Home / server / Questions / 262137
Accepted
Rich
Asked: 2011-04-22 04:42:30 +0800 CST

Multiple rootdn on one ldap server

  • 772

I have an OpenLDAP server with the following in its configuration file:

suffix          "o=a.b.priv"
rootdn          "cn=Manager,o=a.b.priv"

I am setting up a new project which will make use of the following:

suffix          "o=c.b.priv"
rootdn          "cn=Manager,o=c.b.priv"

Is it possible for these two to coexist on the same OpenLDAP server instance?

I am guessing it is not possible and that my options will be

  • set up a second instance listening on a different port on the same box
  • 'refactor' the existing data (is that even possible? I'm new to LDAP) so that the root is b.priv and the rootdn is cn=Manager,o=b.priv with children of o=a.b.priv and o=c.b.priv

Is there another option?

openldap

3 Answers

  1. You can create multiple, separate databases with OpenLDAP. You'll find details in the documentation.

    Setting up a second instance on a nonstandard port is not a good idea, IMHO, as you have to be careful to specify the correct port wherever you use this instance.

    • 1
  2. Best Answer

    Multiple DITs do appear to be possible. Take a look at this documentation and example. As for the prudence in doing so, I can't speak to your requirements. Completely understanding the documentation before pursuing does seem wise. Perhaps an OpenLDAP specific group could help you assess your idea. But be warned, they can be testy if you have not done your homework.

    \\Greg

    • 1

  3. I'm quite new to LDAP too, but I was able to do this, so I report the operations I've done, hoping they could be useful.

    I've found this information in a mailing list reply.

    I needed to work as root user.

    First use the command

    slapcat -n0

    to show the LDAP configuration.

    You should see something like this:

    dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: <your old root DN>
...

    Go to /var/lib/ldap and create a subfolder for your new tree. Ensure that this folder has 755 permission and appropriate owner and group (in my case it must be openldap openldap).

    Create a LDIF file in this way:

    dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/<NEWDIR>
olcSuffix: <new root DN>
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=Manager,<new root DN>" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=<new root DN>" write by * read
olcLastMod: TRUE
olcRootDN: cn=Manager,<new root DN>
olcRootPW: <manager password>

    Then call

    ldapadd -Y EXTERNAL -H ldapi:/// -f <your-ldif-file>

    and you should have added a new root.

    • 1