OpenLDAP 2.4 cn=config

April 15, 2009

linux

OpenLDAP uses a cn=config DIT to configure the server since version 2.4. I’m always into new stuff, but I must admit that I rather liked editing /etc/ldap/slapd.conf to configure the server. Anyhow, being able to store ACLs in the tree is a big plus, but for configuring minor stuff (like indexes) it makes life more difficult.

The following site was an excellent tool in helping me configure OpenLDAP. For a list of the current attribute names, see for instance here

Configuring an index

In OpenLDAP you can configure an index by putting the following line in slapd.conf

 index cn,uid,uidNumber eq

And then reload your ldap server. So how does this translate to the new style of configuring OpenLDAP?

Let's first see what the currently indexed attributes are:

# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb olcDbIndex
Enter LDAP Password: 
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq

We look in the cn=config tree, binding as the config admin user. All cn=config attribute names are prefixed with olc (OpenLDAP Configuration). In our first defined database ({1}hdb) there is only an index on objectClass.

We can now use ldapmodify to add indexes (we add three in this case):

# ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password: 
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: cn eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq

modifying entry "olcDatabase={1}hdb,cn=config"

^D

Recheck what we’ve got

# ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb olcDbIndex
Enter LDAP Password: 
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq

Looking good. Notice that you don’t have to restart your ldap server: the change is picked up at once, and slapd builds the new indexes for the existing entries itself.
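The ldapmodify shown above is not safe to run twice: adding an olcDbIndex value that already exists makes the server answer "Type or value exists (20)" and rejects the whole modification. The script below (an added example, not part of the original post) reads the olcDbIndex values returned by the ldapsearch on this page, works out which of the wanted indexes are missing, and only emits LDIF for those. The database DN, the cn=admin,cn=config bind and the olcDbIndex format are taken from the post; the function names and the sample search output are mine.

```shell
#!/bin/sh
# Added example: idempotently add equality indexes through cn=config.
# Assumes the OpenLDAP client tools (ldapsearch/ldapmodify) and the same
# olcDatabase={1}hdb,cn=config database and cn=admin,cn=config bind as on the page.

CONFIG_DN="olcDatabase={1}hdb,cn=config"   # database entry from the page
BIND_DN="cn=admin,cn=config"               # config admin bind DN from the page
NL='
'

# current_indexes: turn ldapsearch output (on stdin) into one "attr type" per line.
current_indexes() {
    sed -n 's/^olcDbIndex: //p'
}

# missing_index_ldif WANT...: read the current olcDbIndex values on stdin and
# print an LDIF "modify" that adds only the values that are not there yet.
# Prints nothing when every wanted index already exists, so nothing is sent
# and the server never sees a duplicate value (error 20).
missing_index_ldif() {
    have=$(current_indexes)
    body=""
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            body="${body}olcDbIndex: ${want}${NL}"
        fi
    done
    [ -n "$body" ] || return 0
    printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n%s-\n' "$CONFIG_DN" "$body"
}

# apply_indexes WANT...: query the live server and apply whatever is missing.
# -W asks for the config admin password on both calls; use -y /path/to/pwfile
# (mode 0600) instead if you run this unattended.
apply_indexes() {
    ldif=$(ldapsearch -xLLL -b cn=config -D "$BIND_DN" -W \
               "olcDatabase={1}hdb" olcDbIndex | missing_index_ldif "$@")
    if [ -z "$ldif" ]; then
        echo "all requested indexes are already configured" >&2
        return 0
    fi
    printf '%s\n' "$ldif" | ldapmodify -x -D "$BIND_DN" -W
}

# Constructed sample: the ldapsearch output from the page before any index
# was added. Used here for an offline dry run that only prints the LDIF;
# run apply_indexes with the same arguments against a live server instead.
SAMPLE_SEARCH='dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
'
printf '%s' "$SAMPLE_SEARCH" | missing_index_ldif "cn eq" "uid eq" "uidNumber eq"
```

Each index is passed as one quoted argument ("cn eq"), because the attribute name and the index type together form a single olcDbIndex value; a value such as "cn eq,sub" is matched as a whole, so changing the index type of an existing attribute still needs a replace rather than an add.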
