The Identity Stack, Episode 6
EP01 → … → EP05: Kerberos → EP06 → EP07: LDAP HA → …
Focus Keyphrase: OpenLDAP setup
Search Intent: Navigational
Meta Description: Set up OpenLDAP with the MDB backend, configure it via cn=config (OLC), and wire up SyncRepl replication — a complete walkthrough for running your own directory. (162 chars)
TL;DR
- OpenLDAP’s server process is
slapd— the backend that stores data is MDB (LMDB), a memory-mapped B-tree that replaced the old Berkeley DB backend - Configuration lives in the directory itself:
cn=config(OLC — Online Configuration) lets you modifyslapdat runtime without restarting - SyncRepl is the replication protocol: a consumer subscribes to a provider and stays in sync via either polling (
refreshOnly) or a persistent connection (refreshAndPersist) - Multi-Provider (formerly Multi-Master) lets multiple nodes accept writes — conflict resolution uses CSN (Change Sequence Number), last-writer-wins
- The essential tools:
slapd,ldapadd,ldapmodify,ldapsearch,slapcat,slaptest - Always build indexes on the attributes you search most —
uid,cn,memberOf— or every search is a full scan
The Big Picture: slapd Architecture
ldapsearch / ldapadd / SSSD / any LDAP client
│ TCP 389 / 636
▼
┌─────────────────────────────────┐
│ slapd (OpenLDAP server) │
│ │
│ Frontend (protocol layer) │
│ • parse BER requests │
│ • ACL enforcement │
│ • schema validation │
│ │
│ Backend (storage layer) │
│ • MDB (LMDB) — default │
│ • memory-mapped file I/O │
│ • ACID transactions │
└────────────┬────────────────────┘
│
/var/lib/ldap/
data.mdb (the directory data)
lock.mdb (LMDB lock file)
EP05 showed Kerberos in isolation. OpenLDAP is where you run the identity store that Kerberos references — and where SSSD looks up user and group attributes. This episode builds a working two-node replicated directory from scratch.
Installation
# Ubuntu / Debian
apt-get install -y slapd ldap-utils
# RHEL / Rocky / AlmaLinux
dnf install -y openldap-servers openldap-clients
# After install — Ubuntu runs a configuration wizard
# Skip it: dpkg-reconfigure slapd
# Or answer it and then switch to OLC management
On RHEL-family systems, slapd is not configured after install — you work entirely through OLC from the start.
OLC: The Directory Configures Itself
The old way was slapd.conf — a static file that required a full restart on every change. OLC (Online Configuration) replaced it: slapd‘s own configuration is stored as LDAP entries under cn=config. You modify configuration the same way you modify data — with ldapmodify. Changes take effect immediately.
cn=config ← root config entry
├── cn=schema,cn=config ← schema definitions
│ ├── cn={0}core ← core schema
│ ├── cn={1}cosine ← RFC 1274 attributes
│ └── cn={2}inetorgperson ← inetOrgPerson object class
├── olcDatabase={-1}frontend ← default settings for all databases
├── olcDatabase={0}config ← the config database itself
└── olcDatabase={1}mdb ← your actual directory data
├── olcAccess ← ACLs
├── olcSuffix ← base DN (e.g., dc=corp,dc=com)
└── olcDbIndex ← search indexes
Everything under cn=config has attributes prefixed with olc (OpenLDAP Configuration). You query and modify it just like any other LDAP subtree — with one restriction: only the cn=config admin (usually gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth — the local root via SASL EXTERNAL) can write to it.
Bootstrapping a Directory
The quickest way to get a working directory is a set of LDIF files applied in order.
1. Load schemas
# Apply the schemas OpenLDAP ships with
ldapadd -Y EXTERNAL -H ldapi:/// \
-f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// \
-f /etc/ldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// \
-f /etc/ldap/schema/nis.ldif # adds posixAccount, posixGroup
2. Configure the MDB database
# mdb-config.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=corp,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=corp,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}hashed_password_here
Generate the hash: slappasswd -s yourpassword
ldapmodify -Y EXTERNAL -H ldapi:/// -f mdb-config.ldif
3. Add indexes
# indexes.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq,pres
olcDbIndex: cn eq,sub
olcDbIndex: sn eq,sub
olcDbIndex: mail eq
olcDbIndex: memberOf eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
The last two (entryCSN, entryUUID) are required for SyncRepl replication to work efficiently.
4. Load initial data
# base.ldif
dn: dc=corp,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Corp
dc: corp
dn: ou=people,dc=corp,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=corp,dc=com
objectClass: organizationalUnit
ou: groups
dn: uid=vamshi,ou=people,dc=corp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Vamshi Krishna
sn: Krishna
uid: vamshi
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/vamshi
loginShell: /bin/bash
mail: [email protected]
userPassword: {SSHA}hashed_password_here
ldapadd -x -H ldap://localhost \
-D "cn=admin,dc=corp,dc=com" \
-w adminpassword \
-f base.ldif
ACLs: Who Can Read What
OpenLDAP ACLs are evaluated top-to-bottom; first match wins.
# acls.ldif — set via OLC
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Users can change their own passwords
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by * none
# Users can read their own entry
olcAccess: to dn.base="ou=people,dc=corp,dc=com"
by self read
by users read
by * none
# Service accounts can read everything (for SSSD)
olcAccess: to *
by dn="cn=svc-ldap,ou=services,dc=corp,dc=com" read
by self read
by * none
A service account (cn=svc-ldap) that SSSD uses to search the directory needs read access to ou=people and ou=groups. Never give SSSD admin (write) access.
SyncRepl Replication
SyncRepl is a pull-based replication protocol built on the LDAP Sync operation (RFC 4533). A consumer connects to a provider and requests changes. The provider sends them. The consumer stays in sync.
On the Provider: Enable the syncprov overlay
# syncprov.ldif
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10 # checkpoint every 100 ops or 10 minutes
olcSpSessionLog: 100 # keep last 100 changes for delta-sync
ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
On the Consumer: Configure syncrepl
# consumer-config.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
provider=ldap://ldap1.corp.com:389
bindmethod=simple
binddn="cn=repl-svc,dc=corp,dc=com"
credentials=replication-password
searchbase="dc=corp,dc=com"
scope=sub
schemachecking=on
type=refreshAndPersist # persistent connection (vs refreshOnly = polling)
retry="5 5 60 +" # retry: 5 times every 5s, then every 60s forever
interval=00:00:05:00 # (for refreshOnly) sync every 5 minutes
-
add: olcUpdateRef
olcUpdateRef: ldap://ldap1.corp.com # redirect writes to provider
refreshAndPersist keeps a persistent connection open. Changes replicate within milliseconds. refreshOnly polls on an interval — simpler, but adds latency.
Verify Replication
# On provider: check the contextCSN (the sync state token)
ldapsearch -x -H ldap://ldap1.corp.com \
-D "cn=admin,dc=corp,dc=com" -w password \
-b "dc=corp,dc=com" -s base contextCSN
# contextCSN: 20260427010000.000000Z#000000#000#000000
# On consumer: should match after sync
ldapsearch -x -H ldap://ldap2.corp.com \
-D "cn=admin,dc=corp,dc=com" -w password \
-b "dc=corp,dc=com" -s base contextCSN
# Same CSN = in sync
Multi-Provider: Accepting Writes on Both Nodes
Standard SyncRepl has one provider and one or more consumers — only the provider accepts writes. Multi-Provider (formerly Multi-Master) lets every node accept writes.
# On each node — add mirrormode to the database config
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcMirrorMode
olcMirrorMode: TRUE
With mirrormode enabled and each node configured as both provider and consumer of the other, writes on either node replicate to the other. Conflict resolution is CSN-based (Change Sequence Number) — a monotonically increasing timestamp. Last write wins at the attribute level.
Multi-Provider does not prevent split-brain conflicts — if two clients write the same attribute on two different nodes during a network partition, the higher CSN wins when the partition heals. For most directory use cases (user passwords, group memberships), this is acceptable. For others, it requires careful thought.
⚠ Production Gotchas
MDB data file grows monotonically. LMDB never shrinks the data file automatically. Deleted entries leave free space inside the file that gets reused, but the file on disk doesn’t shrink. Use slapcat to export and slapadd to reimport if you need to reclaim disk space.
slapcat is the only safe backup. slapcat reads the MDB database directly and exports LDIF — it does not go through slapd. Run it while slapd is running (LMDB is MVCC-safe for readers), but never copy the raw MDB files while slapd is running.
Schema changes on a replicated directory require coordination. Load the new schema on the provider first. SyncRepl will propagate it to consumers — but if a consumer gets a new entry using the new schema before the schema itself is replicated, the import will fail. Load schemas manually on all nodes before adding entries that use them.
Key Takeaways
- OpenLDAP uses LMDB (MDB backend) — a memory-mapped, ACID-compliant storage engine with no external dependency
- OLC (
cn=config) is the right way to configureslapd— changes apply without restarts - SyncRepl pulls changes from a provider to a consumer —
refreshAndPersistfor near-real-time,refreshOnlyfor poll-based - Always index
uid,cn,entryCSN, andentryUUID— unindexed searches are full scans - Multi-Provider allows writes on all nodes with CSN-based last-write-wins conflict resolution
What’s Next
A single OpenLDAP server works. Two nodes with SyncRepl work better. EP07 goes further: how you put multiple LDAP servers behind a load balancer, how connection pooling works, what to monitor, and how 389-DS handles directories with tens of millions of entries.
Next: LDAP High Availability: Load Balancing and Production Architecture
Get EP07 in your inbox when it publishes → linuxcent.com/subscribe