OpenLDAP
Runs an OpenLDAP server for custom user management. By default the LDAP server listens on the srv network for LDAP requests.
Components
OpenLDAP server
ldapvi utility to edit live LDAP records
Configuration
The main OpenLDAP configuration is split into several parts. Some of these are left empty by default and may be edited by service users:

/etc/openldap/slapd.00acl-local.conf
    allows defining custom ACLs which precede the default ACLs
/etc/openldap/slapd.20main-local.conf
    allows adding main configuration settings after the default configuration
/etc/openldap/slapd.40backend-local.conf
    allows overriding the default backend configuration, e.g. to define custom indexes
/etc/openldap/listen_urls
    contains a list of LDAP URIs to listen on, one per line. Listening on srv addresses and localhost is added automatically.
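Because the ACLs in slapd.00acl-local.conf are evaluated before the default ones, and slapd applies the first `access to` clause that matches a request, a local ACL file can tighten access to sensitive attributes without touching the defaults. The fragment below is an added illustration, not part of this documentation or of the Flying Circus configuration; it uses the suffix cn=example,cn=com shown above and assumes a hypothetical admin entry cn=admin,cn=example,cn=com.

```conf
# Example content for /etc/openldap/slapd.00acl-local.conf (illustration only).
# Password hashes: users may change their own, anonymous clients may only
# use the attribute to authenticate (bind), everyone else gets nothing.
# "cn=admin,cn=example,cn=com" is an assumed administrative DN.
access to attrs=userPassword,shadowLastChange
    by dn.exact="cn=admin,cn=example,cn=com" write
    by self write
    by anonymous auth
    by * none

# Entries not matched by a clause in this file fall through to the
# default ACLs that follow it in the generated slapd configuration.
```

The `by anonymous auth` line is what allows a client to bind with a password at all; dropping it locks everyone out of password authentication, so check the order and the `by` clauses carefully before restarting slapd.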
In addition, service users may also place custom schema files into /etc/openldap/schema.

The LDAP database suffix (as found in /etc/openldap/suffix, e.g. cn=example,cn=com) can only be changed by Flying Circus support staff and requires the database to be rebuilt.
Interaction
After configuration changes, invoke sudo /etc/init.d/slapd restart as the service user to activate the new configuration.
To have all slapd indexes rebuilt during the server restart, invoke sudo slapd-restart-reindex instead.
Monitoring
We monitor the reachability of OpenLDAP over IPv4 and IPv6 on the srv network by default. Usually these checks are sufficient, so no custom monitoring configuration is required.