apt-get install slapd ldap-utils ldapvi
By default the server will use cn=config, you can edit it with ldapvi:
ldapvi -Y EXTERNAL -h ldapi:// -b cn=config
To edit the tree as admin:
ldapvi -h ldap://server -D cn=admin,dc=example,dc=com
Disallow anonymous bind:
0 cn=config [...] olcDisallows: bind_anon
Enable TLS with starttls:
0 cn=config [...] olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem olcTLSCertificateKeyFile: /etc/ldap/ssl/privkey.pem
Force use of TLS
11 olcDatabase={1}mdb,cn=config
[...]
olcSecurity: tls=1
You can now connect with tls with:
ldapvi -ZZ -h ldap://server -D cn=admin,dc=example,dc=com
Disable read access to all by dropping the line olcAccess: {2}to * by * read in olcDatabase={1}mdb,cn=config
Reset replication and copy whole database from a given server (rid)
slapd -d sync -u openldap -g openldap -h ldap://ldap3.example.com -c rid=000,csn=0
slapcat > dump.ldif slapcat -b cn=config > config.ldif