Manage OpenLDAP with the CLI

Presentation

The script slapd-cli provide start, stop and other commands for OpenLDAP daemon. It requires:

  • Logger, to forward messages to syslog
  • Awk, for regular expression management
  • OpenLDAP, for save, index,… tools

Configuration of this script can be done in an external file, with the same name as the slapd-cli program

The main features are:

  • start / stop / status of OpenLDAP daemon
  • check configuration
  • debug: start OpenLDAP in debug mode (stay attached)
  • reindex
  • backup / restore data
  • backup / restore configuration
  • check synchronization status
  • import test data / test configuration

Tip

This script is included by default in debian and red-hat OpenLDAP LTB packages. You can also get it from the main repository.

Usage of slapd-cli

The script can be launched like this:

slapd-cli action [optional arguments]

Tip

In OpenLDAP LTB packages, the script is available in /usr/local/openldap/sbin/slapd-cli. Anyway, with the PATH updated by /etc/profile.d/openldap-profile.sh, you can just run slapd-cli.

Action is a keyword between:

start:start the slapd server
stop:stop the slapd server
forcestop:kill the slapd server if it can’t stop
restart:restart the slapd server
debug:start the slapd server in debug mode (stay attached)
force-restart:forcestop + start
status:get the status of currently running slapd server
configtest:test configuration syntax
reindex:index or reindex database
backup:backup the data
restore:restore the data
backupconfig:backup the configuration
restoreconfig:restore the configuration
checksync:check the synchronization state of the current instance to every provider found in configuration
importflatconfigtemplate:
 import the flat template configuration file, after setting the variables
importldifconfigtemplate:
 import the ldif template configuration file, after setting the variables
convertconfig [inputfile.conf] [outputfile.ldif]:
 convert the input slapd configuration file into the equivalent ldif configuration
buildconfigtemplate [inputfile.ldif] [outputfile.ldif]:
 Get the input ldif configuration file and transform it into a template configuration
importdatatemplate:
 import the template data file, after setting the variables
lloadstart:start the load-balancer
lloadstop:stop the load-balancer
lloadstatus:get the status of currently running load-balancer

Tip

slapd-cli provides autocompletion with slapd-cli-prompt configuration file, which is deployed by default in OpenLDAP LTB packages. That way, you just have to use the tab key to find out the actions and autocomplete file names.

Installation of slapd-cli

Note

The OpenLDAP installation path is assumed to be /usr/local/openldap.

Copy script in /usr/local/openldap/sbin:

# mv slapd-cli /usr/local/openldap/sbin
# chmod +x /usr/local/openldap/sbin/slapd

Configuration file must be installed into configuration folder:

# mkdir -p /usr/local/openldap/etc/openldap
# mv slapd-cli.conf /usr/local/openldap/etc/openldap/
# chmod 600 /usr/local/openldap/etc/openldap/slapd-cli.conf

Deploy template files into configuration folder:

# mv *-template.{conf,ldif} /usr/local/openldap/etc/openldap/

Optionally, deploy load-balancer configuration file:

# mv lload.conf /usr/local/openldap/etc/openldap/
# chmod 600 /usr/local/openldap/etc/openldap/lload.conf

Optionally, enable autocomplete:

# mv slapd-cli-prompt /etc/bash_completion.d/

Finally, you can decide to use the systemd services for slapd or lload:

# mv slapd-ltb.service /lib/systemd/system/
# systemctl --system daemon-reload
# systemctl enable slapd-ltb.service

# mv lload-ltb.service /lib/systemd/system/
# systemctl --system daemon-reload
# systemctl enable lload-ltb.service

Configuration of slapd-cli

Use the external file in /usr/local/openldap/etc/openldap rather than editing directly the script.

Following parameters are about network:

Parameter Description
IP Listen address for LDAP requests. Meta character * can be used for all interfaces
PORT Listen port for LDAP requests. Use SLAPD_SERVICES if you need several ports
SSLIP Listen address for LDAPS requests. Meta character * can be used for all interfaces
SSLPORT Listen port for LDAPS requests. Use SLAPD_SERVICES if you need several ports
LDAPI_SOCKETDIR Directory where LDAPI socket is created (will be created if it does not exist)
LDAPI_SOCKETURL LDAPI socket URL (URL encoded value)
SLAPD_SERVICES list of listen LDAP URIs, space-separated. It is made of all previous variables. This parameter is corresponding to -h option in slapd launch command.

Following parameters are about OpenLDAP directories and files:

Parameter Description
SLAPD_PATH OpenLDAP main directory
DATA_PATH Data folder. You can set auto to let slapd-cli find out data paths in configuration
SLAPD_PID_FILE Path to the pid file. It must match the olcPidFile configuration parameter
SLAPD_CONF Path to the flat slapd.conf configuration file
SLAPD_CONF_DIR Path to the slapd.d folder. When defined, SLAPD_CONF won’t be used anymore
SLAPD_BIN slapd binary path
SLAPD_PARAMS Additional options for slapd. Options -h, -f, -u and -g are already managed
SLAPD_MODULEDIR Path to the library module folder
SLAPADD_BIN slapadd binary path
SLAPADD_PARAMS slapadd extra options
SLAPCAT_BIN slapcat binary path
SLAPCAT_PARAMS slapcat extra options
SLAPINDEX_BIN slapindex binary path
SLAPTEST_BIN slaptest binary path
LDAPSEARCH_BIN ldapsearch binary path

Following parameters are about other options for slapd launch:

Parameter Description
SLAPD_USER Owner user of slapd process
SLAPD_GROUP Owner group of slapd process
SLAPD_SYSLOG_LOCAL_USER Syslog local user (by default local4)
TIMEOUT Maximum delay waiting for slapd to stop. After, you need to use the forcestop action
FD_LIMIT Maximum opened file descriptors
DEBUG_LEVEL OpenLDAP log level to use in debug mode. Default is 256 (stats)
SYSTEMD_SERVICE_NAME Name of slapd service in systemd. Default is slapd-ltb.
SYSTEMD_LLOAD_SERVICE_NAME Name of lload service in systemd. Default is lload-ltb.

