slaptest Command in Linux: Validate OpenLDAP slapd Configuration

slaptest parses and checks OpenLDAP slapd configuration before service startup or a configuration change on RHEL-family servers using openldap-servers.

Published

Updated

Read time 8 min read

Reviewed byDeepak Prasad

slaptest Command in Linux: Validate OpenLDAP slapd Configuration
About slaptest parses and checks OpenLDAP slapd configuration before service startup or a configuration change on RHEL-family servers using openldap-servers.
Tested on Rocky Linux 10.2; OpenLDAP 2.6.10; openldap-servers from EPEL
Package openldap-servers (apt/deb) · openldap-servers (dnf/rpm)
Man page slaptest(8)
Privilege root
Distros RHEL-family with openldap-servers (EPEL)
Related guide

slaptest — quick reference

Validate configuration

slaptest parses slapd configuration and checks its sanity. It does not authenticate as an LDAP user; -u is dry-run mode, which allows configuration checking even if databases cannot be opened. On this lab host the configuration directory is /etc/openldap/slapd.d, database 0 is cn=config, and database 2 is the MDB data backend for dc=example,dc=com.

When to use Command
Check the default server configuration sudo slaptest
Check cn=config without opening databases sudo slaptest -u
Name the RHEL dynamic configuration directory explicitly sudo slaptest -F /etc/openldap/slapd.d
Check one database number sudo slaptest -F /etc/openldap/slapd.d -n 2
Check only the config database sudo slaptest -F /etc/openldap/slapd.d -n 0
Suppress all normal output and use only the exit status sudo slaptest -Q -F /etc/openldap/slapd.d
Print verbose diagnostic information sudo slaptest -v -F /etc/openldap/slapd.d
Raise debug detail (often to syslog) sudo slaptest -d 256 -F /etc/openldap/slapd.d
Pass a generic option such as schema checking sudo slaptest -o schema-check=no -F /etc/openldap/slapd.d

Help

When to use Command
Open the full manual man slaptest
Confirm the installed OpenLDAP build slapd -V

slaptest — command syntax

Synopsis from OpenLDAP 2.6:

text
/usr/sbin/slaptest [-d debug-level] [-f slapd.conf] [-F confdir] [-ndbnum]
[-o option[=value]] [-Q] [-u] [-v]

-F reads a cn=config directory and -n limits checking to a database number. -u is dry-run mode, not an LDAP-user identity check. -Q intentionally emits no normal message, so scripts must inspect its exit status. -d increases diagnostic detail; on many builds most messages go to syslog rather than the terminal.


slaptest — command examples

Essential Check the server's default configuration

Run the basic check after an LDAP configuration change and before restarting slapd. The command reads the default configuration location selected by this package build.

bash
sudo slaptest

On a valid configuration, the command reports success.

output
config file testing succeeded

This confirms the parser accepted the configuration; it does not prove client binds, TLS certificates, DNS, or ACL behavior.

Essential Check configuration without opening databases

Use -u when you want to validate configuration syntax even when the data backends are unavailable. This does not run as an LDAP user.

bash
sudo slaptest -u -F /etc/openldap/slapd.d

Sample output:

output
config file testing succeeded

The success line means the configuration passed the dry-run check; investigate any warning or nonzero exit status before starting the service.

Essential Test the RHEL cn=config directory explicitly

On RHEL-family installations, name /etc/openldap/slapd.d so the command cannot fall back to a different default configuration source.

bash
sudo slaptest -F /etc/openldap/slapd.d

Valid configuration normally prints config file testing succeeded. This is the check to place in a change runbook after editing cn=config.

Common Test only the cn=config database

Limit the check to database 0 when isolating a dynamic-configuration problem.

bash
sudo slaptest -F /etc/openldap/slapd.d -n 0

Sample output:

output
config file testing succeeded

Database 0 is always cn=config; a failure here usually points to schema, module, or olc* syntax rather than user data.

Common Test one configured data database

Limit the check to one database when isolating a data-backend problem. Confirm the database number on your host before using it in a script.

bash
sudo slaptest -F /etc/openldap/slapd.d -n 2

Sample output:

output
config file testing succeeded

Index 2 is the lab MDB database for dc=example,dc=com; it is not a universal OpenLDAP convention.

Common Use quiet mode in a script

-Q leaves the exit code as the only success signal. It is useful in automation after you have already tested the command interactively.

bash
sudo slaptest -Q -F /etc/openldap/slapd.d

On success there is no output and the exit status is 0. In a script, branch on $? rather than looking for the normal success sentence.

Common Raise debug while investigating a failure

-d increases diagnostic detail. On success you may still see only the normal success line; on failure, check stderr and syslog for the first reported error.

bash
sudo slaptest -d 256 -F /etc/openldap/slapd.d

Sample output:

output
config file testing succeeded

When configuration is valid, treat -d as preparation for failure cases — rerun with the same level after the first error appears.

Advanced Pass a generic -o option

-o forwards generic options documented for slap tools. Some options apply only to import utilities and produce a warning here.

bash
sudo slaptest -o schema-check=no -F /etc/openldap/slapd.d

Sample output:

output
schema-check meaningless for tool.
config file testing succeeded

The warning shows schema-check is not meaningful for slaptest; the configuration still parsed successfully.

Advanced Request verbose details while debugging

When a normal check is insufficient, add -v and capture the output with the change record. Do not paste secrets from configuration into tickets.

bash
sudo slaptest -v -F /etc/openldap/slapd.d

On this build the visible result is still the standard success line when configuration is valid. Use journal or syslog alongside -v when you need module-load traces.

Advanced Gate startup after an offline slapadd restore

Run slaptest after slapadd and before systemctl start slapd in a restore runbook.

bash
sudo slaptest -F /etc/openldap/slapd.d && echo "safe to attempt start"

Sample output:

output
config file testing succeeded
safe to attempt start

A passing check means configuration parsing succeeded; follow with ldapsearch after the service is up to confirm data visibility.


slaptest — when to use / when not

Use slaptest whenUse something else when
  • You changed `cn=config` or a legacy `slapd.conf` and need a pre-start sanity check
  • You are diagnosing why `slapd` does not start
  • You need a scriptable configuration validation gate after slapadd
  • You want to test one database index in isolation

slaptest vs ldapsearch

slaptest ldapsearch
Validates Local slapd configuration parsing LDAP connectivity, bind, ACLs, and entries
Connection Opens local configuration Uses LDAP/LDAPS/ldapi URI
Best time Before start or after config edit After service is running
Success proves Configuration is syntactically sane A client can perform the requested search
MDB data files May open backends unless -u dry-run Reads through the running server only

A successful slaptest should be followed by a targeted ldapsearch after service startup when validating a production change. slaptest does not replace an export sanity check with slapcat when you need to confirm directory contents on disk.


These commands cover the server configuration, data maintenance, and client verification workflow.

Command One line
ldapsearch Test a live query and inspect directory entries.
ldapmodify Apply online configuration or entry changes through LDAP.
slapcat Export server configuration or data to LDIF.
slapadd Load LDIF into an offline backend.
slappasswd Generate password hashes for LDIF entries.

Browse the full Linux commands cheat sheet reference.


slaptest — interview corner

What does slaptest validate?

It opens and parses OpenLDAP configuration and checks its sanity. It is a configuration test, not a complete service-health test.

A strong answer is:

"I run slaptest before restarting slapd after configuration changes; then I use ldapsearch to verify the running service."

What does slaptest -u do?

It enables dry-run mode. Configuration can pass even if databases cannot be opened; it does not select an LDAP user.

A strong answer is:

"The -u flag is dry run. It checks configuration without failing merely because a backend cannot be opened."

How should a script use slaptest -Q?

Because -Q suppresses normal output, the script should treat exit status 0 as success and any other status as failure.

A strong answer is:

"With -Q I inspect the exit code, not stdout, and fail the deployment before restarting slapd if it is nonzero."

Does config file testing succeeded prove LDAP is healthy?

No. It does not test listener reachability, certificates, authentication, ACLs, replication, or application queries.

A strong answer is:

"It proves configuration parsing succeeded. I still validate the running service with a least-privilege LDAP query and review logs."

What does slaptest -n 0 check?

It limits validation to database 0, the cn=config backend.

A strong answer is:

"I use -n 0 after olc changes and -n 2 when I want to focus on the data MDB backend on our lab server."

Where does slaptest fit in a slapadd restore?

After an offline slapadd load and before systemctl start slapd. It catches config syntax problems early; ldapsearch confirms live data afterward.

A strong answer is:

"slapadd loads data offline, slaptest gates startup, ldapsearch proves the directory answers clients."


Troubleshooting

Symptom Likely cause Fix
config file testing failed Syntax, schema, include, module, or path error Read the first error, correct that source, and rerun slaptest.
slaptest -Q prints nothing Quiet mode is working Check $?; 0 means success.
-u unexpectedly passes while data is unavailable Dry-run mode does not require database opening Run a normal check without -u and then test the running service separately.
Default check reads the wrong configuration Multiple config sources or packaging defaults Use -F /etc/openldap/slapd.d explicitly.
Test succeeds but clients fail Network, TLS, bind DN, ACL, or service issue Start or reload slapd and validate with ldapsearch and server logs.
-d shows no extra detail on success Debug may go to syslog on this build Inspect journalctl -u slapd while rerunning with a failing config.
-o schema-check=no warns then succeeds Option is meaningful for import tools, not slaptest Ignore the warning or remove the irrelevant option from the test command.
-n 2 fails after data restore MDB path, permissions, or corrupt files from interrupted slapadd Verify ownership, restore from slapcat backup, and rerun slapadd -u -v on a disposable copy.
Config passes but slapd still exits immediately Runtime module, certificate, or socket conflict Compare slaptest success with slapd -d foreground logs for errors after startup.

References

Rohan Timalsina

is a technical writer and Linux enthusiast who writes practical guides on Linux commands and system administration. He focuses on simplifying complex topics through clear explanations.