slapd-config
This role sets up the complete configuration of an OpenLDAP server. The base configuration must already exist and the slapd service must already be running; the slapd-base role takes care of that.
slapd-config writes the main configuration directly into cn=config and loads the required global modules (such as mdb) when they are not built in. It then creates and configures the monitor backend and an MDB (Memory-Mapped Database) database, which can additionally carry overlays.
Requirements
You need a Linux distribution that uses dpkg or pacman.
Role Variables
Here are some important role variables:
| Name | Default/Required | Description |
|---|---|---|
| `slapd_enable_monitor` | `true` | Load the monitor module (if needed) and set up the monitor database. |
| `slapd_modules_path` | `/usr/lib/ldap` | Path to the dynamic modules, needed if they are not compiled in. |
| `slapd_additional_modules` | | Load these extra modules (besides MDB and monitor) if they are not built in. |
| `slapd_olc_rootdn_password` | :heavy_check_mark: | Password to access the configuration. Not automatically provided by slapd-base. |
| `slapd_monitor_rootdn_password` | :heavy_check_mark: | Password for the monitor database. Will be hashed automatically. |
| `slapd_mdb_rootdn_password` | :heavy_check_mark: | Password for the MDB database. Will be hashed automatically. |
| `slapd_schemas` | | List of paths to schema files to load. |
| `slapd_global_config` | See description | Each global configuration option for slapd. |
| `slapd_olc_config` | See description | Each configuration value for the OLC database. |
| `slapd_monitor_config` | See description | Each configuration value for the monitor database. |
| `slapd_mdb_config` | :heavy_check_mark: | Each configuration value for the MDB database. |
| `slapd_mdb_overlays` | See description | Each overlay module for the MDB. |
slapd-base variables
Set these if slapd-base was not run before this role. All of them are required.

| Name | Default/Required | Description |
|---|---|---|
| `slapd_run_dir` | :heavy_check_mark: | Directory for runtime files such as the args file and the pid file. |
| `slapd_ldapi_socket` | :heavy_check_mark: | Unix socket for local slapd management. |
| `slapd_mdb_dir` | :heavy_check_mark: | Directory for the MDB data. |
| `slapd_olc_dir` | :heavy_check_mark: | Path for the LDIF files of the OLC. |
| `slapd_olc_rootdn` | :heavy_check_mark: | RootDN for the OLC. |
Global configuration options
The main configuration for slapd OLC is organized into sections.
General configuration
| Name | Default/Required | Description |
|---|---|---|
| `olcConfigFile` | | Path to a configuration file to load. Does not apply when using OLC. |
| `olcConfigDir` | `{{slapd_olc_dir}}` | Path to the OLC database files. |
| `olcArgsFile` | `{{slapd_run_dir}}/slapd.args` | slapd writes its command-line arguments to this file. |
| `olcPidFile` | `{{slapd_run_dir}}/slapd.pid` | slapd writes its PID to this file. |
| `olcGentleHUP` | `FALSE` | If `TRUE`, slapd does not kill existing connections on a `SIGHUP` but waits for them to finish. |
| `olcServerID` | `0` | Server ID. Needed only for multi-master replication. |
| Name | Default/Required | Description |
|---|---|---|
| `olcAllows` | | Features that are allowed. |
| `olcDisallows` | | Features that are disallowed. |
| `olcRequires` | `bind` | Conditions that must be met. |
| `olcRestrict` | | List of restricted operations. |
| `olcSecurity` | `ssf=1 simple_bind=128` | Required security strength factors. |
| `olcAuthIDRewrite` | | Convert simple usernames to LDAP DNs for authentication. |
| `olcAuthzRegexp` | | Convert simple usernames to LDAP DNs for authentication; can be given multiple times but requires a server restart. |
| `olcAuthzPolicy` | `none` | Rules for proxy authorization. |
| `olcLocalSSF` | `300` | SSF assumed for LDAPI connections. |
| `olcPasswordHash` | `{SSHA}` | Hash algorithms used for password modifications. |
| `olcPasswordCryptSaltFormat` | `%s` | Salt format for password hashing with `crypt()`. |
TLS configuration
| Name | Default/Required | Description |
|---|---|---|
| `olcTLSCertificateFile` | | Public key (certificate) file for slapd. |
| `olcTLSCertificateKeyFile` | | Private key for slapd. |
| `olcTLSRandFile` | | File for random bits when urandom is not available. |
| `olcTLSDHParamFile` | | File with primes for the Diffie-Hellman key exchange. |
| `olcTLSCipherSuite` | | TLS cipher suites to use. |
| `olcTLSProtocolMin` | | Minimum required TLS version. Default is the highest possible level. |
| `olcTLSCACertificateFile` | | File with trusted certificate authorities. |
| `olcTLSCACertificatePath` | | Directory with files for trusted certificate authorities. |
| `olcTLSCRLCheck` | `none` | Whether to check the CA's CRL on connections. |
| `olcTLSVerifyClient` | `never` | When to verify the client's identity. |
Logging configuration
| Name | Default/Required | Description |
|---|---|---|
| `olcLogLevel` | `stats` | Logging level for each subsystem. |
| `olcLogFile` | | Log file location. slapd always logs to stderr as well. |
| `olcPluginLogFile` | | Log file for plugin output. |
| `olcReplogFile` | | File for the replog for `slurpd`. |
Threading configuration
| Name | Default/Required | Description |
|---|---|---|
| `olcConcurrency` | | Threading hint for the OS; not used under Linux. |
| `olcListenerThreads` | `1` | Number of threads listening for connections; 1 is enough for up to 16 cores. |
| `olcThreads` | `16` | Number of CPU threads for processing requests. |
| `olcToolThreads` | `1` | CPU threads for tool mode; should not exceed the number of cores. |
Timeouts and limits
| Name | Default/Required | Description |
|---|---|---|
| `olcIdleTimeout` | `0` | Seconds a client can be idle before being disconnected. |
| `olcWriteTimeout` | `0` | Seconds a client with open writes can be idle before being disconnected. |
| `olcTimeLimit` | `3600` | Maximum seconds slapd may spend on a request. Allows an unlimited value. |
| `olcSizeLimit` | `500` | Maximum number of entries to return from a search. |
Connections
| Name | Default/Required | Description |
|---|---|---|
| `olcConnMaxPending` | `50` | Maximum number of pending requests in anonymous sessions. |
| `olcConnMaxPendingAuth` | `1000` | Maximum number of pending requests in authenticated sessions. |
| `olcTCPBuffer` | | Size of the TCP buffer; the system may tune this automatically. |
| `olcSockbufMaxIncoming` | `262143` | Maximum size of the LDAP PDU for anonymous sessions. |
| `olcSockbufMaxIncomingAuth` | `4194303` | Maximum size of the LDAP PDU for authenticated sessions. |
SASL
| Name | Default/Required | Description |
|---|---|---|
| `olcSaslHost` | | Fully qualified domain name used for SASL processing. |
| `olcSaslRealm` | | SASL realm used for processing. |
| `olcSaslSecProps` | | Cyrus SASL security properties. |
| `olcSaslAuxprops` | | Auxiliary plugins for authentication lookups. |
Indexing
| Name | Default/Required | Description |
|---|---|---|
| `olcIndexSubstrIfMinLen` | `2` | Minimum length for subinitial and subfinal indices. |
| `olcIndexSubstrIfMaxLen` | `4` | Maximum length for subinitial and subfinal indices. |
| `olcIndexSubstrAnyLen` | `4` | Length for subany indices; longer attribute values are processed in parts. |
| `olcIndexSubstrAnyStep` | `2` | Step for subany lookups: the offset between the parts of the filter string that are processed. |
| `olcIndexIntLen` | `4` | Key length for ordered integer indices. |
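The interaction of the four substring parameters is easier to see in code than in the table. The following Python is an added example (not part of this role or of OpenLDAP) that models which substring keys are generated for an indexed value and which lookups a `(attr=*fragment*)` filter produces. It is a simplified model: real slapd keys are hashed and carry a matching-rule prefix, and the candidate set from the index is always re-checked against the actual entries, so this only shows why a fragment shorter than `olcIndexSubstrAnyLen` cannot use the index and how the step value thins out lookups.

```python
from typing import List

# Defaults from the Indexing table above.
SUBSTR_IF_MIN_LEN = 2
SUBSTR_IF_MAX_LEN = 4
SUBSTR_ANY_LEN = 4
SUBSTR_ANY_STEP = 2


def subinitial_keys(value: str, min_len: int = SUBSTR_IF_MIN_LEN,
                    max_len: int = SUBSTR_IF_MAX_LEN) -> List[str]:
    """Prefixes of the value that receive a subinitial key (lengths min_len..max_len)."""
    return [value[:n] for n in range(min_len, max_len + 1) if n <= len(value)]


def subfinal_keys(value: str, min_len: int = SUBSTR_IF_MIN_LEN,
                  max_len: int = SUBSTR_IF_MAX_LEN) -> List[str]:
    """Suffixes of the value that receive a subfinal key (lengths min_len..max_len)."""
    return [value[-n:] for n in range(min_len, max_len + 1) if n <= len(value)]


def subany_index_keys(value: str, any_len: int = SUBSTR_ANY_LEN) -> List[str]:
    """At indexing time every any_len-character window of the value gets a key."""
    return [value[i:i + any_len] for i in range(0, len(value) - any_len + 1)]


def subany_filter_lookups(fragment: str, any_len: int = SUBSTR_ANY_LEN,
                          step: int = SUBSTR_ANY_STEP) -> List[str]:
    """At search time the *fragment* of a filter is cut into any_len windows every step characters.

    With the defaults, "abcdefgh" yields the lookups abcd, cdef, efgh.
    """
    return [fragment[i:i + any_len]
            for i in range(0, len(fragment) - any_len + 1, step)]


def subany_candidate(value: str, fragment: str, any_len: int = SUBSTR_ANY_LEN,
                     step: int = SUBSTR_ANY_STEP) -> bool:
    """Would the indexed value survive the index lookup for (attr=*fragment*)?

    Returns a superset of the true matches; slapd compares the surviving
    entries against the filter afterwards. A fragment shorter than any_len
    produces no lookups, so the index cannot narrow the candidates at all.
    """
    lookups = subany_filter_lookups(fragment, any_len, step)
    if not lookups:
        return True
    keys = set(subany_index_keys(value, any_len))
    return all(k in keys for k in lookups)


if __name__ == "__main__":
    print(subinitial_keys("abcdefgh"), subfinal_keys("abcdefgh"))
    print(subany_index_keys("abcdefgh"))
    print(subany_filter_lookups("abcdefgh"))
    print(subany_candidate("xxabcdefghxx", "abcdefgh"),
          subany_candidate("abcxefgh", "abcdefgh"))
```

Raising `olcIndexSubstrAnyStep` reduces the number of index lookups per search but lets more non-matching entries through to the slower full comparison; lowering `olcIndexSubstrAnyLen` makes short fragments indexable at the cost of a larger index.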
Miscellaneous
| Name | Default/Required | Description |
|---|---|---|
| `olcAttributeOptions` | `x-hidden lang-` | Tagging options for attributes, or option tag/range prefixes. |
| `olcReferral` | | Referral URL returned when slapd cannot find a local database. |
| `olcReverseLookup` | `FALSE` | Enable reverse lookups for client names that are not verified. |
| `olcRootDSE` | | Name of an LDIF file containing user-defined attributes for the root DSE. |
| `olcReadOnly` | `FALSE` | Set the server to read-only mode. Warning: once set to true, it cannot be changed back without modifying the database and restarting slapd! |
| `olcLdapSyntaxes` | | Unclear purpose; no documentation found online. |
Database configuration values
These values apply to every database (OLC, monitor, and MDB). Here’s a summary of them. Default values for each database are below.
General
| Name | Required | Description |
|---|---|---|
| `olcSuffix` | :heavy_check_mark: | DN suffix for queries sent to the database. Not needed for OLC and monitor. |
| `olcReadOnly` | :heavy_check_mark: | Sets this database to read-only mode. Changes are not allowed. |
| `olcHidden` | :heavy_multiplication_x: | Prevents any queries to this database; slapd will deny its existence. |
| `olcLastMod` | :heavy_check_mark: | Whether slapd maintains attributes such as `modifiersName`, `modifyTimestamp`, etc. |
| `olcSubordinate` | :heavy_multiplication_x: | Whether this database is a subordinate of another database. |
Security
| Name | Required | Description |
|---|---|---|
| `olcSecurity` | :heavy_multiplication_x: | Required security strength factors. |
| `olcRootDN` | :heavy_check_mark: | Name of the RootDN for this database. |
| `olcRootPW` | :heavy_check_mark: | Hashed password for the RootDN of this database. |
| `olcRequires` | :heavy_multiplication_x: | Conditions that need to be met. |
| `olcRestrict` | :heavy_multiplication_x: | List of restricted operations. |
| `olcAddContentAcl` | :heavy_check_mark: | Whether to run ACL checks on the content of entries being added. |
| `olcAccess` | :heavy_check_mark: | Set of ACL rules for this database. |
Timeouts and limits
| Name | Required | Description |
|---|---|---|
| `olcTimeLimit` | :heavy_multiplication_x: | Maximum time slapd may spend on a request; allows an unlimited value. |
| `olcSizeLimit` | :heavy_multiplication_x: | Maximum number of entries to return from a search. |
| `olcLimits` | :heavy_multiplication_x: | Time and size limits based on the operation's initiator or base DN. |
Syncrepl
| Name | Required | Description |
|---|---|---|
| `olcSyncrepl` | :heavy_multiplication_x: | Main configuration for Syncrepl. |
| `olcUpdateDN` | :heavy_multiplication_x: | DN allowed to modify the replica. Not the rootDN. |
| `olcSyncUseSubentry` | :heavy_multiplication_x: | Store the Syncrepl contextCSN in a subentry instead of the main entry. |
| `olcUpdateRef` | :heavy_multiplication_x: | Referral to return if slapd is asked to modify a replicated database. |
| `olcMirrorMode` | :heavy_multiplication_x: | Set this database to mirror mode. |
slurpd
| Name | Required | Description |
|---|---|---|
| `olcReplica` | :heavy_multiplication_x: | |
| `olcReplicaArgsFile` | :heavy_multiplication_x: | |
| `olcReplicaPidFile` | :heavy_multiplication_x: | |
| `olcReplicationInterval` | :heavy_multiplication_x: | |
| `olcReplogFile` | :heavy_multiplication_x: | |
Miscellaneous
| Name | Required | Description |
|---|---|---|
| `olcSchemaDN` | :heavy_multiplication_x: | DN of the subschema entry for the entries. |
| `olcMaxDerefDepth` | :heavy_multiplication_x: | Maximum number of aliases to follow. |
| `olcPlugin` | :heavy_multiplication_x: | Load slapi plugins. |
| `olcMonitoring` | :heavy_multiplication_x: | Collect monitoring data for this database. |
| `olcExtraAttrs` | :heavy_multiplication_x: | Attributes to return even when not searched for. |
MDB settings
These settings apply only to the MDB database!
| Name | Required | Default | Description |
|---|---|---|---|
| `olcDbDirectory` | :heavy_check_mark: | `{{slapd_mdb_dir}}` | Path to the database directory. |
| `olcDbNoSync` | :heavy_multiplication_x: | `TRUE` | Do not sync to disk immediately after data is received. |
| `olcDbCheckpoint` | :heavy_multiplication_x: | `8192 15` | Frequency (KB / minutes) at which the database is flushed to disk. |
| `olcDbMaxReaders` | :heavy_multiplication_x: | | Maximum number of threads accessing the DB simultaneously. |
| `olcDbMaxSize` | :heavy_multiplication_x: | | Maximum database size in bytes. |
| `olcDbMode` | :heavy_multiplication_x: | `0600` | File mode for the database files. |
| `olcDbSearchStack` | :heavy_multiplication_x: | `16` | Stack depth for search filter evaluations. |
| `olcDbRtxnSize` | :heavy_multiplication_x: | | Number of entries per read transaction. |
| `olcDbIndex` | :heavy_multiplication_x: | | Indices to create for this database. |
Default values for each database
| Name | Frontend default | OLC default | Monitor default | MDB default |
|---|---|---|---|---|
| `olcSuffix` | | | | :exclamation: |
| `olcReadOnly` | `FALSE` | `FALSE` | | |
| `olcHidden` | `FALSE` | | | |
| `olcLastMod` | `TRUE` | `TRUE` | | |
| `olcSubordinate` | | | | |
| `olcSecurity` | | | | |
| `olcRootDN` | | `{{slapd_olc_rootdn}}` | `cn=root,cn=monitor` | `cn=root,{{olcSuffix}}` |
| `olcRootPW` | | [Hashed password] | [Hashed password] | [Hashed password] |
| `olcRequires` | | | | |
| `olcRestrict` | | | | |
| `olcAddContentAcl` | `TRUE` | `TRUE` | | |
| `olcAccess` | `'to * by * read'` | `'to * by * none'` | `'to * by * none'` | `'to * by * none'` |
| `olcTimeLimit` | | | | |
| `olcSizeLimit` | | | | |
| `olcLimits` | | | | |
| `olcSyncrepl` | | | | |
| `olcUpdateDN` | | | | |
| `olcSyncUseSubentry` | `FALSE` | `FALSE` | | |
| `olcUpdateRef` | | | | |
| `olcMirrorMode` | `FALSE` | | | |
| `olcReplica` | | | | |
| `olcReplicaArgsFile` | | | | |
| `olcReplicaPidFile` | | | | |
| `olcReplicationInterval` | | | | |
| `olcReplogFile` | | | | |
| `olcSchemaDN` | `cn=Subschema` | | | |
| `olcMaxDerefDepth` | `15` | `15` | | |
| `olcPlugin` | | | | |
| `olcMonitoring` | `FALSE` | `FALSE` | | |
| `olcExtraAttrs` | | | | |
Dependencies
You must have schema2ldif installed.
Example Playbook
```yaml
- hosts: ldap
  roles:
    - slapd-config
  # Role variables for this play; the flattened original lost the vars: key
  # and the indentation, without which Ansible rejects the playbook.
  vars:
    slapd_modules_path: /usr/lib/openldap
    slapd_olc_rootdn_password: water
    slapd_mdb_rootdn_password: water
    slapd_monitor_rootdn_password: water
    slapd_additional_modules: [ 'memberof' ]
    slapd_mdb_config:
      olcSuffix: "dc=example,dc=com"
    slapd_mdb_overlays:
      memberof:
        olcOverlay: memberof
        objectClass: olcMemberOf
        olcMemberOfDangling: ignore
```
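To see what the `slapd_mdb_overlays` entry in the playbook corresponds to inside cn=config, the following Python is an added example (not the role's own tasks) that renders such an overlay dictionary as the LDIF entry that would be loaded under the MDB database entry. The database DN `olcDatabase={1}mdb,cn=config` is an assumption (the index depends on the order in which databases were created), and the placement of the overlay as `olcOverlay=<name>,<database dn>` with `objectClass: olcOverlayConfig` follows the usual cn=config layout rather than anything this page states. The renderer applies the LDIF rule that values which are not safe ASCII strings must be base64-encoded after `::`.

```python
import base64
from typing import Dict, Iterable, List, Union

Value = Union[str, Iterable[str]]

# Constructed sample: the overlay dictionary from the example playbook above.
SLAPD_MDB_OVERLAYS: Dict[str, Dict[str, Value]] = {
    "memberof": {
        "olcOverlay": "memberof",
        "objectClass": "olcMemberOf",
        "olcMemberOfDangling": "ignore",
    }
}
MDB_DN = "olcDatabase={1}mdb,cn=config"  # assumed database index


def _is_safe_ldif_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: printable ASCII and not starting with space, ':' or '<'."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(0x20 <= ord(ch) < 0x7F for ch in value)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; unsafe values are base64-encoded and marked with '::'."""
    if _is_safe_ldif_string(value):
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def _as_list(value: Value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def render_entry(dn: str, attrs: Dict[str, Value]) -> str:
    """Render a single LDIF entry; multi-valued attributes become repeated lines."""
    lines = [ldif_attr("dn", dn)]
    for name, value in attrs.items():
        for v in _as_list(value):
            lines.append(ldif_attr(name, v))
    return "\n".join(lines) + "\n"


def render_overlay(db_dn: str, overlay: Dict[str, Value]) -> str:
    """Render one slapd_mdb_overlays entry as an olcOverlay child of the database entry.

    olcOverlayConfig is prepended to the objectClass list because every overlay
    entry in cn=config needs it in addition to the overlay-specific class.
    """
    name = overlay["olcOverlay"]
    classes = ["olcOverlayConfig"] + [
        c for c in _as_list(overlay.get("objectClass", [])) if c != "olcOverlayConfig"
    ]
    attrs: Dict[str, Value] = {"objectClass": classes}
    for key, value in overlay.items():
        if key != "objectClass":
            attrs[key] = value
    return render_entry(f"olcOverlay={name},{db_dn}", attrs)


def render_overlays(db_dn: str, overlays: Dict[str, Dict[str, Value]]) -> str:
    """Render all overlays of a database, separated by blank lines as LDIF requires."""
    return "\n".join(render_overlay(db_dn, ov) for ov in overlays.values())


if __name__ == "__main__":
    print(render_overlays(MDB_DN, SLAPD_MDB_OVERLAYS))
```

The resulting LDIF is what would be handed to the server over the local `slapd_ldapi_socket` with the OLC rootdn; the `::` handling matters for values such as `olcAccess` rules that begin with whitespace or contain non-ASCII characters, which otherwise silently change meaning when written as plain `attr: value` lines.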
License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.