How to Update OpenLDAP Configuration Dynamically

Learn how to efficiently update your OpenLDAP configuration using the slapmodify tool.

Written by Seaghan McNelis

Updated at October 30th, 2024

Table of Contents

  • Overview
  • Prerequisites
  • Step-by-Step Instructions
    1. Backup the Configuration Database
    2. Change Configuration Offline Using Slapmodify
    3. Map rootDN to Unix UID and GID
    4. Add ACL to Config Database
    5. Restart the slapd Service
  • Alternative Method: Direct Configuration File Modification
  • Conclusion

Date: 09-04-2024

Overview

This guide explains how to update the OpenLDAP configuration (cn=config) offline with the slapmodify command, which is available in OpenLDAP 2.5 and later and edits the configuration database directly while the slapd service is stopped. This is useful for critical changes such as resetting a root password or modifying access controls when the normal ldapmodify operation cannot be used, typically because the identity you can bind with has no write access to cn=config or the rootDN password has been lost.

Backup Important Data: It is strongly recommended that you create a backup of your configuration before making changes. See Step 1 below.

Prerequisites

  • Symas OpenLDAP Installed: Ensure that Symas OpenLDAP is properly installed on your system.
  • Root Access: You must have root access or the equivalent privileges.

Step-by-Step Instructions

1. Backup the Configuration Database

Before making any changes, create a backup of your current configuration:

/opt/symas/sbin/slapcat -n0 -F /opt/symas/etc/openldap/slapd.d -o ldif-wrap=no -l cn-config-backup.ldif

  • -n0: This specifies the database number; 0 is always the configuration database (cn=config). Every other database has the number that appears as the {n} index of its olcDatabase entry (for example olcDatabase={1}mdb is -n1).
  • -F: This specifies the configuration directory path. In this case, it is /opt/symas/etc/openldap/slapd.d, where the slapd configuration files are stored.
  • -o ldif-wrap=no: This option prevents wrapping long lines in the LDIF output. Without it, long values are split over continuation lines, which is harder to read and to edit.
  • -l cn-config-backup.ldif: This defines the LDIF file where the backup is stored (cn-config-backup.ldif in this case). Keep it outside the slapd.d directory and readable only by root: it contains the olcRootPW hashes and any other secrets held in the configuration.

2. Change Configuration Offline Using Slapmodify

Stop the slapd service to ensure that no processes are accessing the configuration files:

systemctl stop slapd

Next, use the slapmodify command to apply the necessary changes.

Example: Updating the Root Password

a. Create an LDIF file (chrootpw.ldif) that replaces olcRootPW on the database entry whose rootDN you are resetting: olcDatabase={0}config,cn=config for the configuration rootDN, or the entry of a data database such as olcDatabase={1}mdb,cn=config. Store a hash generated with slappasswd rather than the cleartext password.
b. Apply the changes using slapmodify:

/opt/symas/sbin/slapmodify -n0 -F /opt/symas/etc/openldap/slapd.d -l chrootpw.ldif

  • -n0: As with slapcat, -n0 refers to the configuration database (cn=config). The LDIF is applied to entries under cn=config, which is where olcRootPW lives, even when the password belongs to a data database.
  • -F: This specifies the configuration directory where the dynamic slapd configuration files are located.
  • -l chrootpw.ldif: This specifies the LDIF file that contains the modifications to be applied (chrootpw.ldif in this case).

3. Map rootDN to Unix UID and GID

ldapmodify run as root over the ldapi:/// socket with SASL EXTERNAL does not bind as your rootDN: slapd authenticates the Unix peer credentials and expresses them as the identity gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth. If that identity has no rights on cn=config, password changes through ldapmodify fail. An olcAuthzRegexp rule maps the root user's peercred identity to your rootDN, so root can manage the configuration locally without a password.

a. Create the add-authz.ldif file with the following content. The first quoted value is a POSIX extended regular expression, which is why the + is escaped; replace <YOUR-ROOT-DN-HERE> with your rootDN:

# add-authz.ldif
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "<YOUR-ROOT-DN-HERE>"

b. Apply the configuration using slapmodify (slapd must be stopped):

systemctl stop slapd
/opt/symas/sbin/slapmodify -n0 -F /opt/symas/etc/openldap/slapd.d -l add-authz.ldif

4. Add ACL to Config Database

You may also need to add an ACL to the config database so that the rootDN can write to the configuration. This is needed when <YOUR-ROOT-DN-HERE> is the rootDN of a data database (for example the {1}mdb database) rather than the olcRootDN of olcDatabase={0}config itself: a database's own rootDN bypasses the ACLs of that database but has no special rights on cn=config.

Create the add-config-acl.ldif file with the following content:

# add-config-acl.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: to *  by dn.base="<YOUR-ROOT-DN-HERE>" manage  by * none

olcAccess rules are evaluated in order, and a value added without a {n} index is appended after the existing rules. If olcDatabase={0}config already has a rule for "to *" (many packaged defaults grant the root peercred identity manage access that way), the new rule is never reached; in that case write the value as olcAccess: {0}to * ... so that it is inserted first, and inspect the result with slapcat -n0 before starting slapd. Note also that "by * none" denies every other identity, including the peercred identity itself unless it is mapped by the olcAuthzRegexp rule from step 3.

Apply the configuration using slapmodify:

systemctl stop slapd
/opt/symas/sbin/slapmodify -n0 -F /opt/symas/etc/openldap/slapd.d -l add-config-acl.ldif

5. Restart the slapd Service

Once you have applied all necessary modifications, restart the slapd service:

systemctl start slapd

You can now verify the change: as root, run ldapmodify (or a search of cn=config) over ldapi:/// with SASL EXTERNAL. With the olcAuthzRegexp rule in place the bind identity is rewritten to your rootDN, so the operation should succeed, and the rewritten identity is what slapd reports for a "who am I" request.
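Steps 2 to 5 as one script, added here as an example; it is not code from this page, from Symas or from the OpenLDAP project. It generates the three LDIF files (chrootpw.ldif with an {SSHA} hash in the format slappasswd produces, add-authz.ldif and add-config-acl.ldif), checks that the peercred regular expression matches the identity it is meant to map, wraps the stop/slapmodify/start sequence with a dry run by default, and lists the commands for the step 5 check. The install prefix /opt/symas, the unit name slapd, the rootDN cn=admin,dc=example,dc=com, the sample password and the assumption that olcRootDN is already set on olcDatabase={0}config are mine, not from the page. Unlike the page's add-config-acl.ldif, the generated rule carries a {0} index so that it lands first.

```python
#!/usr/bin/env python3
"""Prepare and apply the offline cn=config changes of steps 2 to 5.

Added example; not code from the page, Symas or the OpenLDAP project.
Assumptions (not from the page): Symas prefix /opt/symas, unit name slapd,
olcRootDN already set on olcDatabase={0}config, sample rootDN
cn=admin,dc=example,dc=com.
"""
import base64
import hashlib
import os
import re
import subprocess

SBIN = "/opt/symas/sbin"                      # assumed Symas layout
BIN = "/opt/symas/bin"
SLAPD_D = "/opt/symas/etc/openldap/slapd.d"
PEERCRED_ID = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
PEERCRED_RE = r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"


def ssha_hash(password, salt=None):
    """{SSHA} value as slappasswd -h {SSHA} produces it:
    base64(sha1(password || salt) || salt) with a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value before it goes
    into olcRootPW, so a typo cannot lock you out."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def rootpw_ldif(password_hash, db_dn="olcDatabase={0}config,cn=config"):
    """chrootpw.ldif: replace olcRootPW on one database entry under cn=config."""
    return (f"dn: {db_dn}\nchangetype: modify\n"
            f"replace: olcRootPW\nolcRootPW: {password_hash}\n")


def authz_ldif(root_dn):
    """add-authz.ldif: map root's ldapi:/// peercred identity to root_dn.
    The match value is a POSIX ERE, hence the escaped '+'."""
    return ("dn: cn=config\nchangetype: modify\nadd: olcAuthzRegexp\n"
            f'olcAuthzRegexp: {{0}}"{PEERCRED_RE}" "{root_dn}"\n')


def config_acl_ldif(root_dn):
    """add-config-acl.ldif: manage rights on cn=config for root_dn.  The {0}
    index inserts the rule first; olcAccess is evaluated in order, so a rule
    appended after an existing 'to *' rule would never be reached."""
    return ("dn: olcDatabase={0}config,cn=config\nchangetype: modify\n"
            "add: olcAccess\n"
            f'olcAccess: {{0}}to * by dn.base="{root_dn}" manage by * none\n')


def regexp_matches(pattern, identity=PEERCRED_ID):
    """Sanity check with Python's re.  slapd compiles the pattern as a POSIX
    ERE, so this only approximates its matcher, but an unescaped '+' (one or
    more zeros) fails here just as it fails in slapd."""
    return re.fullmatch(pattern, identity, re.IGNORECASE) is not None


def offline_modify(ldif_path, dry_run=True):
    """Stop slapd, apply one LDIF to the config database (-n0) with
    slapmodify, check the tree with slaptest -u, start slapd.
    Returns the command lines; runs them only when dry_run is False."""
    cmds = [
        ["systemctl", "stop", "slapd"],
        [f"{SBIN}/slapmodify", "-n0", "-F", SLAPD_D, "-l", ldif_path],
        [f"{SBIN}/slaptest", "-F", SLAPD_D, "-u"],
        ["systemctl", "start", "slapd"],
    ]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)   # stop at the first failure
    return cmds


def verify_cmds():
    """Step 5 check: with the olcAuthzRegexp rule active, root's EXTERNAL
    bind is reported as the rootDN and the config database entry is readable."""
    return [[f"{BIN}/ldapwhoami", "-Y", "EXTERNAL", "-H", "ldapi:///"],
            [f"{BIN}/ldapsearch", "-Y", "EXTERNAL", "-H", "ldapi:///", "-b",
             "olcDatabase={0}config,cn=config", "-s", "base",
             "olcRootDN", "olcAccess"]]


if __name__ == "__main__":
    root_dn = "cn=admin,dc=example,dc=com"          # assumption
    pw_hash = ssha_hash("change-me-before-use")      # constructed sample
    assert ssha_verify("change-me-before-use", pw_hash)
    for name, text in [("chrootpw.ldif", rootpw_ldif(pw_hash)),
                       ("add-authz.ldif", authz_ldif(root_dn)),
                       ("add-config-acl.ldif", config_acl_ldif(root_dn))]:
        with open(name, "w") as fh:
            fh.write(text)
        for cmd in offline_modify(name):            # dry run: print only
            print(" ".join(cmd))
    for cmd in verify_cmds():
        print(" ".join(cmd))
```

Run it as root on the LDAP server; pass dry_run=False to offline_modify only after reviewing the printed commands, and run the two commands from verify_cmds() once slapd is back up: ldapwhoami should print the rootDN you mapped, not the peercred identity.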

Alternative Method: Direct Configuration File Modification

If slapmodify fails, you can edit the configuration as a text file instead. Work on a copy of the backup taken in step 1 and leave cn-config-backup.ldif itself untouched, since it is what you restore from if the edit goes wrong. slapcat writes long values on continuation lines unless it was run with -o ldif-wrap=no, so check that each attribute you touch is on a single line before editing.

In the copy:

  • Under dn: cn=config, add:
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "<YOUR-ROOT-DN-HERE>"
  • Under dn: olcDatabase={0}config,cn=config, add:
olcAccess: to *  by dn.base="<YOUR-ROOT-DN-HERE>" manage  by * none

If that entry already has olcAccess values, put the new rule before them and remove the {n} indices from all olcAccess values of the entry, so that slapadd numbers them in file order; otherwise the new rule is evaluated last and an earlier "to *" rule shadows it.

Apply the modified configuration. The rm -rf removes the only on-disk copy of the old configuration, so keep the unmodified backup safe (or move the directory aside instead of deleting it), and if slapd runs as an unprivileged user make sure the recreated directory is owned by that user before starting the service:

systemctl stop slapd
rm -rf /opt/symas/etc/openldap/slapd.d
/opt/symas/sbin/slapadd -n0 -F /opt/symas/etc/openldap/slapd.d -l <modified-config-backup-file>.ldif
systemctl start slapd
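The alternative method as a script, added here as an example and not code from this page or from the OpenLDAP project. It makes the two edits described above in a copy of the backup, unfolding wrapped lines first so that whole values are edited, placing the new olcAccess rule before the entry's existing rules (with their {n} indices dropped, so slapadd numbers them in file order), and refusing to continue if the target DN is not found exactly once. It then lists the restore commands, moving the old slapd.d aside rather than deleting it. The Symas paths, the unit name slapd and the rootDN cn=admin,dc=example,dc=com are assumptions, and the backup text is constructed, not taken from a real system.

```python
#!/usr/bin/env python3
"""Alternative method: edit a slapcat -n0 backup offline, reload with slapadd.

Added example; not code from the page or the OpenLDAP project.  Symas paths,
unit name slapd and the rootDN cn=admin,dc=example,dc=com are assumptions;
SAMPLE_BACKUP is constructed for illustration.
"""
import re
import subprocess
import time

SBIN = "/opt/symas/sbin"                         # assumed Symas layout
SLAPD_D = "/opt/symas/etc/openldap/slapd.d"
INDEX_RE = re.compile(r"^([A-Za-z0-9-]+): \{\d+\}")   # 'olcAccess: {0}...'

# Constructed sample of what slapcat -n0 writes, with one folded line and an
# existing 'to *' rule: exactly the case where an appended ACL is dead.
SAMPLE_BACKUP = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * none
olcRootDN: cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) into their value; a backup
    taken without -o ldif-wrap=no has them and line edits must see whole values."""
    out = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def add_attribute(ldif_text, dn, attr_line, first=False):
    """Return the LDIF with attr_line added to the entry whose DN is dn.
    first=True puts it before the entry's existing values of that attribute
    and strips their {n} indices so slapadd renumbers them in file order
    (olcAccess is order-sensitive).  Base64 DNs (dn::) are not matched.
    Raises unless exactly one entry matches, so a typo cannot go unnoticed."""
    entries = "\n".join(unfold(ldif_text)).split("\n\n")
    attr = attr_line.split(":", 1)[0]
    hits = 0
    for i, entry in enumerate(entries):
        lines = entry.strip("\n").split("\n")
        if f"dn: {dn}" not in lines:
            continue
        hits += 1
        same = [j for j, l in enumerate(lines) if l.startswith(attr + ":")]
        if first and same:
            lines = [INDEX_RE.sub(r"\1: ", l) if j in same else l
                     for j, l in enumerate(lines)]
            lines.insert(same[0], attr_line)
        else:
            lines.append(attr_line)
        entries[i] = "\n".join(lines)
    if hits != 1:
        raise ValueError(f"expected one entry for dn {dn!r}, found {hits}")
    return "\n\n".join(e.strip("\n") for e in entries) + "\n"


def restore_cmds(ldif_path, dry_run=True):
    """Replace the slapd.d tree from an edited backup.  The old tree is moved
    aside instead of deleted so a bad edit is rolled back by moving it back;
    slaptest -u checks the new tree before slapd is started."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    cmds = [
        ["systemctl", "stop", "slapd"],
        ["mv", SLAPD_D, f"{SLAPD_D}.bak-{stamp}"],
        ["mkdir", "-p", SLAPD_D],
        [f"{SBIN}/slapadd", "-n0", "-F", SLAPD_D, "-l", ldif_path],
        [f"{SBIN}/slaptest", "-F", SLAPD_D, "-u"],
        ["systemctl", "start", "slapd"],
    ]
    if not dry_run:          # if slapd runs unprivileged, chown SLAPD_D to
        for cmd in cmds:     # that user after slapadd (site-specific)
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    root_dn = "cn=admin,dc=example,dc=com"           # assumption
    text = add_attribute(SAMPLE_BACKUP, "cn=config",
        'olcAuthzRegexp: {0}"gidNumber=0\\+uidNumber=0,cn=peercred,'
        f'cn=external,cn=auth" "{root_dn}"')
    text = add_attribute(text, "olcDatabase={0}config,cn=config",
        f'olcAccess: to * by dn.base="{root_dn}" manage by * none', first=True)
    with open("modified-config.ldif", "w") as fh:
        fh.write(text)
    print(text)
    for cmd in restore_cmds("modified-config.ldif"):  # dry run: print only
        print(" ".join(cmd))
```

In real use, call add_attribute on the contents of your copy of cn-config-backup.ldif instead of SAMPLE_BACKUP, read the printed LDIF before calling restore_cmds with dry_run=False, and keep the .bak directory until slapd has started cleanly.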

Conclusion

By following this guide, you can safely update the OpenLDAP configuration while slapd is stopped, so that critical changes such as a root password reset are made without needing a working bind to cn=config. Always back up your configuration before making any changes, and test thoroughly after slapd has been started again.

For additional support, please contact Symas Technical Support: support@symas.com

Copyright © 2020-2024 Symas Corporation. All rights reserved.