OpenLDAP version 2.3 introduced a special DIT called cn=config that can be used to replace the slapd.conf file.

Release Note


slapd.conf has certain drawbacks: adding schema files creating new databases requires editing slapd.conf. Future version of openldap will drop support of slapd.conf.

cn=config enables programatic access to slapd configuration, such as loading additional schemas.

Use Cases

  • Chris install the slapd package and can use the new cn=config tree to manage his LDAP tree using standard LDAP command tools.
  • Don upgrades his LDAP directory and can use LDAP queries and updates to change the ACLs of object in the directory.
  • Erwan installs an application that uses an ldap schema. After installing, the new features are automatically available in the LDAP directory.


The new configuration backend in explained in the OpenLDAP administrator Guide:


cn=config migration

update common functions in slapd.scripts-common to support cn=config

slapd.scripts-common has functions that scan and extract information from slapd.conf. These functions should be modified to support cn=config as a backend (instead of slapd.conf).

slapd.scripts-common will also be shipped as part of the slapd package and standalone script to perform standard directory configuration actions will be built on them. These scripts can then be used by other packages or people to load schemas, modules, overlays or any other common configuration modification.

new installation

new installation will enable cn=config by default. slapd.scripts-common functions responsible for generating a new configuration will have to be updated to create slapd.d/ and set the correct option in cn=config.


On upgrade, the postinst script will try convert slapd.conf to cn=config:

  1. Enable the config database using rootdn="cn=admin,cn=config". The password will either be extracted from the existing database or the user will be prompted to enter a new one.
  2. Convert slapd.conf using slapd -f and -F options.
  3. Rename the old slapd.conf to slapd.conf.bak and update /etc/default/slapd to use the new cn=config backend.

Chapter 6: OpenLDAP using cn=config - Converting to use cn=config

rootdn password handling for cn=config

The main advantage to migrate to the cn=config backend is to be able to modify the slapd configuration dynamically using ldap{modify,add} utilities and ldif files. In order to be able to access the cn=config tree, the ldap* commands have to be authenticated and authorized by slapd.

cn=config needs to have a rootdn and a rootpw set. The following rootdn will be used by default : cn=admin,cn=config. The corresponding rootpw will be asked on upgrade. New installation will use the same rootpw as the one asked during the installation of the first database.

The slap* utilities ask the rootdn password whenever they need to make a change to the slapd configuration.

Here is an overview of the upgrade logic:


Outstanding Issues

BoF agenda and discussion


OpenLdapCnConfigMigration (last edited 2008-08-06 16:36:04 by localhost)