Since 2.3, OpenLDAP uses a configuration engine called slapd-config. They said that using it makes all LDAP configuration changeable on the fly.
This is the header of /etc/ldap/slapd.d/cn=config.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
I've changed data in it and in some other files which have that header; after restarting slapd, my changes took effect.
Is there anything else that happens if I change those files manually? If I don't need 'change on the fly', should I edit those files manually instead of using ldapmodify? Which application generated those files, and when?
NOTE: I'm using openldap-2.4.28 on Ubuntu 12.04
If you change the LDIF files in cn=config manually, their contents and checksums won't match, which is not fatal, but is annoying when using tools such as slapcat.
Modifying cn=config the proper way with ldapmodify is very painful, and you'll end up accumulating tons of carefully hand-crafted, single-purpose, disposable LDIF files. Compared to just editing slapd.conf it's a nightmare. Regardless, if you need to make runtime configuration changes, ldapmodify is your only option. However, if you can afford some downtime, you have two other poisons to choose from.
First, there's the highly unsupported but quick and dirty method which works fine for initial OpenLDAP configuration if you know what you're doing:
If slapd starts, it should work ok, but it's always a good idea to tail /var/log/syslog when starting the service:
You can fix the checksum errors using slapcat and slapadd as described below.
Second, there's a less unsupported method which involves use of slapcat and slapadd (modified from these instructions):
If slapadd succeeds without errors, you can migrate to the modified slapd.d directory. According to this thread slapadd only adds data, so overwriting the original slapd.d directory contents is not possible. Therefore we need to move the directories around a bit:
These two more or less unsupported methods make living with cn=config slightly more bearable.
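As an added illustration of the checksum mismatch this answer mentions (example code, not part of the answer): slapd-config writes a second header line, `# CRC32 <hex>`, under the "AUTO-GENERATED FILE" line of every file in slapd.d, and slapcat complains when that value no longer matches the file body. The script below assumes the CRC32 covers the bytes after that line (as slapd's back-ldif checks on read); the sample entry is constructed, and `fix_checksum` only shows what the slapcat/slapadd round trip restores for you.

```python
import re
import zlib

# Two-line header that slapd-config (OpenLDAP's back-ldif) writes at the top of
# every file under slapd.d; the CRC32 is computed over the bytes after it.
HEADER = "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_PREFIX = "# CRC32 "

# Constructed sample body resembling olcDatabase={1}hdb.ldif (illustrative values).
SAMPLE_BODY = (
    "dn: olcDatabase={1}hdb\n"
    "objectClass: olcDatabaseConfig\n"
    "objectClass: olcHdbConfig\n"
    "olcDatabase: {1}hdb\n"
    "olcSuffix: dc=example,dc=com\n"
)

def split_ldif(text):
    """Return (stored_crc, body); stored_crc is None when no header/CRC line exists."""
    if not text.startswith(HEADER):
        return None, text
    rest = text[len(HEADER):]
    m = re.match(re.escape(CRC_PREFIX) + r"([0-9a-fA-F]{8})\n", rest)
    if not m:
        return None, rest
    return int(m.group(1), 16), rest[m.end():]

def verify_checksum(text):
    """True if the stored CRC32 matches the body, False on mismatch (the state a
    hand-edited file is left in), None if the file carries no checksum at all."""
    stored, body = split_ldif(text)
    if stored is None:
        return None
    return stored == zlib.crc32(body.encode("utf-8"))

def fix_checksum(text):
    """Rewrite the header so the CRC32 matches the current body, which is what a
    slapcat/slapadd round trip of cn=config achieves."""
    _, body = split_ldif(text)
    return "%s%s%08x\n%s" % (HEADER, CRC_PREFIX, zlib.crc32(body.encode("utf-8")), body)

if __name__ == "__main__":
    good = fix_checksum(HEADER + CRC_PREFIX + "00000000\n" + SAMPLE_BODY)
    edited = good.replace("dc=example,dc=com", "dc=example,dc=org")  # a manual edit
    print("pristine file verifies:", verify_checksum(good))
    print("after manual edit:     ", verify_checksum(edited))
    print("after fix_checksum:    ", verify_checksum(fix_checksum(edited)))
```

Run it against a copy of a real slapd.d file to see whether slapcat's checksum warning is about to fire; never write the repaired file back while slapd is running.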
When you see a file that says
you would do well to follow the instructions for how to properly change the contents of that file.
In this case, that means updating the OpenLDAP configuration by using the ldapmodify command in accordance with the OpenLDAP manual. This allows you to apply changes to the OpenLDAP configuration on the fly, and will regenerate the slapd.conf file (used when starting the LDAP server as a bootstrap configuration).
In general, failure to follow instructions (like "DON'T EDIT THIS FILE BECAUSE IT'S AUTO-GENERATED!") will lead to pain and suffering.
In this particular case you may find that your changes to the file get wiped out the next time someone does things The Right Way, and you will have to reconstruct your configuration (likely with no record of it, since the file you edited will be replaced).
The next time you fail to heed a warning like this you could render a system unbootable, or worse.