How to create OpenLDAP configuration database and directory tree in offline mode
In this article we set up the OpenLDAP configuration database and the LDAP directory data with the slapadd utility in offline mode.
Test Environment
Ubuntu 22.04
Creating LDAP database in Offline Mode
This method uses the slapd database tool slapadd. It is the best option when you have many thousands of entries to create, which would take an unacceptably long time to add with the online method (adding entries over the LDAP protocol with ldapadd).
slapadd reads the slapd configuration and an input file containing a text (LDIF) representation of the entries to add. For database types that support the tool, it produces the database files directly; otherwise you must use the online method.
If you prefer to watch the video, here is the YouTube video of the same step-by-step procedure outlined below.
Procedure
Step 1: Create configuration database offline
As a first step we need our slapd configuration database file ready in LDIF format. Here is my slapd.ldif file.
$ sudo cat /usr/local/etc/openldap/slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /usr/local/var/run/slapd.args
olcPidFile: /usr/local/var/run/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64

#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/local/libexec/openldap
olcModuleload: back_mdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/etc/openldap/schema/core.ldif

# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to * by * read
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#######################################################################
# LMDB database definitions
#######################################################################
#
#dn: olcDatabase=mdb,cn=config
#objectClass: olcDatabaseConfig
#objectClass: olcMdbConfig
#olcDatabase: mdb
#olcDbMaxSize: 1073741824
#olcSuffix: dc=my-domain,dc=com
#olcRootDN: cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
#olcRootPW: secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
#olcDbDirectory: /usr/local/var/openldap-data
# Indices to maintain
#olcDbIndex: objectClass eq

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=stack,dc=com
olcRootDN: cn=Manager,dc=stack,dc=com
olcRootPW: secret
olcDbDirectory: /usr/local/var/openldap-data
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Admin,dc=stack,dc=com" write
  by * none
olcAccess: to *
  by self write
  by dn.base="cn=Admin,dc=stack,dc=com" write
  by * read

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootDN: cn=config
olcMonitoring: FALSE
Once the configuration database file is ready, we test it with slapadd in dry-run mode, which reports any errors it finds without writing anything to disk.
$ sudo /usr/local/sbin/slapadd -v -u -c -n 0 -F /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif
added: "cn=config" (00000000)
added: "cn=module{0},cn=config" (00000000)
added: "cn=schema,cn=config" (00000000)
added: "cn={0}core,cn=schema,cn=config" (00000000)
added: "olcDatabase={-1}frontend,cn=config" (00000000)
added: "olcDatabase={1}mdb,cn=config" (00000000)
added: "olcDatabase={2}monitor,cn=config" (00000000)
Closing DB...
Options
-n 0: selects database number 0, which is the cn=config configuration database itself
-F: the slapd.d configuration directory that slapadd populates from the LDIF file
-u: tells slapadd to run in test (or dry-run) mode
-c: tells slapadd to keep processing the file even if it hits a bad record
Once the test succeeds we run the same command without “-u” and “-c” to actually create our configuration database in offline mode. This is called offline mode because slapadd does not use the LDAP protocol to talk to a running LDAP server; it works directly on the LDAP directory database locations and files.
$ sudo /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif
Step 2: Add database entries using slapadd
In this step we add data to our LDAP directory. We first create our directory tree data in LDIF format as shown below.
$ cat /home/ubadmin/ldapfiles/stack.com.ldif
dn: dc=stack,dc=com
objectclass: dcObject
objectclass: organization
o: stack company
dc: stack

dn: cn=Manager,dc=stack,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=Admin,dc=stack,dc=com
objectclass: organizationalRole
cn: Admin

dn: ou=devops,dc=stack,dc=com
objectclass: organizationalUnit
ou: devops

dn: cn=mark,ou=devops,dc=stack,dc=com
objectclass: person
cn: mark
sn: m
userPassword: mark@1234

dn: cn=bob,ou=devops,dc=stack,dc=com
objectclass: person
cn: bob
sn: b
userPassword: bob@1234

dn: cn=alice,ou=devops,dc=stack,dc=com
objectclass: person
cn: alice
sn: a
userPassword: alice@1234
Once our directory data is ready in LDIF format we use the same slapadd tool to test the LDIF file in dry-run mode as shown below.
$ sudo /usr/local/sbin/slapadd -v -u -c -F /usr/local/etc/slapd.d -l /home/ubadmin/ldapfiles/stack.com.ldif
added: "dc=stack,dc=com" (00000000)
added: "cn=Manager,dc=stack,dc=com" (00000000)
added: "cn=Admin,dc=stack,dc=com" (00000000)
added: "ou=devops,dc=stack,dc=com" (00000000)
added: "cn=mark,ou=devops,dc=stack,dc=com" (00000000)
added: "cn=bob,ou=devops,dc=stack,dc=com" (00000000)
added: "cn=alice,ou=devops,dc=stack,dc=com" (00000000)
Closing DB..
If the test succeeds we load our directory data from the LDIF file without the “-c” and “-u” options as shown below.
$ sudo /usr/local/sbin/slapadd -F /usr/local/etc/slapd.d -l /home/ubadmin/ldapfiles/stack.com.ldif
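The dry run above reports syntax and schema errors, but it says nothing about a few mistakes that only surface later: an olcAccess clause that names a DN outside the database's olcSuffix (so the intended admin never matches), a cleartext userPassword or olcRootPW (which the comments in slapd.ldif itself warn against, pointing at slappasswd), or a child entry listed before its parent, which slapadd rejects. The following pre-flight checker is an added example, not code from this article or from the OpenLDAP project. It covers both the configuration LDIF from Step 1 and the directory data LDIF from Step 2. The two sample LDIF strings inside it are constructed for the example and mirror the layout of slapd.ldif and stack.com.ldif; the {SSHA} value is a placeholder, not a real hash, and the function and constant names are the example's own.

```python
"""Pre-flight linter for slapadd LDIF input (added example, not from the article).
slapadd -u catches syntax and schema errors but stays silent on an ACL naming a DN
outside the database suffix, a cleartext password, or a child listed before its parent.
Both LDIF samples below are constructed to mirror the layout of the article's files."""
import re

# Constructed cn=config sample (blank lines end records, folded ACL clauses start with
# a space); one ACL DN lies outside olcSuffix and olcRootPW is cleartext.
CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=stack,dc=com
olcRootPW: secret
olcAccess: to attrs=userPassword
  by dn.base="cn=Admin,dc=stack,dc=com" write
  by * none
olcAccess: to *
  by dn.base="cn=Admin,dc=example,dc=com" write
  by * read
"""

# Constructed directory data: bob's parent ou=qa is never defined and his password is
# cleartext; mark's value is a placeholder standing in for a slappasswd(8) hash.
DATA_LDIF = """\
dn: dc=stack,dc=com
objectclass: dcObject
dc: stack

dn: ou=devops,dc=stack,dc=com
objectclass: organizationalUnit
ou: devops

dn: cn=mark,ou=devops,dc=stack,dc=com
objectclass: person
cn: mark
sn: m
userPassword: {SSHA}PLACEHOLDER-from-slappasswd

dn: cn=bob,ou=qa,dc=stack,dc=com
objectclass: person
cn: bob
sn: b
userPassword: bob@1234
"""

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its RDN separators."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parent_dn(dn):
    return dn.split(",", 1)[1].strip() if "," in dn else ""  # '' for cn=config

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] in file order; an 'include:' record has dn=None.
    Attribute names are lower-cased; '::' base64 values are left encoded."""
    entries, record = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):  # comment line
            continue
        if raw.strip() == "" and record:  # blank line ends the record
            dn, attrs = None, {}
            for line in record:
                name, value = (s.strip() for s in line.split(":", 1))
                if name.lower() == "dn":
                    dn = value
                else:
                    attrs.setdefault(name.lower(), []).append(value)
            entries.append((dn, attrs))
            record = []
        elif raw.startswith(" ") and record:  # folded continuation line
            record[-1] += raw[1:]
        elif raw.strip():
            record.append(raw)
    return entries

def lint(entries, tree_suffix=None):
    """Return findings (empty list = clean). tree_suffix is the olcSuffix a data file
    loads into; that entry alone may lack a parent in the file."""
    findings, seen = [], set()
    root = normalize_dn(tree_suffix) if tree_suffix else None
    for dn, attrs in entries:
        if dn is None:  # include: directive, nothing to check
            continue
        # a hashed password carries a scheme tag such as {SSHA}; anything else is cleartext
        for attr in ("userpassword", "olcrootpw"):
            for value in attrs.get(attr, []):
                if not value.startswith("{"):
                    findings.append(f"{dn}: {attr} is stored in cleartext")
        # every dn.base="..." in this database's ACLs must sit under its olcSuffix
        if "olcsuffix" in attrs:
            suffix = normalize_dn(attrs["olcsuffix"][0])
            for acl in attrs.get("olcaccess", []):
                for who in re.findall(r'dn\.base="([^"]*)"', acl):
                    nwho = normalize_dn(who)
                    if who and nwho != suffix and not nwho.endswith("," + suffix):
                        findings.append(f"{dn}: ACL names {who}, outside olcSuffix {suffix}")
        # slapadd rejects an entry whose parent has not been added yet
        parent = parent_dn(dn)
        if parent and normalize_dn(dn) != root and normalize_dn(parent) not in seen:
            findings.append(f"{dn}: parent {parent} does not appear earlier in the file")
        seen.add(normalize_dn(dn))
    return findings

if __name__ == "__main__":
    print(lint(parse_ldif(CONFIG_LDIF)), lint(parse_ldif(DATA_LDIF), "dc=stack,dc=com"))
```

Run it against your own files by reading them with open() and passing the text to parse_ldif; for the data file pass the olcSuffix of the database it is loaded into, so that the suffix entry itself is not flagged as an orphan. The suffix comparison is done on normalised DNs and requires a full RDN boundary (",dc=stack,dc=com"), so a look-alike such as dc=bigstack,dc=com is still reported.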
Step 3: Start LDAP service
Now it's time to start our LDAP service as shown below.
$ sudo /usr/local/libexec/slapd -F /usr/local/etc/slapd.d
Step 4: Validate LDAP service
We can now search our LDAP directory tree for the information we loaded, binding as one of the users we created, as shown below.
$ ldapsearch -x -b 'dc=stack,dc=com' -D 'cn=bob,ou=devops,dc=stack,dc=com' '(cn=alice)' -W
The primary purpose of this article was to show how the slapd utilities can be used to manage our LDAP configuration database and directory tree in offline mode.
Hope you enjoyed reading this article. Thank you.