Page tree
Skip to end of metadata
Go to start of metadata


Slapdconf Basics

TODO: assume the use of slapdconf utilities (

Ubuntu LTS is assumed.

In ubuntu run the commands as root (using the ldapi:/// and EXTERNAL SASL authentication)

Looking Around

Get global server configuration:

$ slapdconf get-server-prop
olcLogLevel : stats
olcTLSCACertificateFile : /etc/ldap/tls/cacert.pem
olcTLSCertificateFile : /etc/ldap/tls/
olcTLSCertificateKeyFile : /etc/ldap/tls/
olcTLSCipherSuite : NORMAL

List configured suffixes:

$ slapdconf list-suffixes

Get suffix configuration:

$ slapdconf get-suffix-prop dc=example,dc=com
olcDatabase : {1}hdb
olcDbDirectory : /var/lib/ldap/example
olcRootDN : cn=admin,dc=example,dc=com
olcRootPW : secret
olcAccess :
  {0}to attrs=userPassword,shadowLastChange by dn="uid=idm,ou=Administrators,dc=example,dc=com" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by anonymous auth by self write by * none
  {1}to dn.base="" by * read
  {2}to dn.subtree="ou=people,dc=example,dc=com" by dn="uid=idm,ou=Administrators,dc=example,dc=com" write
  {3}to dn.subtree="ou=groups,dc=example,dc=com" by dn="uid=idm,ou=Administrators,dc=example,dc=com" write
  {4}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write by dn="uid=idm,ou=Administrators,dc=example,dc=com" read by self read by * none
olcDbConfig :
  {0}set_cachesize 0 2097152 0
  {1}set_lk_max_objects 1500
  {2}set_lk_max_locks 1500
  {3}set_lk_max_lockers 1500
olcDbIndex :
  objectClass eq
  entryUUID eq
  entryCSN eq

Database and Suffix Management

Create Database and Suffix

To create new suffix:

$ slapdconf add-module back_mdb
$ mkdir /var/lib/ldap/example
$ chown openldap:openldap /var/lib/ldap/example
$ slapdconf create-suffix dc=example,dc=com --dbDir /var/lib/ldap/example --dbType mdb --rootPassword secret

This command loads the back_mdb module that is needed to support database of type mdb. Then it creates a directory for the new database and sets correct permissions. The last line creates the database and suffix in the server.

Delete Database and Suffix

To delete a suffix:

$ service slapd stop
$ slapdadm delete-suffix dc=example,dc=com
$ service slapd start

Deleting a suffix

 OpenLDAP does not have yet a support for deleting a database (and therefore also suffix) from a running server. The server needs to be stopped, database files deleted and configuration needs to be updated manually. The slapdadm has an option to do this.

Populating the Suffix

When the suffix is created it is completely empty. Not even the base object is there. The following command creates the basic objects of the suffix:

ldapgenerate -D "cn=admin,dc=example,dc=com" -w secret -i -s dc=example,dc=com

The suffix root user must be used explicitly when creating a base object for the suffix. The EXTERNAL SASL authentication will not work here.


Increasing Mdb maximum size:

$ slapdconf set-suffix-prop dc=example,dc=com olcDbMaxsize:1073741824

(requires server restart to apply)

Setting up VLV

slapdconf add-module sssvlv
slapdconf add-overlay dc=example,dc=com sssvlv olcSssVlvConfig


See current log level:

$ slapdconf get-log-level
olcLogLevel : stats

Set a log level:

$ slapdconf set-log-level stats stats2

The log levels are:

  • trace
  • packets
  • args
  • conns
  • BER
  • filter
  • config
  • ACL
  • stats
  • stats2
  • shell
  • parse
  • sync
  • none

Set maximum logging:

$ slapdconf set-log-level 65535
  • No labels