Appendix C. Typical OpenLDAP settings

Some basic hints to configure the OpenLDAP server:

Size limit:

You will get a message like "LDAP sizelimit exceeded, not all entries are shown." when you hit the LDAP search limit.

OpenLDAP allows by default 500 return values per search, if you have more users/groups/hosts please change this:


e.g. "sizelimit 10000" or "sizelimit -1" for unlimited return values


e.g. "olcSizeLimit: 10000" or "olcSizeLimit: -1" for unlimited return values in /etc/ldap/slapd.d/cn=config.ldif

Unique attributes:

There are cases where you do not want that same attribute values exist multiple times in your database. A good example are UID/GID numbers.

OpenLDAP provides the attribute uniqueness overlay for this task.

Example to force unique UID numbers:

In /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif add "olcModuleLoad: {3}unique" (replace "3" with the highest existing number plus one).

Now in /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif add e.g. "olcUniqueURI: ldap:///?uidNumber?sub"


Indices will improve the performance when searching for entries in the LDAP directory. The following indices are recommended:

index objectClass eq
index default sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index cn,sn,uid,displayName pres,sub,eq
# Samba 3.x
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq