I've set up LDAP a couple times in a personal capacity, and I'm sharing this if anyone's interested, or if I need to come back to it.
Adding a search index field
I've had slapd running for a long time without any functional errors, but the daemon would often tell me that the mail field wasn't indexed and it could be. An unindexed attribute means every search filter on it has to scan the whole database. Now, I'm not the sort of target that would be worth denial-of-service attacks against my LDAP database, but it's still worthwhile to clean it up (if for no other reason than to tidy syslog!).
slapd[pid]: <= mdb_equality_candidates: (mail) not indexed
To fix this, I set about scouring the internet. Most of the results I found were about fixing the issue in the 1995-era technical reference, or discussions about modifying "slapd.conf" and running slaptest. I didn't use a semi-modern version of OpenLDAP just to resurrect the old config format, use it, then throw it away again! There had to be a better option. And there is! I found hints on Debian's wiki which led me to my ultimate solution to this annoyance. Debian used a heredoc, but I'm nowhere near confident enough in either my typing or my copy-pasting to use one, so I created a file with the index I wanted.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: mail pres,sub,eq
Then, I used ldapmodify to add the index to the directory's cn=config database.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add_index.ldif
All good now: nice clean logfiles, and slapd doesn't have to struggle so much!
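Since slapd reports each unindexed attribute in syslog, the search for missing indexes can be automated. The script below is an added example and not from the original post: it scans log lines in the shape of the one quoted above, works out which attributes (and which index types) slapd complained about, and renders the same modify record used for the mail index, one olcDbIndex value per attribute. The sample log lines are constructed, the mapping from the candidates routine in the message (equality, substring, presence) to the eq, sub and pres index types is my assumption based on the equality line quoted above, and the database DN defaults to the one in the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample syslog lines, in the shape of the line quoted in the post
# (the SEARCH RESULT line is there to show that unrelated lines are ignored).
SAMPLE_LOG = """\
Jan 10 09:12:01 host slapd[1234]: <= mdb_equality_candidates: (mail) not indexed
Jan 10 09:12:01 host slapd[1234]: <= mdb_substring_candidates: (mail) not indexed
Jan 10 09:12:02 host slapd[1234]: <= mdb_equality_candidates: (uid) not indexed
Jan 10 09:12:02 host slapd[1234]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 09:12:03 host slapd[1234]: <= mdb_equality_candidates: (mail) not indexed
"""

# The post quotes the equality form; substring and presence follow the same pattern.
NOT_INDEXED = re.compile(r"<= mdb_(\w+)_candidates: \((\w+)\) not indexed")

# Assumed mapping from the candidates routine named in the log line to the
# olcDbIndex index type that would satisfy it. Anything else falls back to eq.
INDEX_TYPE = {"equality": "eq", "substring": "sub", "presence": "pres"}
INDEX_ORDER = ("pres", "sub", "eq")


def unindexed_attributes(log_text: str, already_indexed: Set[str] = frozenset()) -> Dict[str, List[str]]:
    """Return {attribute: [index types]} for every attribute slapd complained about.

    Attributes listed in already_indexed (read them from the current olcDbIndex
    values first) are skipped so the generated LDIF does not redefine them.
    """
    skip = {a.lower() for a in already_indexed}
    found: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        match = NOT_INDEXED.search(line)
        if not match:
            continue
        kind, attr = match.group(1), match.group(2).lower()
        if attr in skip:
            continue
        found.setdefault(attr, set()).add(INDEX_TYPE.get(kind, "eq"))
    # Stable output: attributes sorted, index types in a fixed order.
    return {attr: [t for t in INDEX_ORDER if t in kinds] for attr, kinds in sorted(found.items())}


def index_ldif(indexes: Dict[str, List[str]], database_dn: str = "olcDatabase={1}mdb,cn=config") -> str:
    """Render the modify record from the post, one olcDbIndex value per attribute."""
    if not indexes:
        return ""
    lines = [f"dn: {database_dn}", "changetype: modify", "add: olcDbIndex"]
    for attr, types in indexes.items():
        lines.append(f"olcDbIndex: {attr} {','.join(types)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Typical use: feed the slapd portion of syslog in, review the printed LDIF,
    # then apply it with ldapmodify -Y EXTERNAL -H ldapi:/// as in the post.
    print(index_ldif(unindexed_attributes(SAMPLE_LOG)), end="")
```

Before applying the output, list what is already indexed with `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcDbIndex` and pass those attribute names as `already_indexed`, so the generated record only adds what is missing.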
Add A User
Create an adduser.ldif file with the following info (for my mail and user setup; yours may vary). Substitute the values in ${ .. } with the pertinent details of your site. Then execute the ldapmodify command below. The -W flag will prompt for the admin bind password on the command line.
ldapmodify -x -D "${admin LDAP path}" -W -H ldapi:/// -f adduser.ldif
Example adduser.ldif
dn: uid=${username},ou=People,dc=${domain},dc=${tld}
changetype: add
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
ou: People
uid: ${username}
cn: ${user given name}
sn: ${user family name}
givenName: ${user given name}
displayName: ${user display name}
initials: ${user initials}
uidNumber: ${user numeric uid}
gidNumber: ${user numeric gid}
homeDirectory: ${full path to user home directory}
loginShell: ${full path to user login shell}
mail: ${user email address}
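A hand-edited adduser.ldif fails in two common ways: a required attribute of one of the three objectClasses is missing (slapd rejects the add with an object class violation), or a value such as a name with accented characters or a leading space is written as a plain `attr: value` line when LDIF requires it to be base64-encoded (`attr:: ...`). The script below is an added example, not code from the post: it validates a user record against the MUST attributes of person and posixAccount, renders the template above with correct LDIF encoding, and parses the result back to confirm it round-trips. The sample user and base DN (dc=example,dc=org) are constructed, and the username pattern is an assumed site policy, not something the post specifies.

```python
import base64
import re
from typing import Dict, List

# Attributes each objectClass in the adduser.ldif template MUST carry, per the
# core schema (person) and nis schema (posixAccount). inetOrgPerson adds no
# MUST of its own; it inherits cn and sn from person.
REQUIRED_ATTRS = {
    "inetOrgPerson": (),
    "person": ("cn", "sn"),
    "posixAccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
}
OBJECT_CLASSES = ("inetOrgPerson", "person", "posixAccount")
# Attribute order of the post's template.
ATTR_ORDER = ("uid", "cn", "sn", "givenName", "displayName", "initials",
              "uidNumber", "gidNumber", "homeDirectory", "loginShell", "mail")
# Assumed site policy for usernames: keeps the uid usable as a POSIX login and
# as an unescaped RDN value (no commas, plus signs, quotes or leading spaces).
UID_RE = re.compile(r"[a-z_][a-z0-9_.-]*")

# Constructed sample user; the accented names exercise the base64 path.
SAMPLE_USER = {
    "uid": "jramirez", "cn": "José", "sn": "Ramírez", "givenName": "José",
    "displayName": "José Ramírez", "initials": "JR",
    "uidNumber": "10001", "gidNumber": "10001",
    "homeDirectory": "/home/jramirez", "loginShell": "/bin/bash",
    "mail": "jramirez@example.org",
}


def validate_user(user: Dict[str, str]) -> List[str]:
    """Return a list of problems that would make slapd reject the add (empty if none)."""
    errors: List[str] = []

    def add(msg: str) -> None:
        if msg not in errors:
            errors.append(msg)

    for oc in OBJECT_CLASSES:
        for attr in REQUIRED_ATTRS[oc]:
            if not str(user.get(attr, "")).strip():
                add(f"{oc} requires {attr}")
    if "uid" in user and not UID_RE.fullmatch(str(user["uid"])):
        add("uid must match " + UID_RE.pattern)
    for attr in ("uidNumber", "gidNumber"):
        if attr in user and not re.fullmatch(r"[0-9]+", str(user[attr])):
            add(f"{attr} must be a non-negative integer")
    for attr in ("homeDirectory", "loginShell"):
        if attr in user and not str(user[attr]).startswith("/"):
            add(f"{attr} must be an absolute path")
    return errors


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute line, base64-encoding values LDIF (RFC 2849) calls unsafe."""
    s = str(value)
    unsafe = (s[0] in " :<" or s.endswith(" ")
              or any(ord(c) > 127 or c in "\0\r\n" for c in s))
    if unsafe:
        return f"{attr}:: {base64.b64encode(s.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {s}"


def build_adduser_ldif(user: Dict[str, str], base_dn: str) -> str:
    """Render the post's adduser.ldif template for one user, after validating it."""
    errors = validate_user(user)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"dn: uid={user['uid']},ou=People,{base_dn}", "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in OBJECT_CLASSES]
    lines.append("ou: People")
    for attr in ATTR_ORDER:
        if attr in user:
            lines.append(ldif_line(attr, user[attr]))
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF record back into {attr: [values]}, decoding base64 (::) values."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


if __name__ == "__main__":
    # Write adduser.ldif, then apply it with the ldapmodify command from the post.
    print(build_adduser_ldif(SAMPLE_USER, "dc=example,dc=org"), end="")
```

Because validation runs before anything is written, a bad record is caught before the admin bind password is ever typed into ldapmodify.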
Thanks to
I'd like to thank OpenLDAP for the relatively simple directory server and clients, and Debian's wiki for the information I needed to make sense of the configuration.