Symas OpenLDAP Knowledge Base

Static vs. Dynamic Configuration

OpenLDAP can be configured using either a static configuration (slapd.conf) or a dynamic configuration (slapd.d, also known as cn=config). Both ways are fine, but each has pros and cons. The primary benefit of slapd.conf is that it is much more concise and easier to edit. The primary benefit of the cn=config approach is that the configuration can be modified while the service is running.

During early experimentation, setup, and testing it may be easier to work with the configuration as a whole (slapd.conf) in its smaller form. As testing proceeds and the configuration stabilizes, it can be converted to the cn=config internal database. Changes can then be made either via the LDAP line-mode utility programs (or an LDAP browser like the Apache Directory Studio) or via slapd.conf. Changes made to cn=config take effect immediately and without a restart of slapd. Changes made via slapd.conf require a server restart.

Once the configuration is permanently stored in the internal cn=config database, changes made ARE NOT reflected in external copies of slapd.conf. Backups of cn=config must be kept (see this article). If a server has to have its configuration (re)loaded, it is done from a recent backup of the data stored in cn=config.
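
Because live changes to cn=config are not written back to any external file, a backup goes stale as soon as someone modifies the running configuration. The following added example (not Symas or OpenLDAP project code) compares two LDIF dumps of cn=config and lists the attributes that differ. It assumes the dumps were taken with `slapcat -n 0`; the sample LDIF and the function names are constructed for illustration.

```python
from collections import defaultdict

# Operational attributes change on every write; they are noise for a drift check.
OPERATIONAL = {"entrycsn", "entryuuid", "createtimestamp", "modifytimestamp",
               "creatorsname", "modifiersname", "structuralobjectclass"}

def parse_ldif(text):
    """Return {dn: {attr: sorted values}} from LDIF text, unfolding wrapped lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, dn, attrs = {}, None, None
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = {a: sorted(v) for a, v in attrs.items()}
            dn = None
            continue
        name, _, value = line.partition(":")
        # "attr:: <base64>" values are kept encoded; equality is all we need.
        value = value[1:].strip() if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif dn is not None and name.lower() not in OPERATIONAL:
            attrs[name.lower()].append(value)
    return entries

def config_drift(backup_ldif, current_ldif):
    """List (dn, attr, backup_values, current_values) where the dumps differ."""
    old, new = parse_ldif(backup_ldif), parse_ldif(current_ldif)
    return [(dn, a, old.get(dn, {}).get(a), new.get(dn, {}).get(a))
            for dn in sorted(set(old) | set(new))
            for a in sorted(set(old.get(dn, {})) | set(new.get(dn, {})))
            if old.get(dn, {}).get(a) != new.get(dn, {}).get(a)]

# Constructed sample dumps: CURRENT differs by one live change to olcLogLevel.
BACKUP = """\
dn: cn=config
olcLogLevel: stats
entryCSN: 20240101000000.000000Z#000000#000#000000

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by * non
 e
"""
CURRENT = BACKUP.replace("stats", "stats sync").replace("20240101", "20240601")
```

An empty result from `config_drift` means the backup still matches the running configuration; any other result means a fresh backup is due.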

In Multi-Master server clusters, support for replicating cn=config among servers was completed in OpenLDAP 2.5. More information will be provided about replicating cn=config in an upcoming Knowledge Base article.