Each DIT is described by a database section in the slapd.conf file. By defining multiple database sections multiple DITs are defined. Each DIT is discrete and has its own naming-context (or name space). Assume we want to create the following structure in a single LDAP server:
```
#
###### MULTIPLE DITs ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
#        from all three schemas

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write

# NO REFERRALS

# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1

# NO dynamic backend modules

# NO TLS-enabled connections

# backend definition not required

#######################################################################
# FIRST bdb database definitions
# for EXAMPLE.COM
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################

database bdb
suffix "dc=example, dc=com"

# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/db/openldap/example-com

# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub,subinitial,subany,subfinal
# optimise department searches
index ou eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
dbnosync
dirtyread
searchstack 5

#######################################################################
# SECOND bdb database definitions
# for EXAMPLE.NET
# replace example and net below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################

database bdb
suffix "dc=example, dc=net"

# root or superuser
rootdn "cn=jimbob, dc=example, dc=net"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND
# change path as necessary - separate directory from
# FIRST section
directory /var/db/openldap/example-net

# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# optimise department searches
index ou eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
dbnosync
dirtyread
searchstack 5
```
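Each database section above carries its own rootpw, its own directory and (here) no access clause, so every DIT has to be checked separately. The following check is an added example, not part of the original guide: it parses the database sections of a slapd.conf and reports, per suffix, a cleartext rootpw, a directory shared between databases, and a missing access clause. The function names and the sample text are constructed for illustration.

```python
import shlex
from collections import Counter

# Constructed sample: the page's two DITs, the second reusing the first's directory.
SAMPLE = """\
database bdb
suffix "dc=example, dc=com"
rootpw dirtysecret
directory /var/db/openldap/example-com
database bdb
suffix "dc=example, dc=net"
rootpw {SSHA}constructed-placeholder
directory /var/db/openldap/example-com
access to * by * read
"""
KEYS = ("access", "suffix", "rootpw", "directory")

def parse_databases(text):
    """Return one dict per 'database' section of slapd.conf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or comment
        if raw[0].isspace() and logical:      # leading whitespace continues a line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    glob, dbs = {"access": False}, []
    for words in map(shlex.split, logical):
        key = words[0].lower()
        if key == "database":
            dbs.append({"access": glob["access"]})  # global ACLs apply to every DIT
        elif key in KEYS and len(words) > 1:
            section = dbs[-1] if dbs else glob
            section[key] = True if key == "access" else words[1]
    return dbs

def audit(text):
    """Return (suffix, finding) pairs for every database section."""
    dbs = parse_databases(text)
    dirs, out = Counter(d.get("directory") for d in dbs), []
    for d in dbs:
        checks = [
            (not d.get("rootpw", "{").startswith("{"), "cleartext rootpw"),
            (dirs[d.get("directory")] > 1, "directory shared with another database"),
            (not d["access"], "no access clause"),
        ]
        out += [(d.get("suffix", "?"), msg) for hit, msg in checks if hit]
    return out
```

Calling `audit()` on the text of the file before restarting slapd returns an empty list when none of the three conditions is present.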
You need to stop and restart the LDAP server to pick up this new file. Then load one of the LDIF files shown below using ldapadd.
This LDIF assumes that EXAMPLE.COM already exists - we are simply adding EXAMPLE.NET.
```
# add example.net to an existing LDAP server
version: 1

dn: dc=example,dc=net
dc: example
description: Example Network Operations
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: ou=people, dc=example,dc=net
ou: people
description: All people in organisation
objectClass: organizationalUnit
```
This LDIF assumes that we are adding both EXAMPLE.COM and EXAMPLE.NET.
```
# add both example.com and example.net
# FIRST add example.com
version: 1

dn: dc=example,dc=com
dc: example
description: Example Company
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: ou=people, dc=example,dc=com
ou: people
description: All people in organisation
objectClass: organizationalUnit

# SECOND add example.net
dn: dc=example,dc=net
dc: example
description: Example Network Operations
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: ou=people, dc=example,dc=net
ou: people
description: All people in organisation
objectClass: organizationalUnit
```
This work is licensed under a
Creative Commons License.
Copyright © 1994 - 2024 ZyTrax, Inc. All rights reserved. Page modified: January 20 2022.