Utilizing the LDAPI Socket
Configuring CN=Config
First, enable the ldapi:/// listener (LDAP over a Unix domain socket) by editing symas-openldap.conf.
vi /opt/symas/etc/openldap/symas-openldap.conf
Set the HOSTLIST line so that it includes ldapi:/// alongside the existing listeners (this file holds service settings, not database definitions):
HOSTLIST="ldap:/// ldapi:///"
Next, set the rootdn and rootpw (password) for the config database by editing slapd.conf.
vi /opt/symas/etc/openldap/slapd.conf
Add the following lines before the first database definition:
database config
rootdn "cn=config"
rootpw config
(The password can be stored hashed instead of in clear text: generate the hash with slappasswd and paste its output, for example an {SSHA} value, in place of the clear-text password. Any rootpw in slapd.conf is only as safe as the file's permissions, so keep it readable by root and the ldap service account only.)
NOTE: The rootdn credentials above can be used for remote access and for command line operations. The following authz-regexp additionally maps the local root user, when it connects through ldapi:///, to cn=config, so that local administration needs no password at all. It belongs in the global section of slapd.conf (before the first database definition) and must be on one line:
authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=config"
Explanation:
gidNumber=0 and uidNumber=0 restrict the mapping to the root user only; substitute other IDs to map other user or group accounts.
The match pattern is a POSIX extended regular expression, so the + between the two attributes must be written as \+. Left unescaped it is a quantifier (one or more 0s), the pattern never matches the real peercred identity, and root stays unmapped.
cn=config is the identity the matching connection is mapped to, i.e. the rootdn of the config database.
NOTE: This mapping is used for internal command line operations only. Peer credentials exist only on the ldapi:/// socket, so it has no effect on connections arriving over ldap:/// or ldaps:///.
Next, so that the command line tools use the ldapi:/// socket and the SASL EXTERNAL mechanism by default, add the following to ~/.ldaprc of the account that will run the commands (root, for the mapping above):
vi ~/.ldaprc
SASL_MECH EXTERNAL
URI ldapi:///
Finally, start or restart solserver so the new listener and configuration take effect:
sudo service solserver restart
NOTE: With the authz-regexp configured, commands have a much simpler syntax. Compare the following ldapmodify invocation without the authz-regexp (binding as cn=config with the rootpw, which also works remotely) to the same change with authz-regexp configured (run as root on the server, using the ~/.ldaprc above).
Without authz-regexp:
ldapmodify -x -H ldap://<ldap server fqdn> -D cn=config -w <password>
dn: cn=module{0},cn=config
changetype: modify
replace: olcModulePath
olcModulePath: /<full>/<path>/<to>/<modules>
(-w places the password in the command line, where it is visible in the process list and shell history; -W prompts for it instead.)
With authz-regexp:
ldapmodify
dn: cn=module{0},cn=config
changetype: modify
replace: olcModulePath
olcModulePath: /<full>/<path>/<to>/<modules>
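The password-less ldapmodify above only works if the authz-regexp actually matches the identity slapd derives from the socket peer. The following POSIX shell script is an added example, not part of the Symas documentation or of OpenLDAP: it replays slapd's authz-regexp matching with grep so the mapping can be checked offline, without a running server. It assumes the peercred identity format gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth used by OpenLDAP 2.4 and later, and that slapd compiles the match pattern as a case-insensitive POSIX extended regular expression (grep -E -i is the same dialect). The function names, the uid/gid 1000 identity and the demo argument are constructed for the demonstration; replacement DNs are used literally (no $1 back-references).

```shell
#!/bin/sh
# Added example (not from the Symas docs): replay slapd's authz-regexp
# matching with grep so the cn=config mapping can be verified offline.
# Assumption: slapd compiles the pattern with REG_EXTENDED|REG_ICASE, which
# is the dialect grep -E -i implements. Replacement DNs are used literally.

# Identity slapd presents for SASL EXTERNAL over ldapi:/// (peercred format,
# OpenLDAP 2.4+). $1 = uidNumber of the connecting process, $2 = gidNumber.
peercred_authzid() {
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# Apply one authz-regexp rule.
# $1 = match pattern (ERE), $2 = replacement DN, $3 = authentication identity.
# On a match prints the mapped DN and returns 0; otherwise prints nothing
# and returns 1 (slapd would leave the connection with its raw identity).
authz_map() {
    if printf '%s\n' "$3" | grep -E -i -q -- "$1"; then
        printf '%s\n' "$2"
        return 0
    fi
    return 1
}

# Render the directive as it should appear, quoted, in the global section of
# slapd.conf. $1 = match pattern, $2 = replacement DN.
authz_regexp_directive() {
    printf 'authz-regexp "%s" "%s"\n' "$1" "$2"
}

# The pattern from the page with the + escaped (correct) and unescaped (broken:
# "0+" then means one or more zeros, so the literal + in the identity never matches).
GOOD_PATTERN='gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth'
BAD_PATTERN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Demo: root maps to cn=config with the escaped pattern, an ordinary user
# (constructed uid/gid 1000) does not, and the unescaped pattern matches nobody.
demo() {
    root_id=$(peercred_authzid 0 0)
    user_id=$(peercred_authzid 1000 1000)
    authz_regexp_directive "$GOOD_PATTERN" cn=config
    printf 'root, escaped pattern   -> %s\n' \
        "$(authz_map "$GOOD_PATTERN" cn=config "$root_id" || echo '(no match)')"
    printf 'uid 1000, escaped       -> %s\n' \
        "$(authz_map "$GOOD_PATTERN" cn=config "$user_id" || echo '(no match)')"
    printf 'root, unescaped pattern -> %s\n' \
        "$(authz_map "$BAD_PATTERN" cn=config "$root_id" || echo '(no match)')"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh authz_check.sh demo` to see the three outcomes side by side. Against a live server the end-to-end check is `ldapwhoami -Y EXTERNAL -H ldapi:///` run as root: with the mapping in place it answers dn:cn=config; if it prints the raw dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth identity instead, the regexp did not match and the password-less ldapmodify will be refused.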