S 4.385 Configuration of the database used by OpenLDAP
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
In OpenLDAP, settings for the database management system (DBMS) actually in use can be made using configuration directives. These settings are only available for the BerkeleyDB via the "back-bdb" or "back-hdb" backends. They have no direct impact on the function and operation of OpenLDAP, but a major effect on the performance of the directory service. Only security-relevant settings and frequent sources of error are listed below; for other settings, a database specialist should be consulted where necessary. The temporary storage (cache) and transaction log settings, for example, gain performance at the expense of optimum integrity, a trade-off that must be weighed carefully on a case-by-case basis.
- dbDirectory or olcDbDirectory
Using this directive, the storage location of the database files on the IT system on which the slapd server runs can be defined. The user ID in whose context OpenLDAP runs must have write privileges for this directory.
- dbConfig or olcDbConfig
The settings made in this directive are specific to the database and are written to the "DB_CONFIG" file of the DBMS. If no such file exists yet, it is created when this directive is used. Note that subsequent changes to the target file itself, for example with a text editor, overwrite the settings selected in this directive. It must therefore be specified who makes which settings, and how. Changes to the directive always force a restart of the DBMS, but not of the slapd server. Depending on the size and settings of the database, this may take considerable time, during which the directory service is unavailable. Changes to the database configuration should therefore be planned with due care and, wherever possible, implemented in maintenance windows, for example at night or at the weekend.
- dbIndex or olcDbIndex
Using this directive, the attributes of directory service objects for which an index is to be created can be specified. Without an index, every object must be retrieved and checked during a search. To improve availability, frequent searches should therefore be supported by an index. Missing but desirable indexes can be identified from the OpenLDAP logs (see S 4.407 Logging when using OpenLDAP). If the logs frequently report that access to the index of a specific attribute failed, a corresponding index should be set up. The indexes stated in the directive are generated automatically by the slapd server. If the slapd server is stopped during the indexing procedure, indexing is not resumed automatically; in this case it must be carried out using the "slapindex" tool.
- dbMode or olcDbMode
Using this directive, the file permissions applied to newly created database files are defined. The default setting 0600 or -rw------- grants access only to the user ID in whose context the slapd server runs. This default setting is appropriate and should not be changed.
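As an added check that is not part of the safeguard text, the following POSIX shell script audits a dbDirectory for database files that are not owned by the slapd user ID or that deviate from the default dbMode 0600; the directory path and user name are assumptions to be adapted locally, and the demonstration runs on a constructed temporary directory.

```shell
#!/bin/sh
# Audit an OpenLDAP database directory (dbDirectory / olcDbDirectory):
# every file must be owned by the slapd user ID and carry dbMode 0600,
# i.e. no group or world permission bits. Added example; the path and
# user name passed in are assumptions, not values from the safeguard.

# check_db_dir DIR USER
# Prints each offending file; returns 1 if anything is found, 0 if clean,
# 2 if the directory does not exist.
check_db_dir() {
    dir=$1
    user=$2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing database directory: $dir" >&2
        return 2
    fi
    # Files not owned by the slapd user ID
    for f in $(find "$dir" -type f ! -user "$user"); do
        echo "wrong owner (expected $user): $f"
        rc=1
    done
    # Files with any group or other permission bit set (not 0600)
    for f in $(find "$dir" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                                   -o -perm -o+r -o -perm -o+w -o -perm -o+x \)); do
        echo "permissions too open (expected 0600): $f"
        rc=1
    done
    return $rc
}

# Stand-alone demonstration on a constructed directory with one clean
# file and one deliberately world-readable file (returns 1).
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/id2entry.bdb" "$tmp/dn2id.bdb"
    chmod 600 "$tmp/id2entry.bdb"
    chmod 644 "$tmp/dn2id.bdb"
    check_db_dir "$tmp" "$(id -un)"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run as the audited user or as root, e.g. `check_db_dir /var/lib/ldap openldap`, and treat any non-zero return as a finding for the review question below.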
Review questions:
- Are the access rights for newly created database files limited to the user ID in whose context the slapd server is run?