Convert from slap.conf to cn=config of openldap 2.4.

1) Converting old style slapd.conf(5) file to cn=config format

Before converting to the cn=config format you should make sure that the config backend is properly configured in your existing config file. While the config backend is always present inside slapd, by default it is only accessible by its rootDN, and there are no default credentials assigned so unless you explicitly configure a means to authenticate to it, it will be unusable.


If you do not already have a database config section, add something like this to the end of slapd.conf


database config

rootdn “cn=admin, cn=config”

 rootpw VerySecret

Note: Since the config backend can be used to load arbitrary code into the slapd process, it is extremely important to carefully guard whatever credentials are used to access it. Since simple passwords are vulnerable to password guessing attacks, it is usually better to omit the rootpw and only use SASL authentication for the config rootDN.

An existing slapd.conf(5) file can be converted to the new format using slaptest(8) or any of the slap tools:


mkdir /etc/openldap/slapd.d

        slaptest -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d

Test that you can access entries under cn=config using the default rootdn and the rootpw configured above:


        ldapsearch -x -D cn=config -w VerySecret -b cn=admin,cn=config

You can then discard the old slapd.conf(5) file. Make sure to launch slapd(8) with the -F option to specify the configuration directory if you are not using the default directory path.


Note: When converting from the slapd.conf format to slapd.d format, any included files will also be integrated into the resulting configuration database.

Adding additional schemas to slapd requires the schema to be converted to LDIF format. Fortunately, the slapd program can be used to automate the conversion. The following example will add the misc.schema:

2) Convert schema to LDIF format.

2.1   Firstly, create a conversion schema_convert.conf file containing the schema which will be converted as following lines:


include /etc/ldap/schema/core.schema

include /etc/ldap/schema/collective.schema

include /etc/ldap/schema/corba.schema

include /etc/ldap/schema/cosine.schema

include /etc/ldap/schema/duaconf.schema

include /etc/ldap/schema/dyngroup.schema

include /etc/ldap/schema/inetorgperson.schema

include /etc/ldap/schema/java.schema

include /etc/ldap/schema/misc.schema

include /etc/ldap/schema/nis.schema

include /etc/ldap/schema/openldap.schema

include /etc/ldap/schema/ppolicy.schema

2.2  Create a temporary directory to hold the output:


mkdir /tmp/ldif_output


2.3  Now using slaptest convert the schema files to LDIF:


slaptest -f schema_convert.conf -F /tmp/ldif_output


Adjust the configuration file name and temporary directory names if yours are different. Also, it may be worthwhile to keep the ldif_output directory around in case you want to add additional schemas in the future.


2.4  Edit the /tmp/ldif_output/cn=config/cn=schema/cn={8}misc.ldif file, changing the following attributes:


dn: cn=misc,cn=schema,cn=config

cn: misc


And remove the following lines from the bottom of the file:


structuralObjectClass: olcSchemaConfig

entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757

creatorsName: cn=config

createTimestamp: 20080826021140Z

entryCSN: 20080826021140.791425Z#000000#000#000000

modifiersName: cn=config

modifyTimestamp: 20080826021140Z




The attribute values will vary, just be sure the attributes are removed.


2.5  Finally, using the ldapadd utility, add the new schema to the directory:


ldapadd -x -D cn=admin,cn=config -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{8\}misc.ldif


There should now be a dn: cn={4}misc,cn=schema,cn=config entry in the cn=config tree.


Be the first to comment

Leave a Reply