OpenLDAP

Runs an OpenLDAP server for custom user management. The LDAP server listens by default on the srv network for LDAP requests.

Components

  • OpenLDAP server
  • ldapvi utility to edit live LDAP records

Configuration

The main OpenLDAP configuration is broken into parts. Some of these are left empty by default and may be edited by service users:

  • /etc/openldap/slapd.00acl-local.conf lets service users define custom ACLs; they are included before the default ACLs and, since slapd applies the first matching access clause, take precedence over them
  • /etc/openldap/slapd.20main-local.conf lets service users add main configuration settings after the default configuration
  • /etc/openldap/slapd.40backend-local.conf lets service users override the default backend configuration, e.g. to define custom indexes
  • /etc/openldap/listen_urls contains a list of LDAP URIs to listen on, one per line. Listening on srv addresses and localhost is added automatically.

In addition, service users may also place custom schema files into /etc/openldap/schema.

The LDAP database suffix (as found in /etc/openldap/suffix, e.g. dc=example,dc=com) can only be changed by Flying Circus support staff and requires the database to be rebuilt.
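The two fragments below are an added example of what service users typically put into the ACL and backend files; they are not the defaults shipped with the role. The suffix dc=example,dc=com, the subtree ou=people and the indexed attributes are assumptions and must be adapted to the value in /etc/openldap/suffix and to the schema actually in use. Comments are on their own lines because slapd.conf does not accept trailing comments, and indented lines are continuation lines of the preceding directive.

```conf
# /etc/openldap/slapd.00acl-local.conf  (added example, adapt to your suffix)
#
# slapd walks the "access to" clauses in file order and uses the first one
# whose <what> matches the entry or attribute; inside a clause the first
# matching "by" line decides. Because this file is included ahead of the
# default ACLs, anything matched here shadows them.

# Password hashes: writable by the entry itself, usable for binding by anyone
# (needed for simple bind), readable by nobody else.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Entries under ou=people: readable by authenticated users only.
# ou=people,dc=example,dc=com is an assumed DN.
access to dn.subtree="ou=people,dc=example,dc=com"
    by users read
    by * none

# Do NOT end this file with a catch-all such as "access to * by * read":
# it would match every remaining request and the default ACLs that follow
# would never be consulted.


# /etc/openldap/slapd.40backend-local.conf  (added example)
#
# Equality indexes on attributes used as bind and lookup keys, substring
# indexes on names that are searched with wildcards. Attributes that the
# default backend configuration already indexes need not be repeated.
# New indexes are only built when the server is restarted with
# "sudo slapd-restart-reindex".
index uid eq
index cn,sn,mail eq,sub
index uniqueMember eq
```

After sudo slapd-restart-reindex, check the ACL from the host itself: an anonymous ldapsearch -x -H ldap://localhost -b "ou=people,dc=example,dc=com" userPassword must return no entries, while the same search with -D <user DN> -W must list the entries but never the userPassword attribute of other users.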

Interaction

After configuration changes, invoke sudo /etc/init.d/slapd restart as the service user to activate the new configuration.

To get all slapd indexes rebuilt during server restart, invoke sudo slapd-restart-reindex.

Monitoring

We monitor the reachability of OpenLDAP over IPv4 and IPv6 on the srv network by default. Usually these checks are sufficient, so no custom monitoring configuration is required.