Modify openLDAP cn=config without slapd running


I am trying to setup a Multi-Master openLDAP (PoC) cluster.
Somewhere I created bad config and now slapd will not start. Being that the cn=config/olc config is CRC32 tagged, it won't accept manual changes.

So, how do I make config changes without the daemon running?

There is slapadd, but I need to modify, not add … right?
I feel like I might be missing something obvious.

If it matters, I think either or both olcModuleLoad and olcServerID are wrong.

Running openldap-2.4.42 on Ubuntu 16.04.

I was wrong about the edits not being accepted. The config was being rejected for a different reason (no serverID / URL match found), the checksum error was logged but does not prevent the daemon from starting.

I was able to manually edit ldif files in /etc/ldap/slap.d/cn=config and start the server. (Although I have not yet gotten multi-master replication working.)

Best Answer

I know you've basically solved your problem, but I thought I'd add my own steps for making offline slapd configurations if anybody else comes across this. This is from my own documentation for Debian based systems:

Sometimes it is necessary to edit a cn=config style database manually (if you cannot get into the database using the root account, for example); however, a cn=config style database should never be edited by hand. In order to fix issues directly in the files themselves you need to convert the database to ldif format, make your changes, then restore the database. This is accomplished using the slap tools.

Start by stopping the slapd service. It is recommended to make a copy of the slapd directory and all of its contents just in case something goes wrong.

$ systemctl stop slapd
$ cp -a /etc/ldap/slapd.d /var/backups/slapd.d-offline-$(date +%s)

Now backup the slapd database you want to change. The slap tools should be used for backing up and restoring. Slapcat can be used to convert a database from cn=config style to an ldif file. To backup the config database, export it to an ldif file using slapcat.

$ slapcat -n0 -F /etc/ldap/slapd.d/ -l /var/backups/slapd.d-config-$(date +%s).ldif

The -n option specifies which database you wish to back up. The config database is always 0.

To backup a different database simply substitute the dbnum option with the correct database number. If you only have one database this will probably be “1”.

$ slapcat -n1 -F /etc/ldap/slapd.d/ -l /var/backups/slapd.d-acme-$(date +%s).ldif

Once you have backed up the current database you need to delete the slapd directory under the ldap folder and create a new one.

$ rm -rf /etc/ldap/slapd.d
$ mkdir /etc/ldap/slapd.d

Now you can make your changes to the ldif file that you created with the slapcat tool with a text editor. Be careful with any edits as typos, invalid syntax, and other issues will cause a re-import of the ldif file to fail. After all your changes are complete import your database into the new slapd directory.

Converting an ldif backup of your database to cn=config is done with the slapadd tool. The slapadd tool, like the slapcat tool, requires a database number. 0 is always the config database.

$ slapadd -n0 -F /etc/ldap/slapd.d -l /var/backups/slapd.d-config-<timestamp>.ldif

Replace <timestamp> with the database you actually want to restore.

To restore your database instead of the config database simply substitute the dbnum option with the correct database number. If you only have one database this will probably be “1”.

Make sure to change ownership and permissions of all the new files.

$ chown -R openldap:openldap /etc/ldap/slapd.d

Now start slapd back up.

$ systemctl start slapd
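The whole stop / back up / slapcat / edit / slapadd / chown / start sequence from the answer, wrapped into one script as an added example (this is not code from the question or the answer). It assumes the same Debian layout as the answer (/etc/ldap/slapd.d, the openldap user, systemctl) and adds two things the answer leaves to the operator: the edit itself is done by a small hypothetical helper, set_ldif_attr, which replaces one attribute in one entry of the exported ldif rather than relying on a hand edit, and the rebuilt directory is checked with slaptest before slapd is started again; if slapadd or slaptest fails, the saved copy of slapd.d is put back so you are never left with an empty config directory.

```shell
#!/bin/sh
# Offline cn=config edit for a Debian/Ubuntu slapd. Added example; paths,
# user name and the set_ldif_attr helper are assumptions, not part of the
# original answer. Run as root: slapcat/slapadd need to read and write slapd.d.
set -eu

CONFDIR="${CONFDIR:-/etc/ldap/slapd.d}"
BACKUPDIR="${BACKUPDIR:-/var/backups}"

# set_ldif_attr FILE DN ATTR VALUE
# In the entry whose "dn: DN" line matches exactly, drop every existing
# "ATTR: ..." value (and any folded continuation lines belonging to it) and
# write a single "ATTR: VALUE" right after the dn line. Base64 ("dn::") and
# folded dn lines are not handled; slapcat output for cn=config is plain.
set_ldif_attr() {
    file="$1"; dn="$2"; attr="$3"; val="$4"
    tmp="$(mktemp)"
    awk -v dn="$dn" -v attr="$attr" -v val="$val" '
        /^dn: / {
            inentry = ($0 == "dn: " dn)
            skip = 0
            print
            if (inentry) print attr ": " val   # new value goes right after the dn line
            next
        }
        inentry && index($0, attr ": ") == 1 { skip = 1; next }  # drop an old value
        inentry && skip && /^ / { next }                         # and its folded continuation
        { skip = 0; print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# offline_edit DN ATTR VALUE
# The answer's procedure, with a slaptest check before the service comes back
# and a rollback to the saved directory if the re-import fails.
offline_edit() {
    dn="$1"; attr="$2"; val="$3"
    stamp="$(date +%s)"
    dirbak="$BACKUPDIR/slapd.d-offline-$stamp"          # copy of the whole directory
    ldif="$BACKUPDIR/slapd.d-config-$stamp.ldif"         # slapcat export of database 0

    systemctl stop slapd
    cp -a "$CONFDIR" "$dirbak"
    slapcat -n0 -F "$CONFDIR" -l "$ldif"

    set_ldif_attr "$ldif" "$dn" "$attr" "$val"

    rm -rf "$CONFDIR"
    mkdir "$CONFDIR"
    if slapadd -n0 -F "$CONFDIR" -l "$ldif" && slaptest -F "$CONFDIR"; then
        chown -R openldap:openldap "$CONFDIR"
        systemctl start slapd
        echo "config rebuilt from $ldif; directory backup in $dirbak"
    else
        echo "re-import or slaptest failed; restoring $dirbak, slapd left stopped" >&2
        rm -rf "$CONFDIR"
        cp -a "$dirbak" "$CONFDIR"
        return 1
    fi
}

# Usage: ./offline-edit.sh --run 'cn=config' olcServerID '2 ldap://ldap2.example.test/'
if [ "${1:-}" = "--run" ]; then
    offline_edit "$2" "$3" "$4"
fi
```

The only command here that is not in the answer is slaptest -F, which parses the freshly written slapd.d the same way slapd would at startup, so a typo in the ldif is caught while the old directory is still on disk instead of by a service that refuses to start. Because olcServerID is multi-valued in a multi-master setup, set_ldif_attr deliberately removes all existing values before writing the new one; to keep several, write one call per value into a list instead.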