Learning openldap 2.4 cn=config usage

Last time I setup a OpenLDAP server to provide authentication for a small group of servers and services I configured it using slapd.conf which is now referred as “old style”. As such, packages in Ubuntu Server 12.04 ship with cn=config and no legacy slapd.conf. Well, apparently a lot has changed, but the documentation is lagging for an almost first time ldap-admin.

What I just did was to add dynlist support, as in the support for automatically expanded alias lists for email. First problem I encountered was that I couldn’t access the cn=config entries by simply ldapsearch -x or even by binding as the database admin DN. Solution was not far away, it was documented in /usr/share/doc/slapd/README.Debian.gz; you need to authenticate yourself as root via SASL “external” mechanism as in sudo ldapsearch -Y EXTERNAL -H ldapi:///.

Next question was, what do we need to do to get this dynlist support. Admin guide has some slapd.conf examples, but we’d need cn=config examples! whitemiceconsulting.com has a nice article, but their setup seems to have a lot more than simply dynlist support to confuse a beginner. I started out with a directory for all my configuration changes (LDIF files) and wrote the first one (01-modules.ldif):

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}dynlist

Things to note here are that I had only one module to load before the dynlist module, so if you have more, just increment the previous index (you can list the existing modules using sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=module{0},cn=config'). Next you can validate the change before actually making it with sudo -u root ldapmodify -Y EXTERNAL -H ldapi:/// -vn -f 01-modules.ldif which should report:

add olcModuleLoad:
!modifying entry "cn=module{0},cn=config"

Apply the change (modification) by dropping the -n option.

Following the whitemiceconsulting.com guide next we need the schema definition containing the two attributes provided by dynlist. Not sure why whitemiceconsulting.com offers their own schema LDIF as Ubuntus (Debians actually) package contains /etc/ldap/schema/dyngroup.ldif. You can import by: sudo -u root ldapadd -Y EXTERNAL -H ldapi:/// -f 02-dyngroup.ldif.

Last item is to add the overlay support into your database, which is pretty straightforward as noted in whitemiceconsulting.com article. You just need to know what database to add it in. Luckily you only have one at this point, or if you have more you probably know more than to read this post.


dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist

As you probably guessed from the absence of “changetype” this is an add, so apply it using sudo -u root ldapadd -Y EXTERNAL -H ldapi:/// -f 03-dbconfig.ldif.

Next you should probably test out the dynlist support. I had an already built database of users and email addressses for this, but I cannot paste it here.



  1. zubin
    Posted 2012-09-27 at 21:38 | Permalink | Reply

    Excellent Post.. Thanks for the information

  2. iguanajazz
    Posted 2015-08-11 at 20:46 | Permalink | Reply

    Thank you so much!! Very useful!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: