LDAP configuration

In contrast to many other server configurations OpenLdap supports parameter configuration within its own database backend. In other words: Some parameters are not being stored in configuration files.

Actually OpenLdap still supports an alternate configuration file based approach which may be activated. Its use however is discouraged according to the documentation:


The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.

The DIT style configuration may be altered by LDAP clients like ldapmodify using .ldif files. An alternate way requires altering the server's configuration /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif. We start by gathering required information. Note: The ldapsearch command is part of the openldap-utils package:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,cn=config

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=hdm-stuttgart,dc=de
olcRootPW: {SSHA}7M0gUyHOH7cfK1z9amqgK0uQcn84AuYw

The above lines appear near in the tail section. We see two databases {0} and {1} representing two different DITs namely cn=config (the configuration database) and dc=hdm-stuttgart,dc=de (containing our actual directory data).

The configuration database does have a olcRootDN: cn=admin,cn=config entry but a corresponding olcRootPW attribute is yet missing. This limits configuration access to localhost.

External access e.g. by Apache Directory Studio requires adding this credential attribute. This first-time (bootstrapping) configuration must be done locally by means of an LDIF file adding a (possibly different) hashed password:

root@sdi8a:~# cat ~/add_olcRootPW.ldif
dn: olcDatabase={0}config,cn=config
add: olcRootPW
olcRootPW: {ssha}pHE+EPOG2gyRyOgjvFqsWOb5zGsGl9CD

Activating this configuration my be effected by using ldapmodify:

root@sdi8a:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ~/add_olcRootPW.ldif
modifying entry "olcDatabase={0}config,cn=config"

This activation in turn enables a new account:

Bind DN:


Bind password


Base DN


When configuring a connection to access this configuration database you may have to untick Apache Directory Studio's Get base DNs from Root DSE box in the Browser Options tab. Then configure "cn=config" in the Base DN: manually.

We may now dynamically alter ourserver configuration parameters remotely using e.g. Apache directory studio:

A prominent configuration change candidate is our server's log level: Depending on your success during subsequent exercises you may want to adjust olcLogLevel in cn=config appropriately.


Using using olcLogFile will not override OpenLdap using your host's syslog facility: The file will be created (provided write permission is being granted) but log messages will still be written to /var/log/syslog.

Thus creating a separate ldap.log file requires configuring your system's syslog daemon appropriately. Current systems allow for creating a file i.e. /etc/rsyslog.d/slapd.conf containing the desired log data redirection. Do not forget to restart your service.