Symas OpenLDAP Knowledge Base

Static vs. Dynamic Configuration

OpenLDAP can be configured using either a static configuration (slapd.conf) or a dynamic configuration (slapd.d, also known as cn=config). Both ways are fine, but each has pros and cons. The primary benefit of slapd.conf is that it is much more concise and easier to edit. The primary benefit of the cn=config approach is that the configuration can be modified while the service is running.

During early experimentation, setup, and testing it may be easier to work with the configuration as a whole (slapd.conf) in its smaller form. As testing proceeds and the configuration stabilizes, it can be converted to the cn=config internal database. Changes are then made via the LDAP line-mode utility programs (or an LDAP browser like the Apache Directory Studio). These changes take effect immediately.

Once the configuration is stored in the internal cn=config database, changes made there can only be reflected in external copies of slapd.conf. If a server has to have its configuration (re)loaded, this can only be done from a recent backup of the data stored in cn=config.
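The lifecycle described above (convert slapd.conf, change cn=config over LDAP, back it up, reload it from the backup) can be scripted with the standard OpenLDAP tools. This is an added example, not part of the original article or Symas tooling. The function names, the paths and the `DRY_RUN` switch are assumptions to adapt to your installation.

```shell
#!/bin/sh
# Added example: cn=config lifecycle. Paths below are placeholders (assumptions).
CONF=${CONF:-/etc/openldap/slapd.conf}
CONFDIR=${CONFDIR:-/etc/openldap/slapd.d}
DRY_RUN=${DRY_RUN:-1}   # 1 = print each command instead of running it

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Convert: slaptest parses slapd.conf and writes the equivalent cn=config
# tree into CONFDIR, which must already exist and be empty.
convert_conf() { run slaptest -f "$CONF" -F "$CONFDIR"; }

# Build the LDIF for one live change: replace the log level on cn=config.
loglevel_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLogLevel\nolcLogLevel: %s\n' "$1"
}

# Apply an LDIF file to the running server; it takes effect immediately.
# -Y EXTERNAL over ldapi:/// authenticates as the local OS user.
# Assumption: that identity has been granted manage access to cn=config.
apply_live() { run ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"; }

# Back up database 0 (cn=config) to LDIF. The dump can contain olcRootPW
# and replication credentials, so the file is created owner-only.
backup_config() { ( umask 077; run slapcat -n 0 -F "$CONFDIR" -l "$1" ); }

# Reload from a backup: stop slapd, empty CONFDIR, then load the LDIF and
# restore ownership of CONFDIR to the account slapd runs as.
restore_config() { run slapadd -n 0 -F "$CONFDIR" -l "$1"; }

# Typical sequence (commented out so sourcing this file changes nothing):
#   convert_conf
#   loglevel_ldif stats > /tmp/loglevel.ldif && apply_live /tmp/loglevel.ldif
#   backup_config /var/backups/config-$(date +%F).ldif
#   restore_config /var/backups/config-YYYY-MM-DD.ldif
```

Run with `DRY_RUN=0` only after checking the printed commands against your own paths. Taking a fresh `backup_config` after every live change keeps the backup usable for a reload.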

In Multi-Master server clusters, support for replicating cn=config among servers was completed in OpenLDAP 2.5. More information about replicating cn=config will be provided in an upcoming Knowledge Base article.