Following parameters are about backup and restore:

Parameter Description
BACKUP_AT_SHUTDOWN Do a backup data when slapd is stopped
BACKUP_PATH Backup folder
BACKUP_SUFFIX Backup file suffix
BACKUP_COMPRESS_EXT Extension of LDIF compressed file. No compression is done if this is empty
BACKUP_COMPRESS_BIN Binary used to compress LDIF file
BACKUP_UNCOMPRESS_BIN Binary used to uncompress LDIF file
UMASK command used for running umask
MASK mask used for computing unix permissions while backuping

Following parameters are about data provisioning:

Parameter Description
DATA_TEMPLATE_FILE Path to template file used for data provisioning
DATA_SUFFIX Suffix used for data provisioning. suffix is going to be replaced in DATA_TEMPLATE_FILE
DATA_ORGANIZATION Organization (o attribute) used for the suffix in DATA_TEMPLATE_FILE
DATA_SERVICEACCOUNT_DN Distinguished name for a service account.
DATA_SERVICEACCOUNT_PW Password for the latter service account. Password must be clear-text. It will be hashed
DATA_ADMIN_<USER>_DN
Distinguished name for an admin account. <USER> must be replaced by any unique string.
You can add any number of admin accounts by choosing as many <USER> as you want.
Admins are no different from user account except that they are member of an admin group
DATA_ADMIN_<USER>_PW Password for the latter admin account. Password must be clear-text. It will be hashed
DATA_ADMIN_<USER>_UID uid attribute value for the admin account
DATA_ADMIN_<USER>_SN surname for the admin account
DATA_ADMIN_<USER>_GN givenname for the admin account
DATA_ADMIN_<USER>_MAIL mail for the admin account
DATA_USER_<USER>_DN
Distinguished name for a user account. <USER> must be replaced by any unique string.
You can add any number of user accounts by choosing as many <USER> as you want.
DATA_USER_<USER>_PW Password for the corresponding user account. Password must be clear-text. It will be hashed
DATA_USER_<USER>_UID uid attribute value for the user account
DATA_USER_<USER>_SN surname for the user account
DATA_USER_<USER>_GN givenname for the user account
DATA_USER_<USER>_MAIL mail for the user account

Following parameters are about configuration provisioning:

Parameter Description
CONFIG_FLAT_TEMPLATE_FILE Path to the flat slapd.conf template file used for configuration provisioning
CONFIG_LDIF_TEMPLATE_FILE Path to the ldif template file used for configuration provisioning
CONFIG_SUFFIX Main data base suffix
CONFIG_FQDN Full-qualified domain name of the machine hosting slapd (used for olcSaslHost)
CONFIG_LOGLEVEL Log level, see OpenLDAP olcLogLevel directive
CONFIG_LOGFILE path of the log file, see OpenLDAP olcLogFile directive
CONFIG_MANAGERROOTDN Distinguished name for the main data base superadmin
CONFIG_MANAGERROOTPW Password for the main data base superadmin. Password must be clear-text. It will be hashed
CONFIG_CONFIGROOTDN Distinguished name for cn=config superadmin
CONFIG_CONFIGROOTPW Password for the cn=config superadmin. Password must be clear-text. It will be hashed
CONFIG_MONITORROOTDN Distinguished name for cn=monitor superadmin
CONFIG_MONITORROOTPW Password for the cn=monitor superadmin. Password must be clear-text. It will be hashed
CONFIG_DATADIR Path to the main data base folder

Following parameters are about load balancer:

Parameter Description
LLOAD_IP Listen address for LDAP requests. Meta character * can be used for all interfaces
LLOAD_PORT Listen port for LDAP requests. Use LLOAD_SERVICES if you need several ports
LLOAD_SSLIP Listen address for LDAPS requests. Meta character * can be used for all interfaces
LLOAD_SSLPORT Listen port for LDAPS requests. Use LLOAD_SERVICES if you need several ports
LLOAD_SOCKETURL socket URL for load balancer (URL encoded value)
LLOAD_SERVICES
list of listen LDAP URIs, space-separated. It is made of all previous variables.
This parameter is corresponding to -h option in slapd launch command.
LLOAD_PID_FILE Path to the pid file. It must match the olcPidFile configuration parameter
LLOAD_CONF Path to the flat lload.conf configuration file
LLOAD_CONF_DIR Path to the slapd.d lload conf folder. When defined, LLOAD_CONF won’t be used anymore

Run several OpenLDAP instances

You can run several OpenLDAP daemons on the same server.

Copy systemd script:

# cp /lib/systemd/system/slapd-ltb.service /lib/systemd/system/slapd2-ltb.service

Change PIDFile, ExecStart, ExecRestart, ExecStop values:

PIDFile=/usr/local/openldap/var/run/slapd2.pid
ExecStart=/usr/local/openldap/sbin/slapd2-cli start
ExecRestart=/usr/local/openldap/sbin/slapd2-cli restart
ExecStop=/usr/local/openldap/sbin/slapd2-cli stop

Link slapd-cli command:

# ln -s /usr/local/openldap/sbin/slapd-cli /usr/local/openldap/sbin/slapd2-cli

Copy and edit slapd-cli configuration to change at least the ports and PID file:

# cp /usr/local/openldap/etc/openldap/slapd-cli.conf /usr/local/openldap/etc/openldap/slapd2-cli.conf