OpenLDAP#

Runs an OpenLDAP server for custom user management. The LDAP server listens by default on the srv network for LDAP requests.

Components#

  • OpenLDAP server

  • ldapvi utility to edit live LDAP records

Configuration#

The main OpenLDAP configuration is broken into parts. Some of these are left empty by default and may be edited by service users:

  • /etc/openldap/slapd.00acl-local.conf allows to define custom ACLs which precede the default ACLs

  • /etc/openldap/slapd.20main-local.conf allows to add main configuration settings after the default configuration

  • /etc/openldap/slapd.40backend-local.conf allows to override the default backend configuration, e.g. to define custom indexes.

  • /etc/openldap/listen_urls contains a list of LDAP URIs to listen on, one per line. Listening on srv addresses and localhost is added automatically.

In addition, service users may also place custom schema files into /etc/openldap/schema.

The LDAP database suffix (as found in /etc/openldap/suffix, e.g. cn=example,cn=com) can only be changed by Flying Circus support staff and requires the database to be rebuilt.

Interaction#

After configuration changes, invoke sudo /etc/init.d/slapd restart as service user to activate the new configuration.

To get all slapd indexes rebuilt during server restart, invoke sudo slapd-restart-reindex.

Monitoring#

We monitor the reachability of OpenLDAP via IPv4 and IPv6 via the srv network by default. Usually these checks are sufficient, so there is no custom monitoring configuration required.