Some basic hints for configuring the OpenLDAP server:
You will get a message like "LDAP sizelimit exceeded, not all entries are shown." when a search hits the server's size limit (the client may also impose its own limit, e.g. ldapsearch -z, so check both ends).
OpenLDAP returns at most 500 entries per search by default; if you have more users/groups/hosts than that, raise the limit:
slapd.conf:
e.g. "sizelimit 10000", or "sizelimit -1" for an unlimited number of returned entries
slapd.d:
e.g. "olcSizeLimit: 10000", or "olcSizeLimit: -1" for an unlimited number of returned entries, in /etc/ldap/slapd.d/cn=config.ldif (prefer applying the change with ldapmodify against cn=config; slapd only reads these files at startup and warns about the checksum of hand-edited files). Keep in mind that an unlimited global limit lets any client that is allowed to search, anonymous ones included, dump the whole directory in a single search; if only a few accounts need the full result set, grant it to them alone with the "limits" directive (olcLimits on the database entry) instead.
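As an added example (not part of the original page), the same change written as an LDIF for ldapmodify against cn=config, which is the supported way to change slapd.d while slapd is running. It raises the global limit to 10000 and, instead of an unlimited limit for everyone, grants unlimited results only to one administrative DN via olcLimits on the database entry. The database entry olcDatabase={1}mdb,cn=config and the DN cn=admin,dc=example,dc=com are assumptions; older installations use olcDatabase={1}bdb or {1}hdb, matching the path used elsewhere on this page.

```ldif
# Added example: raise the global search size limit from the default 500.
# This applies to every client that has no more specific olcLimits entry.
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 10000

# Added example: instead of "olcSizeLimit: -1" for everyone, give only the
# directory admin (assumed DN) unlimited search results on the main database
# (assumed olcDatabase={1}mdb; use {1}bdb or {1}hdb on older installations).
# slapd numbers the olcLimits value itself, so no {N} prefix is needed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=admin,dc=example,dc=com" size=unlimited
```

Apply it as root with ldapmodify -Y EXTERNAL -H ldapi:/// -f sizelimit.ldif (on Debian-style installations the local root user is mapped to the cn=config manager over ldapi), and check the result with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSizeLimit olcLimits. The per-DN limit is checked after the bind, so an anonymous or ordinary user still gets at most the 10000 entries of the global limit.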
There are cases where you do not want the same attribute value to exist more than once in your directory; UID/GID numbers are a good example, because two accounts sharing a uidNumber are the same user as far as the operating system is concerned.
OpenLDAP provides the attribute uniqueness overlay (slapo-unique) for this task.
Example to enforce unique UID numbers:
In /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add "olcModuleLoad: {3}unique" (replace "3" with the highest existing number plus one).
Now attach the overlay to the database as its own child entry: the olcUniqueURI attribute belongs to an entry olcOverlay={0}unique under the database, i.e. /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb/olcOverlay={0}unique.ldif (with objectClass olcOverlayConfig and olcUniqueConfig), not to olcDatabase={1}bdb.ldif itself; there add e.g. "olcUniqueURI: ldap:///?uidNumber?sub". As with the size limit, prefer applying this with ldapmodify against cn=config rather than editing the files while slapd is running. Note that the overlay only checks writes that go through slapd (add, modify, modrdn): duplicates that already exist are not reported, and slapadd bypasses overlays, so check for existing duplicates before you enable it.
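The uniqueness setup above as an added LDIF example for ldapmodify (not from the original page). It loads the module and creates the overlay as a child entry of the database. The database DN olcDatabase={1}mdb,cn=config is an assumption, and olcModulePath is assumed to already point at the directory containing unique.la (Debian ships it in /usr/lib/ldap). It goes one step beyond the page's single uidNumber rule and makes gidNumber unique as well; every olcUniqueURI value is an independent uniqueness domain, so the two attributes are checked separately.

```ldif
# Added example: load the unique overlay module. slapd appends the {N}
# index itself, so no number has to be chosen by hand. Assumes olcModulePath
# already points at the directory that contains unique.la.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: unique

# Added example: attach the overlay to the main database (assumed
# olcDatabase={1}mdb) as its own child entry. olcUniqueURI belongs here,
# not on the database entry. Each value is an independent domain; no base
# DN is given, so the database's own suffix is the search base, and scope
# "sub" covers the whole tree below it.
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: unique
olcUniqueURI: ldap:///?uidNumber?sub
olcUniqueURI: ldap:///?gidNumber?sub
```

Before applying it with ldapmodify -Y EXTERNAL -H ldapi:/// -f unique.ldif, list the duplicates that are already there, for example with ldapsearch -LLL -x -b dc=example,dc=com uidNumber | grep '^uidNumber:' | sort | uniq -d (base DN assumed), because the overlay will not complain about them and will only reject new writes that would create another collision. After the change, an add or modify that reuses an existing uidNumber fails with "Constraint violation (19)", which is the error to expect in the provisioning tool's log.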
Indices speed up searches in the LDAP directory; without them slapd has to walk every entry for each lookup, and on a large directory this shows up in the log as lines like "<= bdb_equality_candidates: (uid) not indexed" (mdb_equality_candidates with back-mdb). The following indices are recommended (slapd.conf syntax; in slapd.d each line becomes one olcDbIndex value on the database entry). Note that "index default sub" only sets the index types for index lines that omit their own type list, it does not index every attribute. After adding indices to slapd.conf on an existing database, stop slapd and run slapindex so the indices are built for the entries already present.
index objectClass eq
index default sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index cn,sn,uid,displayName pres,sub,eq
# Samba 3.x
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
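The same index set as an added LDIF example for a slapd.d installation (not part of the original page), using olcDbIndex on the assumed database entry olcDatabase={1}mdb,cn=config. It uses "replace", so the list must contain every index you want, including the ones the distribution created by default; the Samba lines require the Samba schema to be loaded, otherwise slapd rejects the whole modify.

```ldif
# Added example: set the complete index list for the main database in one go.
# "replace" overwrites all existing olcDbIndex values, so list everything.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbIndex
# equality index on objectClass: used by nearly every search filter
olcDbIndex: objectClass eq
# only used by index lines that omit their own type list; every line below
# names its types, so this value has no effect here and is kept for parity
# with the slapd.conf list above
olcDbIndex: default sub
# NSS/PAM lookups by numeric id and by group membership
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
# name lookups: presence, substring and equality
olcDbIndex: cn,sn,uid,displayName pres,sub,eq
# Samba 3.x (requires the samba schema to be loaded)
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaDomainName eq
```

Apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f index.ldif. With cn=config, slapd starts rebuilding the changed indices itself once the modify succeeds, which can take a while and load the server on a large directory, so do it outside peak hours; on a slapd.conf installation the equivalent is stopping slapd and running slapindex. Afterwards the "not indexed" lines should disappear from the log for the attributes listed.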