OpenLDAP 2.4 Chain Overlay Minimal LDIF Configuration

configurationopenldap

There's almost no information about how Chain overlays are configured in OpenLDAP LDIF backend. What's the minimal configuration required?

Best Answer

The only way to work this out is by converting an old style configuration file into LDIF style. This show's quite a complex structure which isn't well documented.

The structure creates LDAP database entries in the frontend to intercept referrer responses.

To complicate matters, a schema validation conflicts with OpenLDAP's own configuration requirements (olcDbURI can not be used in the first entry). To work around this, the offline/direct modification must be made but remember that editing the LDIF directly with a text editor is strongly discouraged - See Working with OpenLDAP 2.4 LDIF config backend

If you're on Ubuntu/Debian, ensure you load the back_ldap module - OpenLDAP Chain not found

Create "chainoverlay.ldif":

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

As root, import indirectly:

# ldapadd -Y EXTERNAL -H ldapi:/// -f chainoverlay.ldif

Create "defaultldap.ldif":

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap

Import defaultldap.ldif offline (This is to work around schema validation):
```
# service slapd stop
# slapadd -b cn=config -l defaultldap.ldif
```

Fix a weird entry and perms:

# rm "/etc/ldap/slapd.d/cn=config/olcDatabase={-1}over.ldif"
# chown -R openldap:openldap "/etc/ldap/slapd.d/cn=config"

Start slapd:
```
# service slapd start
```

Create a chain intercept configuration - chainedserver.ldif:

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: ldap://areferredserver.com

Related Solutions

Ubuntu – Setting up OpenLDAP + slapo-translucent on Ubuntu 11.04

If it helps you to get started, it's still possible to configure slapd in the old-fashioned way with slapd.conf and then convert that to new format.

slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d

Above would convert /etc/ldap/slapd.conf to the new format, putting the needed data files in /etc/ldap/slapd.d. Just remember to create the destination directory before running the command.

Ubuntu – Restoring openldap configuration from ldif file

Looking through the documentation it looks as if you may be able to use the -F flag to slapadd to specify a configuration directory, rather than a configuration file:

   -F confdir
          specify a config directory.  If both -f and  -F  are  specified,
          the  config  file will be read and converted to config directory
          format and written  to  the  specified  directory.   If  neither
          option  is  specified,  an  attempt  to  read the default config
          directory will be made before trying to use the  default  config
          file. If a valid config directory exists then the default config
          file is ignored. If dry-run mode is also specified,  no  conver‐
          sion will occur.

If this doesn't work (e.g., you're missing the contents of your cn=config tree), possibly this thread has some suggestions.

Best Answer

Related Solutions

Ubuntu – Setting up OpenLDAP + slapo-translucent on Ubuntu 11.04

Ubuntu – Restoring openldap configuration from ldif file

Related Topic