LDAP Config – Risks of Manually Changing /etc/ldap/slapd.d/cn=config.ldif

Tags: ldap, openldap, Ubuntu

Since 2.3, OpenLDAP uses a configuration engine called slapd-config. It is said that using it allows all LDAP configuration to be changed on the fly.

This is the header of /etc/ldap/slapd.d/cn=config.ldif:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.

I've changed data in it and in some other files that have that header; after restarting slapd, my changes took effect.

Does anything else happen if I change those files manually? If I don't need 'change on the fly', should I edit those files manually instead of using ldapmodify?
Which application generated those files, and when?

NOTE: I'm using openldap-2.4.28 on Ubuntu 12.04

Best Answer

If you change the LDIF files in cn=config manually, their contents and checksums won't match, which is not fatal, but is annoying when using tools such as slapcat.

Modifying cn=config the proper way with ldapmodify is very painful, and you'll end up accumulating tons of carefully hand-crafted, single-purpose, disposable LDIF files. Compared to just editing slapd.conf it's a nightmare. Regardless, if you need to make runtime configuration changes, ldapmodify is your only option. However, if you can afford some downtime, you have two other poisons to choose from.

First, there's the highly unsupported but quick and dirty method which works fine for initial OpenLDAP configuration if you know what you're doing:

$ service slapd stop
$ cp -a /etc/ldap/slapd.d /etc/ldap/slapd.d.old
<edit the LDIF files in /etc/ldap/slapd.d>
$ service slapd start

If slapd starts, it should work ok, but it's always a good idea to tail /var/log/syslog when starting the service:

$ tail -n 0 -f /var/log/syslog|grep slapd

You can fix the checksum errors using slapcat and slapadd as described below.

Second, there's a less unsupported method which involves use of slapcat and slapadd (modified from these instructions):

$ slapcat -n0 -F /etc/ldap/slapd.d > config.ldif
<edit config.ldif>
$ mkdir /etc/ldap/slapd.d.new
$ slapadd -n0 -F /etc/ldap/slapd.d.new -l config.ldif

If slapadd succeeds without errors, you can migrate to the modified slapd.d directory. According to this thread, slapadd only adds data, so overwriting the original slapd.d directory contents is not possible. Therefore we need to move the directories around a bit:

$ service slapd stop
$ mv /etc/ldap/slapd.d /etc/ldap/slapd.d.old
$ mv /etc/ldap/slapd.d.new /etc/ldap/slapd.d
$ chown -R openldap:openldap /etc/ldap/slapd.d
$ service slapd start

These two more or less unsupported methods make living with cn=config slightly more bearable.
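The checksum mismatch the answer mentions is concrete and easy to inspect. Each LDIF file under slapd.d starts with the two-line header quoted in the question, and the hex value on the "# CRC32" line is, as OpenLDAP's back-ldif writes it, the standard CRC-32 of everything that follows that line. Hand-editing the body without updating the header is what produces slapcat's "checksum error" complaints. The script below is an added example, not code from the question, the answer or the OpenLDAP project: it verifies the header of every .ldif file in a slapd.d tree and, with --fix, rewrites the header to match the edited body (the same end state the slapcat/slapadd round trip in the second method produces, minus the syntax validation that slapadd -n0 performs). The sample entry it embeds is constructed; its CRC is computed by the script itself, so the check is self-consistent and runs offline.

```python
#!/usr/bin/env python3
"""Verify or repair the CRC32 headers slapd writes in slapd.d LDIF files.

Usage: check_slapd_crc.py [/etc/ldap/slapd.d [--fix]]
With no arguments it runs against a constructed in-memory sample.
Stop slapd before using --fix on a live configuration directory.
"""
import sys
import tempfile
import zlib
from pathlib import Path

# Header text exactly as it appears at the top of cn=config.ldif.
HEADER = "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_PREFIX = "# CRC32 "


def split_ldif(text):
    """Return (stored_crc, body) for one slapd.d LDIF file.

    body is everything after the '# CRC32 xxxxxxxx' line, which is the
    region the checksum covers. Files with no CRC line return (None, text).
    """
    pos = text.find(CRC_PREFIX)
    if pos == -1 or (pos != 0 and text[pos - 1] != "\n"):
        return None, text
    end = text.index("\n", pos)
    stored = int(text[pos + len(CRC_PREFIX):end].strip(), 16)
    return stored, text[end + 1:]


def compute_crc(body):
    """Standard CRC-32 (same polynomial as zlib / lutil_crc32) of the body."""
    return zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF


def check_ldif(text):
    """Return (stored, computed); stored is None when the file has no CRC line."""
    stored, body = split_ldif(text)
    return stored, compute_crc(body)


def fix_ldif(text):
    """Rewrite the two-line header so the CRC matches the current body."""
    _, body = split_ldif(text)
    return "%s%s%08x\n%s" % (HEADER, CRC_PREFIX, compute_crc(body), body)


def scan(confdir, fix=False):
    """Walk a slapd.d tree; return [(path, status)] with status in
    ok / mismatch / fixed / nocrc. With fix=True, mismatching files are rewritten."""
    results = []
    for path in sorted(Path(confdir).rglob("*.ldif")):
        text = path.read_text(encoding="utf-8")
        stored, computed = check_ldif(text)
        if stored is None:
            results.append((str(path), "nocrc"))
        elif stored == computed:
            results.append((str(path), "ok"))
        elif fix:
            path.write_text(fix_ldif(text), encoding="utf-8")
            results.append((str(path), "fixed"))
        else:
            results.append((str(path), "mismatch"))
    return results


# Constructed sample (not taken from any real system): an olcDatabase entry
# in the shape slapd writes, with a correct header produced by fix_ldif().
SAMPLE_BODY = (
    "dn: olcDatabase={1}hdb\n"
    "objectClass: olcDatabaseConfig\n"
    "objectClass: olcHdbConfig\n"
    "olcDatabase: {1}hdb\n"
    "olcDbDirectory: /var/lib/ldap\n"
    "olcSuffix: dc=example,dc=com\n"
    "olcRootDN: cn=admin,dc=example,dc=com\n"
)
SAMPLE_FILE = fix_ldif(SAMPLE_BODY)
# The same file after a hand edit that left the header untouched.
TAMPERED_FILE = SAMPLE_FILE.replace("olcSuffix: dc=example,dc=com",
                                    "olcSuffix: dc=example,dc=net")


def demo_scan():
    """Write both samples into a temporary slapd.d-style tree and run scan()
    before and after --fix. Returns the two status lists."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "cn=config"
        root.mkdir()
        (root / "olcDatabase={1}hdb.ldif").write_text(SAMPLE_FILE, encoding="utf-8")
        (root / "olcDatabase={2}hdb.ldif").write_text(TAMPERED_FILE, encoding="utf-8")
        before = [status for _, status in scan(d)]
        scan(d, fix=True)
        after = [status for _, status in scan(d)]
    return before, after


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, status in scan(sys.argv[1], fix="--fix" in sys.argv[2:]):
            print("%-9s %s" % (status, path))
    else:
        for name, text in (("intact", SAMPLE_FILE), ("edited", TAMPERED_FILE)):
            stored, computed = check_ldif(text)
            print("%s: stored=%08x computed=%08x -> %s" % (
                name, stored, computed, "ok" if stored == computed else "mismatch"))
        print("scan before/after --fix:", demo_scan())
```

Run it read-only first (no --fix) to see which files were touched by hand; a "mismatch" is exactly what slapcat -F will complain about. Repairing the header only makes the checksum agree with the edited text; it does not tell you whether the edit is valid configuration, so the slapadd -n0 round trip from the second method (or at least a tail of syslog while slapd starts) is still the real validation step.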