OpenLDAP Server Command Reference
This reference covers the commonly used OpenLDAP administrative server (slap*) commands with their most frequently used options.
Common slap* command options
These are the most common options for slap* commands and will be referred to as <conf> in example commands.
Option | Description |
---|---|
-f file | -F directory | Provides the location of the slapd configuration. Static config (slapd.conf) uses -f, dynamic config uses -F |
slapcat
Syntax:
slapcat <conf> (-b <baseDN> | -n <dbNum>) [-l <outfile.ldif>] [-o ldif-wrap=no]
Online Use: ✅
The slapcat command is used to export a DIT in LDIF format and is used for exporting and backing up directories. The slapcat command is the safest and fastest method for database exports and backups. Using ldapsearch for exports and backups may exclude critical operational attributes.
Option | Description |
---|---|
-b <suffix> | -n <DB Num> | Specifies either the database suffix or database number to operate upon |
-l <filename>.ldif | Specify the file to write the output. If not specified, output goes to STDOUT |
-o ldif-wrap=no | Disables wrapping of long attribute values |
# Export a database using the suffix to an LDIF file:
slapcat <conf> -b dc=example,dc=com -l mybackup.ldif
# Export the cn=config database using the DB number (cn=config is always 0) and disable line wrapping
slapcat <conf> -n0 -o ldif-wrap=no -l config-backup.ldif
# Export a database and pipe through gzip to compress the content and write to file
slapcat <conf> -b dc=example,dc=com | gzip > backup.ldif.gz
slapadd
Online Use: ⛔️
Syntax:
slapadd <conf> (-b <baseDN> | -n <dbNum>) [-l <input-file.ldif>][-q][-w][-S <serverIdNum>]
The slapadd command is an offline-only tool for creating/restoring databases using an LDIF file for input. It should NEVER be run while slapd is running.
It is recommended that slapadd is not used to add new entries to an existing database, even if slapd is offline. Use ldapadd instead; this ensures that entries are passed through all overlays and modules before being written.
Option | Description |
---|---|
-q | Enables quick operation. Uses fewer integrity checks. Use with known good data |
-u | Dry run, does not write to database |
-o schema-check={yes|no} | Enable/disable schema checking |
-o value-check={yes|no} | Enable/disable value checking |
-w | Write contextCSN value at end of load. Use ONLY when loading the first node in a cluster |
-S <n> | Use <n> as the serverId in entryCSNs |
-c | Continue loading if an error occurs (never use this with a production load) |
These examples assume that the database is completely empty and the current working directory is /opt/symas/etc/openldap:
# Load a database with a known good LDIF file:
slapadd -f slapd.conf -b dc=example,dc=com -l database.ldif -q
# Load the first database with serverId 1 in an empty replication cluster:
slapadd -F slapd.d -b dc=example,dc=com -l database.ldif -q -w -S1
# Validate an LDIF with a dry run (-u) that writes nothing to the database, continue on errors and write error info to a log file.
# This is useful when migrating data from a different directory server.
# Using 'tee' will show the results in the terminal and write to a log file.
slapadd -f slapd.conf -b dc=example,dc=com -l database.ldif -u -c \
-o schema-check=yes -o value-check=yes 2>&1 | tee validation.log
slapmodify
Online Use: ⛔️
Syntax:
slapmodify <conf> (-b <baseDN> | -n <dbNum>) [-l <input-file.ldif>][-q]
The slapmodify command is used to modify entries when the database is offline. The command uses the same changetype LDIF files as the ldapmodify command.
Note: The slapmodify command is most useful when modifying the cn=config database. Using it on general entries (non-cn=config) may bypass uniqueness constraints, format constraints, or modifications that overlays would otherwise perform.
Option | Description |
---|---|
-q | Enables quick operation. Uses fewer integrity checks. Use with known good data |
-u | Dry run, does not write to database |
-o schema-check={yes|no} | Enable/disable schema checking |
-o value-check={yes|no} | Enable/disable value checking |
-w | Write contextCSN value at end of modification. |
-S <n> | Use <n> as the serverId in entryCSN |
-c | Continue processing modifications if an error occurs (never use this with a production load) |
Modification LDIFs
slapmodify, like ldapmodify, uses “changetype” LDIF input. All entry modifications will have a changetype of “modify” and action specifiers for the attribute being changed.
Multiple attributes may be modified in one modify operation. Simply put a single line with the “-” character between each action.
Modifications are atomic, so if any part of a modification fails, the entire modification is discarded, unless there are multiple entries being modified and the continue (-c) option is used, in which case only the failing entry's modification is discarded.
Adding Attributes
Example adding two attributes, one with multiple values to an entry:
dn: cn=jthomas,ou=people,o=company
changetype: modify
add: telephoneNumber
telephoneNumber: +1 213 867 5309
-
add: description
description: This is a description
description: This is another description
Replacing Attributes
Note: When replacing multivalued attributes and a specific value is to be replaced, the specific value must be deleted and then the new value must be added. If replace is used on an attribute with more than one value, all values will be deleted and the new value will be saved. Examples:
# Replace an attribute with a single value:
dn: cn=jthomas,ou=people,o=company
changetype: modify
replace: telephoneNumber
telephoneNumber: +65 223 867 5309
# Replace a specific value in an attribute with multiple values:
dn: cn=jthomas,ou=people,o=company
changetype: modify
delete: description
description: This is a description
-
add: description
description: This is the replaced description
Deleting attributes
Note: When deleting multivalued attributes and a specific value is to be deleted, the value must be specified in the delete action. If delete is used on an attribute with more than one value and a value isn’t specified, all values will be deleted. Examples:
# Delete all description attributes in an entry:
dn: cn=jthomas,ou=people,o=company
changetype: modify
delete: description
# Delete a specific value in an attribute with multiple values:
dn: cn=jthomas,ou=people,o=company
changetype: modify
delete: description
description: This is the replaced description
Renaming/Removing entries
Renaming and removing (modrdn) is not supported with slapmodify. Use ldapmodify instead.
Incrementing Attributes
Integer-type attributes may be incremented with the increment action. This is a useful feature for keeping track of sequential ID numbers. Example:
# Increment an attribute by one
dn: cn=uidNext,o=company
changetype: modify
increment: uidNext
uidNext: 1
# Increment an attribute by five
dn: cn=uidNext,o=company
changetype: modify
increment: uidNext
uidNext: 5
Examples
# Perform slapmodify to change an entry in a database using an input LDIF in file form:
slapmodify <conf> -l change.ldif
# Perform slapmodify to change an entry reading LDIF information from STDIN:
slapmodify <conf> <<< '
dn: cn=bob,ou=people,o=company
changetype: modify
replace: givenName
givenName: Oscar'
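To make the rules in the Modification LDIFs section above concrete (replace discards every existing value, delete with a value removes only that value, and a failure in any action discards the whole record), here is an added Python model of how a changetype: modify record is applied to an entry. It is an illustration written for this page, not OpenLDAP code, and the starting entry is a constructed assumption.

```python
# Constructed starting entry (an assumption): cn=jthomas after the "Adding Attributes" example above.
ENTRY = {
    "dn": "cn=jthomas,ou=people,o=company",
    "telephoneNumber": ["+1 213 867 5309"],
    "description": ["This is a description", "This is another description"],
}

def parse_change(ldif_text):
    """Turn one 'changetype: modify' record into (dn, [(action, attr, [values]), ...])."""
    dn, ops = None, []
    for line in ldif_text.strip().splitlines():
        if line == "-":                          # separates actions within one record
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            dn = value
        elif key in ("add", "delete", "replace", "increment"):
            ops.append((key, value, []))
        elif key != "changetype":                # a value line for the current action
            ops[-1][2].append(value)
    return dn, ops

def apply_modify(entry, ldif_text):
    """Apply the record atomically: mutate a copy and return it only if every action succeeds."""
    dn, ops = parse_change(ldif_text)
    if dn != entry["dn"]:
        raise ValueError("record DN does not match the entry")
    new = {k: (list(v) if isinstance(v, list) else v) for k, v in entry.items()}
    for op, attr, values in ops:
        current = new.get(attr, [])
        if op == "add":
            if any(v in current for v in values):
                raise ValueError(f"{attr}: value already exists")
            new[attr] = current + values
        elif op == "replace":                    # replaces ALL existing values, not one of them
            new[attr] = values
        elif op == "delete" and not values:      # no value given: the whole attribute goes
            if attr not in new:
                raise ValueError(f"{attr}: no such attribute")
            del new[attr]
        elif op == "delete":
            if any(v not in current for v in values):
                raise ValueError(f"{attr}: no such value")
            new[attr] = [c for c in current if c not in values]
        elif op == "increment":                  # integer attribute, one increment value
            new[attr] = [str(int(c) + int(values[0])) for c in current]
        if attr in new and not new[attr]:        # an attribute left with no values is removed
            del new[attr]
    return new
```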
slaptest
Online Use: ✅
Syntax:
slaptest {-f slapd.conf | -F slapd.d}
The slaptest command is used for confirming the validity of a slapd configuration file or directory. It may also be used to convert a static slapd configuration file (slapd.conf) to dynamic configuration (cn=config).
Option | Description |
---|---|
-f slapd.conf | -F slapd.d | The configuration file or directory to test |
-u | Perform a dry-run, which skips checking for the presence of an actual database |
-v | Verbose mode |
-Q | Quiet mode. Returns 0 for success, any other number for failure |
# Test the validity of a slapd.conf file, ignoring missing databases
slaptest -f slapd.conf -u
# Convert static configuration to dynamic configuration
mkdir slapd.d
slaptest -f slapd.conf -F slapd.d
slapindex
Online Use: ✅
Syntax:
slapindex <config> -b <suffix> [-q] [attributes]
The slapindex command is used to create attribute indexes on existing attribute values in a backend database after an attribute index is declared in the slapd configuration.
Option | Description |
---|---|
-f slapd.conf | -F slapd.d | The configuration file or directory to use |
-b <suffix> | The suffix of the database to perform the indexing on |
-q | Quick mode; performs fewer integrity checks but errors may cause database consistency issues |
-t | Truncate mode. Truncates an index database before indexing any entries (LMDB backends only) |
# Index an entire database
slapindex -f slapd.conf -q -b o=company
# Index the givenName attribute only
slapindex -F slapd.d -q -b o=company givenName
slapacl
Online Use: ✅
Syntax:
slapacl <config> -b <baseDN> -D <authcDN> [attr[/access]]
The slapacl command is used for testing user access to entries and/or attributes according to their ACL permissions.
Option | Description |
---|---|
-f <slapd.conf> | -F <slapd.d> | The configuration file or directory to use |
-b DN | The entry to test access to |
-D <authcDN> | The entry (authentication DN) to test access for |
attr/access | An attribute and optional access level to test |
# Test whether cn=mary has read access to the givenName attribute of cn=roger
slapacl <conf> -b cn=roger,ou=people,o=company -D cn=mary,ou=people,o=company givenName/read
# Test write access for two attributes
slapacl <conf> -b cn=roger,ou=people,o=company -D cn=mary,ou=people,o=company givenName/write sn/write
# Show access levels for all attributes in an entry
slapacl <conf> -b cn=roger,ou=people,o=company -D cn=mary,ou=people,o=company
slappasswd
Online Use: ✅
The slappasswd command is used to hash password values for storage in an OpenLDAP database or slapd configuration. Most commonly it is used to hash the rootpw|olcRootPw attribute in the slapd configuration. Password updates for regular directory entries should be performed using the ldappasswd command to ensure any password policy in place is respected.
Note: Hashed passwords cannot be used with the ‘credentials=’ parameter in syncrepl configuration stanzas; the password must be in plaintext. To eliminate the use of plaintext passwords, configure syncrepl to use certificate-based authentication.
Syntax
slappasswd [-h <scheme>][-o module-path=<path to slapd modules> -o module-load=<module-name>][-s <secret>|-T <file>][-n]
If the ‘-s’ or ‘-T’ option is not specified, the user is prompted for the password.
Hashing Schemes
OpenLDAP itself has a limited number of hashing schemes available. Other hashing schemes are available from loadable slapd modules:
Module | Man Page | Schemes |
---|---|---|
slapd (default) | slapd.conf | {SHA}, {SSHA}, {MD5}, {SMD5}, {CRYPT}, {PLAINTEXT} |
pw-pbkdf2.la | slapd-pw-pbkdf2 | {PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256}, {PBKDF2-SHA512} |
pw-sha2.la | slapd-pw-sha2 | {SHA256}, {SSHA256}, {SHA384}, {SSHA384}, {SHA512}, {SSHA512} |
argon2.la | slappw-argon2 | {ARGON2} |
smbk5pwd.la | slapo-smbk5pwd | {K5KEY} |
Command Parameters
Option | Description |
---|---|
-h <scheme> | The password hashing scheme. {SSHA} is the default |
-s <secret> | The password to hash. Caution: Using “-s” will store the clear text password in the command shell history |
-T <file> | A file containing the password to hash |
-o module-path=<path> | The path to the directory in which the password modules are located |
-o module-load=<module> | The module file to use |
-n | Omit trailing newline from output |
Usage
# Hash a password with the default scheme, reading from a file
slappasswd -T passfile.txt
# Hash a password using the SSHA512 scheme
slappasswd -h "{SSHA512}" -o module-path="/opt/symas/lib/openldap" -o module-load="pw-sha2.la"
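As an added example (not part of this reference and not OpenLDAP code), a Python audit that reads a slapcat export and reports the scheme each userPassword is stored under, so that cleartext and legacy schemes from the table above can be found and rehashed with ldappasswd. It handles the base64 (::) values and the wrapped continuation lines slapcat emits without -o ldif-wrap=no; the sample LDIF and the WEAK_SCHEMES set are constructed assumptions.

```python
import base64
import re

WEAK_SCHEMES = {"CLEARTEXT", "PLAINTEXT", "SHA", "MD5", "SMD5", "CRYPT"}  # site policy, assumed

# Constructed LDIF in the shape of a slapcat export (hash bodies are dummy text, not real digests):
# userPassword is base64 ("::") and, without -o ldif-wrap=no, long values fold onto " "-prefixed lines.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
userPassword:: e1BCS0RGMi1TSEE1MTJ9YWJjYWJjYWJjYWJjYWJjYWJjYWJjYWJjYWJjYWJj
 YWJjYWJjYWJjYWJj

dn: cn=carol,ou=people,dc=example,dc=com
userPassword:: e1NIQX1hYWJjYWJjYWJjYWJjYWJj

dn: cn=dave,ou=people,dc=example,dc=com
userPassword:: c2VjcmV0
"""

def entries(ldif_text):
    """Yield (dn, [(attr, value), ...]) per entry, unfolding and base64-decoding as needed."""
    dn, attrs = None, []
    for line in ldif_text.replace("\n ", "").splitlines() + [""]:  # "\n " = continuation
        if not line:                            # a blank line terminates an entry
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, []
            continue
        attr, _, rest = line.partition(":")
        value = rest.strip()
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr.lower(), value))

def password_scheme(value):
    """Scheme prefix of a userPassword value ({SSHA}, {PBKDF2-SHA512}, ...) or CLEARTEXT."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit(ldif_text):
    """Map every DN that carries a userPassword to the scheme it is stored under."""
    return {dn: password_scheme(v) for dn, attrs in entries(ldif_text)
            for a, v in attrs if a == "userpassword"}

def weak_accounts(ldif_text):
    return sorted(dn for dn, s in audit(ldif_text).items() if s in WEAK_SCHEMES)
```

Run it against the file produced by the slapcat export example (slapcat <conf> -b dc=example,dc=com -l mybackup.ldif) rather than against ldapsearch output, which may omit userPassword depending on ACLs.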
slapdn
Online Use: ✅
Syntax:
slapdn <conf> [-N] [-P] [-v]
The slapdn command checks the conformance of a DN against the configured schema and can print its normalized and prettified forms.
Option | Description |
---|---|
-f <slapd.conf> | -F <slapd.d> | The configuration file or directory to use |
-P | Returns a prettified DN |
-N | Returns a normalized DN |
-v | Return both a prettified and normalized DN |
# Check the conformance of a DN
slapdn -F slapd.d -v "ou=accounting,dc=example,dc=com"
DN: <ou=accounting,dc=example,dc=com> check succeeded
normalized: <ou=accounting,dc=example,dc=com>
pretty: <ou=accounting,dc=example,dc=com>
slapschema
Online Use: ✅
Syntax:
slapschema <conf> -b <suffix> [-l <error-file>] [-H <URI>]
The slapschema command checks the compliance of the contents of a database with the currently configured schema for the database.
Option | Description |
---|---|
-f <slapd.conf> | -F <slapd.d> | The configuration file or directory of the database |
-b <suffix> | -n <number> | The suffix or number of the database to check values |
-l <error-file> | A file to write errors to, instead of printing to STDOUT |
-H <URI> | An LDAP search URI to refine the entries/values to check |
# Check the schema compliance of the contents of the dc=example,dc=com suffix
slapschema <conf> -b dc=example,dc=com -l schema-errors.txt
# Check the schema compliance of only organizationalUnit entries in dc=example,dc=com
slapschema -F slapd.d -H "ldap:///dc=example,dc=com??one?(objectClass=organizationalUnit)"
mdb_copy
Online Use: ✅
Syntax:
mdb_copy [-c] <source_dir> [<dest_dir>]
The mdb_copy command makes a copy of an LMDB database in its binary form and optionally performs compaction of the database. It is used primarily for quickly restoring an OpenLDAP database without using the slapadd utility. LMDB databases are sparse files, so space is preallocated according to the maxsize|olcDbMaxSize setting. If the ‘-c’ option is used, any allocated but unused database space is discarded during the copy, thereby drastically reducing the size of the database copy. The resulting output of mdb_copy is a file named “data.mdb”.
If no destination directory is specified, the database copy is printed to STDOUT.
# Create a destination directory and make a copy of an existing LMDB database
mkdir ./copy-dir
mdb_copy -c /var/symas/openldap-data/example ./copy-dir
# Copy a database with compaction and compress the output
mdb_copy -c /var/symas/openldap-data/example | gzip > data.mdb.gz