How to Update OpenLDAP Configuration Offline Using Slapmodify
Learn how to efficiently update your OpenLDAP configuration offline using the slapmodify tool.
Table of Contents
Date: 09-04-2024
Overview
This guide explains how to update the OpenLDAP configuration offline using the slapmodify
command without running the slapd
service. This process can be useful for making critical configuration changes, such as updating the root password or modifying access controls, when the normal ldapmodify
operation is not sufficient due to authentication issues.
Prerequisites
- Symas OpenLDAP Installed: Ensure that Symas OpenLDAP is properly installed on your system.
- Root Access: You must have root access or the equivalent privileges.
- Backup Important Data: Always create a backup of your configuration before making changes.
Step-by-Step Instructions
1. Backup the Configuration Database
Before making any changes, create a backup of your current configuration:
/opt/symas/sbin/slapcat -n0 -F /opt/symas/etc/openldap/slapd.d -o ldif-wrap=no -l cn-config-backup.ldif
-
n0
: This specifies the database number (0 refers to the configuration databasecn=config
). In OpenLDAP, each database has an assigned number.
-
-F
: This specifies the configuration directory path. In this case, it is/opt/symas/etc/openldap/slapd.d
, where the slapd configuration files are stored.
-
-o ldif-wrap=no
: This option prevents wrapping lines in the LDIF output. Without this, long lines may be split, making it harder to read.
-
-l cn-config-backup.ldif
: This defines the name of the LDIF file where the backup will be stored(cn-config-backup.ldif
in this case).
2. Change Configuration Offline Using Slapmodify
Stop the slapd
service to ensure that no processes are accessing the configuration files:
systemctl stop slapd
Next, use the slapmodify
command to apply the necessary changes.
Example: Updating the Root Password
- Create an LDIF file (
chrootpw.ldif
) with the updated root password. - Apply the changes using
slapmodify
:
/opt/symas/sbin/slapmodify -n0 -F /opt/symas/etc/openldap/slapd.d -l chrootpw.ldif
-
-n0
: As withslapcat
,-n0
refers to the configuration database (cn=config
). You are instructingslapmodify
to apply changes to this database.
-
-F
: This specifies the configuration directory where the dynamic slapd configuration files are located.
-
-l chrootpw.ldif
: This specifies the LDIF file that contains the modifications to be applied (chrootpw.ldif
in this case).
3. Map rootDN to Unix UID and GID
If you encounter issues updating the password with ldapmodify
, you may need to map the rootDN to the Unix UID and GID of the system root user.
- Create the
add-authz.ldif
file with the following content:
# add-authz.ldif
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "<YOUR-ROOT-DN-HERE>"
slapmodify
:systemctl stop slapd
/opt/symas/sbin/slapmodify -n0 -F /opt/symas/etc/openldap/slapd.d -l add-authz.ldif
4. Add ACL to Config Database
You may also need to add an ACL to the config database to allow the rootDN to write to the configuration.
Create the add-config-acl.ldif
file with the following content:
# add-config-acl.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by dn.base="<YOUR-ROOT-DN-HERE>" manage by * none
Apply the configuration using slapmodify
:
systemctl stop slapd
/opt/symas/sbin/slapmodify -n0 -F /opt/symas/etc/openldap/slapd.d -l add-config-acl.ldif
5. Restart the slapd Service
Once you have applied all necessary modifications, restart the slapd
service:
systemctl start slapd
You can now test the ldapmodify
command on cn=config
to ensure that your changes have been applied successfully.
6. Alternative Method: Direct Configuration File Modification
If slapmodify
fails, you can directly modify the configuration file:
Edit the cn-config-backup.ldif
file:
- Under
dn: cn=config
, add:
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "<YOUR-ROOT-DN-HERE>"
- Under
dn: olcDatabase={0}config,cn=config
, add:
olcAccess: to * by dn.base="<YOUR-ROOT-DN-HERE>" manage by * none
Apply the modified configuration:
systemctl stop slapd
rm -rf /opt/symas/etc/openldap/slapd.d
/opt/symas/sbin/slapadd -n0 -F /opt/symas/etc/openldap/slapd.d -l <modified-config-backup-file>.ldif
systemctl start slapd
Conclusion
By following this guide, you can safely and effectively update the OpenLDAP configuration offline, ensuring that critical changes are made without authentication issues. Always ensure to backup your configuration before making any changes, and test thoroughly after reloading the configuration.
For additional support, please contact Symas Technical Support: support@symas.com