Store configuration in the directory itself
One of the hot features of OpenLDAP 2.4 is storing the configuration in the same LDAP directory. The advantages are:
- runtime modification of the configuration with ldapmodify, without a service restart;
- replication of configuration branches, such as the schema or the ACLs, through the syncprov overlay.
To store the configuration in the directory itself, just start slapd with the -F switch, pointing to a slapd.d directory owned by ldap:ldap, usually located at /etc/ldap/slapd.d on Debian:
/usr/local/libexec/slapd -u ldap -g ldap -f slapd.conf -F slapd.d -d -1
(once slapd has written the converted configuration into slapd.d, remove the -f switch; older Debian startup scripts require -f, so it may be necessary to modify them).
How to replicate schema branch
First of all, enable the syncprov overlay over cn=config on the master server; this is the LDIF needed to achieve that:
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
olcOverlay: syncprov
Or, if the configuration has not yet been migrated, edit slapd.conf:
database config
rootpw {SSHA}WGWXrWf/RG99aVWs3VBMn5nyJGzhCfkS
overlay syncprov
Then add to the master server an ACL allowing a user to read cn=config, like:
access to dn.subtree="cn=config" by dn="cn=confreplica,dc=example,dc=com" read
slapd.conf on the slave should look like this:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
# core.schema has to be included anyway
#include /usr/local/etc/openldap/schema/cosine.schema
#include /usr/local/etc/openldap/schema/inetorgperson.schema
#include /usr/local/etc/openldap/schema/openldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_hdb
# moduleload back_ldap
[...] acl go here
loglevel stats ACL sync
database config
rootdn "cn=admin,cn=config"
rootpw {SSHA}WGWXrWf/RG99aVWs3VBMn5nyJGzhCfkS
syncrepl rid=002
        provider=ldap://master.example.com:389
        type=refreshAndPersist
        interval=00:00:10:00
        searchbase="cn=schema,cn=config"
        filter="objectClass=olcSchemaConfig"
        scope="sub"
        binddn="cn=confreplica,dc=example,dc=com"
        bindmethod=simple
        credentials="secret"
# next database sections
Then migrate the configuration on the slave from slapd.conf to slapd.d as usual.
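As an added check (example code, not from the original page or the OpenLDAP project), a small Python lint that joins the slapd.conf continuation lines of the syncrepl stanza above, parses its key=value pairs and flags three things a reviewer would look at: an interval that refreshAndPersist never uses, a simple bind over plain ldap://, and a master-side read grant on cn=config that is wider than the cn=schema,cn=config branch the consumer actually replicates. The configuration embedded in it is a constructed sample built from the page.

```python
import re
import shlex

# Constructed sample (not a file from the page): the master's ACL plus the slave's
# syncrepl stanza, using the leading-whitespace continuation lines slapd.conf(5) needs.
SAMPLE_CONF = """\
access to dn.subtree="cn=config" by dn="cn=confreplica,dc=example,dc=com" read
syncrepl rid=002
  provider=ldap://master.example.com:389
  type=refreshAndPersist
  interval=00:00:10:00
  searchbase="cn=schema,cn=config"
  binddn="cn=confreplica,dc=example,dc=com"
  bindmethod=simple
  credentials="secret"
"""

def parse_directives(text):
    """Return (name, arguments) pairs; a line starting with whitespace continues the previous one."""
    joined = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.strip())
    return [(d.partition(" ")[0].lower(), d.partition(" ")[2].strip()) for d in joined]

def syncrepl_params(args):
    """Split the key=value tokens of a syncrepl directive, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(args) if "=" in tok)

def lint(text):
    """Return finding codes for every syncrepl consumer stanza in text."""
    acl_targets = [t.lower() for t in re.findall(r'dn\.subtree="([^"]+)"', text)]
    findings = []
    for name, args in parse_directives(text):
        if name != "syncrepl":
            continue
        p = syncrepl_params(args)
        if p.get("type") == "refreshAndPersist" and "interval" in p:
            findings.append("interval-ignored")  # interval only drives refreshOnly polling
        if p.get("provider", "").startswith("ldap://") and p.get("starttls") not in ("yes", "critical"):
            findings.append("cleartext-bind")  # simple-bind password crosses the wire unprotected
        base = p.get("searchbase", "").lower()
        for target in acl_targets:
            if base != target and base.endswith("," + target):
                findings.append("acl-wider-than-searchbase")  # grant exceeds the replicated branch
    return findings
```

Run it over the real slapd.conf of the slave (with the master's access line pasted in) to see which of the three findings apply before migrating to slapd.d.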