At this point, we have configured our slapd.conf file. We are now ready to start our server. There are two different ways to run the SLAPD server: we can either use the init script provided with the distribution, or we can run the slapd command directly. Each way has its advantages, and we will look at both here.
Using the Init Script
The OpenLDAP packages that are installed with Ubuntu include a startup script that is located, along with other service startup scripts, in the /etc/init.d/ directory. The scripts in /etc/init.d/, usually referred to as the init scripts, are used to automatically start and stop services when the system run level changes (when the system boots, halts, or reboots). By default, OpenLDAP should be configured to start when the server boots, and stop during halts and reboots.
The ldap init script provides a convenient way to start, stop, and restart the server. You can start it (if it is not already running) with the Ubuntu invoke-rc.d command:
$ sudo invoke-rc.d slapd start
You can use the same script to stop the server. Just change start to stop:
$ sudo invoke-rc.d slapd stop
Similarly, to restart, use the restart command instead of start or stop.
The init scripts set up default parameters and pass in many system options. Some of these are stored in a separate configuration file located at /etc/default/slapd. For example, by setting the SLAPD_USER and SLAPD_GROUP variables to a particular system user ID and group ID, you can run SLAPD as a user other than the default.
The OpenLDAP server must start as root in order to bind to the correct TCP/IP port (389 or 636 by default). Then it will switch to the user account and group specified in the file located at /etc/default/slapd. Ubuntu creates a special user and group, named openldap, for running SLAPD. Other distributions run SLAPD as root, which is not a good idea from a security point of view.
Other settings, such as logging settings, can also be made in this configuration file.
Running SLAPD Directly
Sometimes, it is useful to start SLAPD directly from the command line. This may make it easier to see error messages when the server fails to start, or to test configurations before making any changes to the init script or its configuration files.
To start the SLAPD server directly, simply run the slapd command:
$ sudo slapd
This will start the SLAPD server in the background.
If you compiled OpenLDAP from source, the slapd command will be at /usr/local/libexec/, which is not, by default, in $PATH. You will have to run the command using its full path, /usr/local/libexec/slapd.
The server will write its process ID to the location specified in the pidfile directive in slapd.conf. In our case, this is /var/run/slapd/slapd.pid. We can stop the server by using the standard kill command:
$ sudo kill `cat /var/run/slapd/slapd.pid`
This command first uses the cat program to print the contents of the file (which is simply the process ID of slapd). Note that the cat command is surrounded by backticks (`), not single quotes ('). The backticks tell the shell to treat the statement as a command to be executed. The process ID is then passed to the kill command, which instructs the process to shut itself down.
In cases where the slapd.pid file is not available, you might find it more expedient to kill the server with this command:
$ sudo kill `pgrep slapd`
Sometimes though, it is more useful to start the command in the foreground, and set debugging information to print out in the terminal window. This can be done quite easily as well:
$ sudo slapd -d config
In the command above, we use the -d flag to print logging information to the shell’s standard output. This means that slapd will print information to the terminal window. The -d flag takes one parameter: the debugging level. We have specified config, which instructs the server to print verbose logging information about the processing of the configuration file.
The output looks something like this:
@(#) $OpenLDAP: slapd 2.3.24 (Jun 16 2006 23:35:48) $
mbutcher@bezer:/home/mbutcher/temp/openldap-2.3.24/servers/slapd
reading config file /etc/ldap/slapd.conf
line 6 (include /etc/ldap/schema/core.schema)
reading config file /etc/ldap/schema/core.schema
line 44 (rootdn "cn=Manager,dc=example,dc=com")
line 45 (rootpw ***)
line 47 (directory /var/lib/ldap)
line 48 (index objectClass eq)
index objectClass 0x0004
line 49 (index cn eq,sub,pres,approx)
index cn 0x071e
slapd starting
This is another useful way to ferret out configuration issues. The -d flag will take any of the debugging levels specified in the slapd.conf man page. I find acl useful for debugging access problems, and filter is often useful in figuring out trouble with searches.
When -d is specified, the program will run in the foreground. To stop the server, simply hit CTRL+C. This will stop the server and return you to a shell prompt.
Other useful command line parameters to use with slapd are -u and -g. Each takes one argument: -u takes a username and -g takes a groupname. These control the effective UID and GID (user ID and group ID) that SLAPD runs as. Once SLAPD has started and connected to the appropriate ports (which it must do as root), it will switch its UID and GID to the names specified in these parameters.
To get a list of other command line flags that we can use with slapd, refer to the man page for slapd.
You can verify that slapd is running by checking if /var/run/slapd/slapd.pid exists, or by running pgrep slapd, which will display the process ID of slapd if it’s running. If no process ID number is returned, slapd is not running.
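
The pidfile check above can be made stricter, since a pidfile may outlive a crashed server and a running slapd may still hold root. The following is an added example, not code from the original text: slapd_state is a hypothetical helper name, and it assumes a Linux /proc filesystem such as the one on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original text). slapd_state is a hypothetical
# helper; it assumes a Linux /proc filesystem, as found on Ubuntu.
#
# Usage: slapd_state [PIDFILE] [PROCESS_NAME]
# Prints one status word. Returns 0 only when the PID in the pidfile is
# alive, belongs to the named process, and has an effective UID other than 0.
slapd_state() {
    pidfile=${1:-/var/run/slapd/slapd.pid}
    name=${2:-slapd}

    # No pidfile: fall back to pgrep if you still suspect a running server.
    if [ ! -r "$pidfile" ]; then
        echo "no-pidfile"; return 1
    fi

    # Accept only a plain decimal PID; anything else is a damaged pidfile.
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "bad-pidfile"; return 1 ;;
    esac

    # A pidfile can outlive a crashed server, so confirm the PID exists.
    if [ ! -r "/proc/$pid/status" ]; then
        echo "stale-pidfile"; return 1
    fi

    # PIDs are reused: make sure this PID still belongs to slapd.
    comm=$(cat "/proc/$pid/comm")
    if [ "$comm" != "$name" ]; then
        echo "pid-reused"; return 1
    fi

    # The Uid: line lists the real, effective, saved and filesystem UIDs.
    # Effective UID 0 means the switch to SLAPD_USER (or -u) did not happen.
    euid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status")
    if [ "$euid" = "0" ]; then
        echo "running-as-root"; return 2
    fi
    echo "running-unprivileged"
}
```

Source the file and call slapd_state with no arguments to check the pidfile location used in this chapter; a result of running-as-root means the settings in /etc/default/slapd or the -u and -g flags should be reviewed.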