====== Install openLDAP with runtime configuration ======
There is a bug in Lenny that does not allow this kind of configuration to be used. See [[../maintenance/upgrade_to_lenny#openldap|upgrade to Lenny, openLDAP]].
The runtime configuration (''cn=config'') was introduced in openLDAP 2.3. It allows openLDAP to be reconfigured on the fly, without restarting it.
===== Install =====
You need the package [[deb>ldap-server]]. When the Debian configuration asked me for an administrator password I just hit Enter twice (the password is asked for twice) and it did not ask me anything more. I want to configure everything myself.
When the installer finishes, openLDAP is running. Stop it: ''/etc/init.d/slapd stop''. We work offline.
===== Standard configuration =====
We first configure openLDAP the usual way, through ''/etc/ldap/slapd.conf''. There is no need for fine-grained configuration now: only the first database you will need and an admin account with its password.
I will not give my full configuration, because too many of its directives come from the default configuration. As I use the ''hdb'' backend, I added the ''back_hdb'' module (in ''slapd.conf'' only whole lines starting with ''#'' are comments, so the comment goes on its own line rather than after the directive, where it would be passed to the module as arguments):
<code>
modulepath /usr/lib/ldap
moduleload back_bdb
# I added this line
moduleload back_hdb
</code>
You may want to change your suffix, for example to "o=tchetch":
<code>
suffix "o=tchetch"
</code>
I am used to changing the location of the server's data, so I put it in ''/srv/ldap/db'' (and keep ''/srv/ldap/ldif'' for setup files, export files, ...):
<code>
directory "/srv/ldap/db/"
</code>
And of course correct all ACLs where needed, usually ''cn=admin,'' becomes ''cn=admin,o=tchetch''. It appears twice in the file.
===== Creating default database =====
I start my database from the file ''root.ldif'', which I create in ''/srv/ldap/ldif''. If you have planned your openLDAP tree, you may already have all the ''o'', ''ou'', ''dc'', ... entries; they can be added directly to this file. If, like me, you have not planned anything, you may just want the root node and the administrator account (''cn=admin,o=tchetch'', as specified before). So here is mine (note the blank line between the two entries, which LDIF requires to separate them):
<code>
dn: o=tchetch
objectClass: organization
o: tchetch

dn: cn=admin,o=tchetch
objectClass: person
cn: admin
sn: Administrator
userPassword: {SSHA}t7NuEH2vOb0M6w/cF8hkxSSvnaPLJrAX
</code>
First, the userPassword in the example is ''abcd1234''; this is not the real password I used. Secondly, I produced this value with ''slappasswd'', which stores a salted SHA-1 hash (''{SSHA}'') instead of the cleartext password:
<code>
tchetch:~$ sudo slappasswd
New password: abcd1234
Re-enter new password: abcd1234
{SSHA}t7NuEH2vOb0M6w/cF8hkxSSvnaPLJrAX
</code>
Now that your initial LDIF file is done you can build the database with ''slapadd'', the offline tool that adds data to (and initializes) an openLDAP database. At this point only ''slapd.conf'' exists, so the configuration is given with ''-f'' (''-F'' designates a ''slapd.d'' directory, which we do not have yet):
<code>
tchetch:~$ sudo slapadd -f /etc/ldap/slapd.conf -l /srv/ldap/ldif/root.ldif
tchetch:~$ sudo chown openldap:openldap -R /srv/ldap/db
</code>
===== Configure openLDAP for runtime =====
Now that your database is ready, it is time to set up the runtime configuration. First you need to create the directory ''/etc/ldap/slapd.d''. It will hold the root password hashes and the full ACL set, so it must not be readable by other users. On my system it looks like this:
<code>
drwxr-x--- 3 openldap openldap 4096 2008-10-16 11:49 slapd.d
</code>
So it was created like that:
<code>
tchetch:~$ sudo mkdir /etc/ldap/slapd.d
tchetch:~$ sudo chmod 0750 /etc/ldap/slapd.d
tchetch:~$ sudo chown openldap:openldap /etc/ldap/slapd.d
</code>
And now we convert our good old ''/etc/ldap/slapd.conf'' into our brand new ''/etc/ldap/slapd.d'' configuration:
<code>
tchetch:~$ sudo slapd -u openldap -g openldap -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
</code>
Note that this command also starts ''slapd'' once the conversion is done; ''slaptest'' accepts the same ''-f''/''-F'' pair and only writes the converted configuration, which is handier while we are still working offline.
Don't remove ''/etc/ldap/slapd.conf'': the init script needs it to find the PID file. But ''slapd'' first checks whether ''/etc/ldap/slapd.d'' exists and uses it if so, so it will not take its parameters from ''slapd.conf'' any more!
As the original configuration was kept as small as possible, there are settings still to be made in ''slapd.d''. We did not specify which user is the root user of every database. So, with ''slapd'' stopped (it owns and rewrites these files while it runs), we edit ''/etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif'' and ''/etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif''((If you can access ''cn=config'', you can configure every database from an LDAP client, so you do not need to edit this file)) to add (or modify if already present) ''olcRootDN: cn=admin,o=tchetch''.
By setting this on ''olcDatabase={0}config.ldif'' we can now access the configuration with standard LDAP clients, like [[http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page|phpLDAPadmin]]((I've made a document about it : [[debian:phpldapadmin:install|Install phpLDAPadmin]])), and so configure our server on the fly! Keep in mind that whoever can bind as that DN can then rewrite the whole server configuration, ACLs and loaded modules included, so its password deserves the same care as root's.
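Before starting the server it is worth auditing what we just produced. The following script is an added example, not from the original page or from openLDAP: it looks at the bootstrap LDIF and the converted ''slapd.d'' tree for ''userPassword'' or ''olcRootPW'' values stored in cleartext (anything without the ''{SCHEME}'' prefix that ''slappasswd'' produces), for config, hdb and bdb databases lacking an ''olcRootDN'', and for anything in ''slapd.d'' readable by other users. The paths are those used above; the function names are mine, and the script only reads files, so it runs without ''slapd''.

```shell
#!/bin/sh
# Added example, not code from the original page or from openLDAP: an offline
# audit of the converted slapd.d tree and of the bootstrap LDIF, to run before
# "/etc/init.d/slapd start". Function names are my own; the paths in the
# usage comment at the end are the ones used on this page.

# Report userPassword / olcRootPW values not stored as {SCHEME}hash, i.e. in
# cleartext (slappasswd output always carries a {SCHEME} prefix). Handles the
# "attr: value" and the base64 "attr:: dmFsdWU=" LDIF forms.
# Returns 1 when at least one cleartext secret was found.
cleartext_secrets() {
    hits=0
    for f in "$@"; do
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            attr=${line%%:*}
            rest=${line#*:}
            case $rest in
                :\ *) value=$(printf '%s' "${rest#: }" | base64 -d 2>/dev/null || true) ;;
                \ *)  value=${rest# } ;;
                *)    continue ;;
            esac
            case $value in
                \{CLEARTEXT\}*) echo "$f: $attr uses the {CLEARTEXT} scheme"; hits=$((hits + 1)) ;;
                \{*\}*)         ;;   # {SSHA}, {CRYPT}, ...: hashed, fine
                *)              echo "$f: $attr is stored in cleartext"; hits=$((hits + 1)) ;;
            esac
        done <<EOF
$(grep -iE '^(userPassword|olcRootPW)::? ' "$f" 2>/dev/null)
EOF
    done
    [ "$hits" -eq 0 ]
}

# The config database and the hdb/bdb backends set up on this page each need
# an olcRootDN; without it on {0}config nothing can write to cn=config over
# LDAP. Other pseudo-databases (frontend, monitor) are out of scope here.
# Returns 1 if any of them lacks it.
databases_without_rootdn() {
    missing=0
    for f in "$1"/cn=config/olcDatabase={*}config.ldif \
             "$1"/cn=config/olcDatabase={*}hdb.ldif \
             "$1"/cn=config/olcDatabase={*}bdb.ldif; do
        [ -f "$f" ] || continue
        grep -qi '^olcRootDN: ' "$f" || { echo "$f: no olcRootDN"; missing=$((missing + 1)); }
    done
    [ "$missing" -eq 0 ]
}

# slapd.d holds the olcRootPW hashes and the full ACL set; nothing in it
# should be readable by "other". Lists offenders and returns 1 if any exist.
nothing_world_readable() {
    offenders=$(find "$1" -perm -004 2>/dev/null || true)
    [ -z "$offenders" ] || printf '%s\n' "$offenders" | sed 's/$/: world-readable/'
    [ -z "$offenders" ]
}

# Run every check: the slapd.d directory first, then any bootstrap LDIF files.
# Exit status 0 means nothing was found and the server can be started.
audit_before_start() {
    dir=$1; shift
    ok=0
    databases_without_rootdn "$dir" || ok=1
    cleartext_secrets "$dir"/cn=config/olcDatabase=*.ldif "$@" || ok=1
    nothing_world_readable "$dir" || ok=1
    [ "$ok" -eq 0 ]
}

# Usage on the host of this page:
#   audit_before_start /etc/ldap/slapd.d /srv/ldap/ldif/root.ldif
if [ "$#" -gt 0 ]; then
    audit_before_start "$@"
fi
```

Run it as root with the two paths above (or source it and call ''audit_before_start'' yourself); every finding is printed with the file it comes from, and a non-zero exit status means something should be fixed before ''slapd'' goes up.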
Et voilà, done! Start your LDAP server: ''/etc/init.d/slapd start''!
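Once the server is up, configuration changes go through the protocol instead of through the files. The following script is an added example of such a change, not from the original page or from openLDAP: it replaces the ACL list of the hdb database so that ''userPassword'' can only be used for authentication and written by its owner or the admin, then reads the attribute back from the live server. It assumes ''slapd'' listens on ''ldap://localhost'', that the converted database is ''olcDatabase={1}hdb,cn=config'', that ''cn=admin,o=tchetch'' is the ''olcRootDN'' of both the config and the hdb database as set up above, and that ''ldapmodify''/''ldapsearch'' from ''ldap-utils'' are installed; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original page or from openLDAP: a runtime
# change of the hdb database's ACLs, pushed over LDAP with ldapmodify and then
# read back. Assumes slapd listens on ldap://localhost and that
# cn=admin,o=tchetch is the olcRootDN of both {0}config and {1}hdb.

# Render the LDIF. "replace" discards every existing olcAccess value, so the
# complete ordered set ({0}, {1}, ...) is given, not only the userPassword
# rule. A line starting with one space continues the previous one, as LDIF
# requires; the first "by" clause that matches a requester wins.
userpassword_acl_ldif() {
    db_dn=$1       # e.g. olcDatabase={1}hdb,cn=config
    admin_dn=$2    # e.g. cn=admin,o=tchetch
    cat <<EOF
dn: $db_dn
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="$admin_dn" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to *
  by dn.exact="$admin_dn" write
  by * read
EOF
}

# Apply it as the config rootdn (ldapmodify and ldapsearch each ask for the
# password), then read the attribute back so that what is really in effect
# on the running server is confirmed, not just what was sent.
apply_acl_change() {
    db_dn=$1; admin_dn=$2
    userpassword_acl_ldif "$db_dn" "$admin_dn" \
        | ldapmodify -x -H ldap://localhost -D "$admin_dn" -W
    ldapsearch -x -LLL -H ldap://localhost -D "$admin_dn" -W \
        -b "$db_dn" -s base olcAccess
}

# Usage on the host of this page:
#   apply_acl_change 'olcDatabase={1}hdb,cn=config' 'cn=admin,o=tchetch'
```

The change takes effect immediately, without restarting ''slapd'', and the same pattern (''changetype: modify'' against an entry under ''cn=config'') covers every other runtime setting.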
====== Setting up replication ======
===== Install =====
Do as specified in [[debian:ldap