OpenLDAP - Modifying cn=config attribute

You can modify attributes of the cn=config entry (the live slapd configuration) with the following steps:

1) Log in as root

2) Create an LDIF file (e.g. ldap_log_level.ldif) with the following entry. In this example I am adding olcLogLevel with the value any:

dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: any


3) Then run

ldapmodify -H ldapi:/// -Y EXTERNAL -f ~/ldap_log_level.ldif

-H Specify the URI(s) of the LDAP server(s) to connect to

-Y Specify the SASL mechanism to be used for authentication

-f Read the modification entries from the given file instead of standard input

ldapi:/// means LDAP over IPC: the client talks to slapd through a UNIX-domain socket on the local machine rather than over a TCP connection.

-Y EXTERNAL selects the SASL EXTERNAL mechanism, which authenticates the client with the identity of the underlying transport. Over ldapi:/// slapd takes the client's UID and GID from the socket (peercred), so when you are logged in as root the session is authenticated as gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, which the default access rules typically allow to read and modify the configuration. This is the most common way to modify the cn=config root entry.


Example output

$ ldapmodify -H ldapi:/// -Y EXTERNAL -f ~/ldap_log_level.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"



4) You can verify the addition by reading the generated config file (read it only; edit the configuration through ldapmodify, not by hand):

cat /etc/openldap/slapd.d/cn=config.ldif


To delete the attribute again, change the LDIF file to

dn: cn=config
changetype: modify
delete: olcLogLevel

and run the same command:

ldapmodify -H ldapi:/// -Y EXTERNAL -f ~/ldap_log_level.ldif
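The add and delete steps above, wrapped in a small POSIX shell script as an added example (this is not code from the original post): one function generates the one-attribute LDIF for an add, replace or delete on cn=config, a wrapper previews the LDIF unless APPLY=1 is set, and a readback uses ldapsearch over the same ldapi:///, SASL EXTERNAL session instead of cat'ing the slapd.d file. The function names, the APPLY variable and the usage values are my own; the ldapmodify and ldapsearch options are the standard OpenLDAP ones, and applying a change still has to be done as root for the peercred mapping shown in the output above to be authorized.

```shell
#!/bin/sh
# Added example (not from the original post): build and apply a single
# attribute modification on cn=config over ldapi:/// with SASL EXTERNAL.
set -eu

# Emit a one-attribute modify LDIF for cn=config on stdout.
#   $1 = operation: add | replace | delete
#   $2 = attribute name, e.g. olcLogLevel
#   $3 = value (required for add and replace, ignored for delete)
cn_config_ldif() {
    op=$1; attr=$2; val=${3:-}
    case "$op" in
        add|replace)
            [ -n "$val" ] || { echo "value required for $op" >&2; return 1; }
            printf 'dn: cn=config\nchangetype: modify\n%s: %s\n%s: %s\n' \
                "$op" "$attr" "$attr" "$val"
            ;;
        delete)
            # No value given: removes every value of the attribute.
            printf 'dn: cn=config\nchangetype: modify\ndelete: %s\n' "$attr"
            ;;
        *)
            echo "unknown operation: $op" >&2; return 1
            ;;
    esac
}

# Apply LDIF from stdin to the local slapd over the IPC socket.
# Without APPLY=1 the LDIF is only echoed, so a change can be previewed
# before it touches the live configuration.
apply_ldif() {
    if [ "${APPLY:-0}" = 1 ]; then
        ldapmodify -H ldapi:/// -Y EXTERNAL
    else
        cat
    fi
}

# Read an attribute back from cn=config through the server itself.
show_cn_config_attr() {
    ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -b cn=config -s base "$1"
}

# Usage (values constructed for illustration):
#   cn_config_ldif add olcLogLevel any | APPLY=1 apply_ldif
#   show_cn_config_attr olcLogLevel
#   cn_config_ldif replace olcLogLevel stats | APPLY=1 apply_ldif
#   cn_config_ldif delete olcLogLevel | APPLY=1 apply_ldif
```

replace is the safer operation when a change may be re-run: adding a value that the entry already holds is rejected by the server with "Type or value exists", while replace sets the attribute whatever its current state. Since the level any records every operation slapd processes, drop the level again once debugging is done, either with the delete form or by replacing it with a quieter level such as stats.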
