NB, just paraphrased the man page--not too sure about it.)

  6. subtypes -- A special option to allow use of the index by named subtypes. (NB, just paraphrased the man page--not too sure about it.)

  7. autosubtypes -- A special option to automatically create separate indexes for separate subtypes. (NB, just paraphrased the man page--not too sure about it.)
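The mapping above turned into a small tool, added here as an example (not part of the original notes): it classifies the components of LDAP search filters by the index type they need and aggregates a batch of filters, for instance the ones grepped out of a slapd log, into index lines. The substring split follows the filter grammar: text before the first wildcard is an initial piece, text after the last one a final piece, and only text between two wildcards needs subany. Ordering and extensible matches are reported as "other" since none of these index types covers them. The output uses the split names from the list; if your slapd.conf(5) only accepts sub, use sub for any of the three.

```sh
#!/bin/sh
# Added example, not from the page: classify the components of LDAP search
# filters by slapd index type and turn a batch of filters into 'index' lines.
set -eu

classify_component() {   # $1 = one "(attr op value)" component, prints "attr type" lines
    comp=${1#\(}; comp=${comp%\)}
    case "$comp" in
        *~=*)  printf '%s approx\n' "${comp%%~=*}"; return ;;
        *">="*|*"<="*|*:=*)                          # ordering / extensible: not indexed by these types
               printf '%s other\n' "${comp%%[<>:=]*}"; return ;;
        *=*)   ;;
        *)     printf '%s other\n' "$comp"; return ;;
    esac
    attr=${comp%%=*}; val=${comp#*=}
    case "$val" in
        '*')   printf '%s pres\n' "$attr"; return ;;    # presence: (attr=*)
        *\**)  ;;                                        # substring, handled below
        *)     printf '%s eq\n' "$attr"; return ;;      # equality
    esac
    # substring pieces: before the first '*' -> initial, after the last '*' -> final,
    # anything between two '*' -> any
    case "$val" in \**) ;; *) printf '%s subinitial\n' "$attr" ;; esac
    case "$val" in *\*) ;; *) printf '%s subfinal\n' "$attr" ;; esac
    rest=${val#*\*}                                          # text after the first '*'
    case "$rest" in *\**) inner=${rest%\**} ;; *) inner= ;; esac   # ... up to the last '*'
    case "$inner" in *[!*]*) printf '%s subany\n' "$attr" ;; esac
}

classify_filter() {      # $1 = full filter, possibly compound: (&(objectClass=person)(mail=bje*))
    printf '%s\n' "$1" | grep -o '([^()]*)' | while read -r c; do
        classify_component "$c"
    done
}

suggest_index() {        # $@ = filters; prints one 'index <attr> <types>' line per attribute
    for f in "$@"; do classify_filter "$f"; done |
        grep -v ' other$' | sort -u |
        awk '$1 != prev { if (prev != "") print "index", prev, types; prev = $1; types = $2; next }
             { types = types "," $2 }
             END { if (prev != "") print "index", prev, types }'
}
```

Usage: suggest_index '(&(objectClass=person)(mail=bje*))' '(mail=bjensen@example.com)' prints index mail eq,subinitial and index objectClass eq. A search type that is used but has no matching index line makes slapd scan the whole database, so the filters worth feeding in are the ones the application actually sends.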

1.4. Errors


slapindex fails with message could not open database

This can happen for several reasons, the obvious ones being slapd.conf not being in the default place (and -f not being given). However, the man page says:
      Your  slapd(8)  should  not  be  running (at least, not in
      read-write mode) when you do this to ensure consistency of
      the database.

Which would make you think that you can add readonly on to slapd.conf, restart slapd, and then run slapindex. However, this doesn't work and results in the error above; that is why the re-indexing procedure in section 1.1 runs slapindex against a copy of the database in a separate directory.


TLS certificate verification: Error, self signed certificate

By default the client tools verify the server's certificate and reject a self-signed one. The quick fix is TLS_REQCERT allow in /etc/openldap/ldap.conf, but that makes the client accept whatever certificate the server presents (as does never), so the TLS connection no longer protects against a man-in-the-middle. The better fix is to leave TLS_REQCERT at its default of demand and point TLS_CACERT in ldap.conf at the self-signed certificate (or at the CA certificate that signed the server's), so that it verifies.


ldap_sasl_interactive_bind_s: No such object (32)

Use -x with whichever ldap* command you're running. The CLI tools try a SASL bind by default, which takes some special setup; -x forces a simple bind.


result: 32 No such object

You're searching for everything or anything and you find nothing. You know there's data in the directory and the command parameters are correct. Check your database files! This will happen if the permissions are wrong and slapd is unable to open the database files. It happens more often than you think; be careful, for example, when setting up slave servers, restoring after an upgrade or failure, or running slapindex (run as root, it creates index files owned by root that the slapd user cannot open).


WilCooley