LDAP configuration for slapd-sock / slapo-sock / back-sock

Question

Current system: CentOS 7.9, OpenLDAP 2.4

I would like to implement a "hook" into my LDAP operations so that when an ldapadd or ldapmodify operation takes place, a script is run in addition to the normal database operations. From my web searches, it appears that LDAP has a "socket overlay" mechanism that I've seen referred to as slapd-sock, slapo-sock, and back-sock. (Are all these the same thing, or have I missed an important difference?)

Here's a sample configuration from an old thread question of lines that are intended to be added to slapd.conf:

overlay sock
extensions binddn peername ssf connid
socketpath sockoverlay-listener
sockops modify add

All of the examples and man pages I've found so far show configuration lines to be added to slapd.conf. However, I've also seen that slapd.conf is on its way out as a means of controlling LDAP. I'd like to set something up with some stability, especially since I know I'll be upgrading to AlmaLinux 9.1 and OpenLDAP 2.6 before the end of the year.

My question is: How do I specify the above options within an LDIF file? Note that I'm not asking how to use the ldapmodify command. I'm asking how, from the above slapd.conf configuration, do I derive the appropriate cn, objectClass, and attributes to put into the LDIF file to enable back-sock (or whatever it's called)?

I know this is possible, since the OpenLDAP release notes indicate fixes that have been to controlling socket overlays from cn=config, but I can't find any examples of how to do it.

Answer 1

I found the answer to my question, or rather, I found out how to find out the answer to my question.

The key to learning the LDAP cn=config cn, objectClass, and attributes for any given slapd.conf configuration is to create a dummy slapd.conf file, then use slaptest.

In my case, I created a slap-mod.conf:

include         /etc/openldap/schema/core.schema
database  hdb
suffix "dc=myoffice,dc=mycompany,dc=org"
rootdn "cn=Manager,dc=myoffice,dc=mycompany,dc=org"

modulepath /usr/lib64/openldap
moduleload back_sock.la

overlay sock
extensions binddn peername ssf connid
socketpath sockoverlay-listener
sockops modify add

I need to have just enough of a database definition for slaptest not to complain.

Then I ran

mkdir -p /tmp/slapd
slaptest -u -f slapd-mod.conf -F /tmp/slapd

When I looked at the /tmp/slapd/cn=config/ directory, I saw the statements I needed. I haven't tried it yet, but it appears I need two LDIF files, After stripping out the usual {0} from slaptest, and adding a couple of tweaks to the dn:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: back_sock.la

dn: olcOverlay=sock,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcOvSocketConfig
olcOverlay: sock
olcDbSocketPath: sockoverlay-listener
olcDbSocketExtensions: binddn
olcDbSocketExtensions: peername
olcDbSocketExtensions: ssf
olcDbSocketExtensions: connid
olcOvSocketOps: modify
olcOvSocketOps: add

Edit

After I figured it out and tried the above, I wound up "bricking" my LDAP server: it would no longer accept modify commands. Obviously this had to do with my not actually providing a backend script yet.

However, it turns out that while it's easy to add a line like dn: olcOverlay=sock,olcDatabase={2}hdb,cn=config, I couldn't delete it; whether this was due to the back-sock configuration or something else I can't say. I had to restore the entire LDAP configuration and database from backup.

Lesson learned: Just because you can do something via cn=config doesn't mean you should do something via cn=config. I would have been better off sticking to slapd.conf (assuming that file still works in CentOS7/OpenLDAP2.4) so configuration changes would be easy to back out.

How this will work when slapd.conf is finally, completely obsoleted is anyone's guess.