slaptest — quick reference
Validate configuration
slaptest parses slapd configuration and checks its sanity. It does not authenticate as an LDAP user; -u is dry-run mode, which allows configuration checking even if databases cannot be opened. On this lab host the configuration directory is /etc/openldap/slapd.d, database 0 is cn=config, and database 2 is the MDB data backend for dc=example,dc=com.
| When to use | Command |
|---|---|
| Check the default server configuration | sudo slaptest |
Check cn=config without opening databases |
sudo slaptest -u |
| Name the RHEL dynamic configuration directory explicitly | sudo slaptest -F /etc/openldap/slapd.d |
| Check one database number | sudo slaptest -F /etc/openldap/slapd.d -n 2 |
| Check only the config database | sudo slaptest -F /etc/openldap/slapd.d -n 0 |
| Suppress all normal output and use only the exit status | sudo slaptest -Q -F /etc/openldap/slapd.d |
| Print verbose diagnostic information | sudo slaptest -v -F /etc/openldap/slapd.d |
| Raise debug detail (often to syslog) | sudo slaptest -d 256 -F /etc/openldap/slapd.d |
| Pass a generic option such as schema checking | sudo slaptest -o schema-check=no -F /etc/openldap/slapd.d |
Help
| When to use | Command |
|---|---|
| Open the full manual | man slaptest |
| Confirm the installed OpenLDAP build | slapd -V |
slaptest — command syntax
Synopsis from OpenLDAP 2.6:
/usr/sbin/slaptest [-d debug-level] [-f slapd.conf] [-F confdir] [-ndbnum]
[-o option[=value]] [-Q] [-u] [-v]-F reads a cn=config directory and -n limits checking to a database number. -u is dry-run mode, not an LDAP-user identity check. -Q intentionally emits no normal message, so scripts must inspect its exit status. -d increases diagnostic detail; on many builds most messages go to syslog rather than the terminal.
slaptest — command examples
Essential Check the server's default configuration
Run the basic check after an LDAP configuration change and before restarting slapd. The command reads the default configuration location selected by this package build.
sudo slaptestOn a valid configuration, the command reports success.
config file testing succeededThis confirms the parser accepted the configuration; it does not prove client binds, TLS certificates, DNS, or ACL behavior.
Essential Check configuration without opening databases
Use -u when you want to validate configuration syntax even when the data backends are unavailable. This does not run as an LDAP user.
sudo slaptest -u -F /etc/openldap/slapd.dSample output:
config file testing succeededThe success line means the configuration passed the dry-run check; investigate any warning or nonzero exit status before starting the service.
Essential Test the RHEL cn=config directory explicitly
On RHEL-family installations, name /etc/openldap/slapd.d so the command cannot fall back to a different default configuration source.
sudo slaptest -F /etc/openldap/slapd.dValid configuration normally prints config file testing succeeded. This is the check to place in a change runbook after editing cn=config.
Common Test only the cn=config database
Limit the check to database 0 when isolating a dynamic-configuration problem.
sudo slaptest -F /etc/openldap/slapd.d -n 0Sample output:
config file testing succeededDatabase 0 is always cn=config; a failure here usually points to schema, module, or olc* syntax rather than user data.
Common Test one configured data database
Limit the check to one database when isolating a data-backend problem. Confirm the database number on your host before using it in a script.
sudo slaptest -F /etc/openldap/slapd.d -n 2Sample output:
config file testing succeededIndex 2 is the lab MDB database for dc=example,dc=com; it is not a universal OpenLDAP convention.
Common Use quiet mode in a script
-Q leaves the exit code as the only success signal. It is useful in automation after you have already tested the command interactively.
sudo slaptest -Q -F /etc/openldap/slapd.dOn success there is no output and the exit status is 0. In a script, branch on $? rather than looking for the normal success sentence.
Common Raise debug while investigating a failure
-d increases diagnostic detail. On success you may still see only the normal success line; on failure, check stderr and syslog for the first reported error.
sudo slaptest -d 256 -F /etc/openldap/slapd.dSample output:
config file testing succeededWhen configuration is valid, treat -d as preparation for failure cases — rerun with the same level after the first error appears.
Advanced Pass a generic -o option
-o forwards generic options documented for slap tools. Some options apply only to import utilities and produce a warning here.
sudo slaptest -o schema-check=no -F /etc/openldap/slapd.dSample output:
schema-check meaningless for tool.
config file testing succeededThe warning shows schema-check is not meaningful for slaptest; the configuration still parsed successfully.
Advanced Request verbose details while debugging
When a normal check is insufficient, add -v and capture the output with the change record. Do not paste secrets from configuration into tickets.
sudo slaptest -v -F /etc/openldap/slapd.dOn this build the visible result is still the standard success line when configuration is valid. Use journal or syslog alongside -v when you need module-load traces.
Advanced Gate startup after an offline slapadd restore
Run slaptest after slapadd and before systemctl start slapd in a restore runbook.
sudo slaptest -F /etc/openldap/slapd.d && echo "safe to attempt start"Sample output:
config file testing succeeded
safe to attempt startA passing check means configuration parsing succeeded; follow with ldapsearch after the service is up to confirm data visibility.
slaptest — when to use / when not
| Use slaptest when | Use something else when |
|---|---|
|
|
slaptest vs ldapsearch
| slaptest | ldapsearch | |
|---|---|---|
| Validates | Local slapd configuration parsing |
LDAP connectivity, bind, ACLs, and entries |
| Connection | Opens local configuration | Uses LDAP/LDAPS/ldapi URI |
| Best time | Before start or after config edit | After service is running |
| Success proves | Configuration is syntactically sane | A client can perform the requested search |
| MDB data files | May open backends unless -u dry-run |
Reads through the running server only |
A successful slaptest should be followed by a targeted ldapsearch after service startup when validating a production change. slaptest does not replace an export sanity check with slapcat when you need to confirm directory contents on disk.
Related commands
These commands cover the server configuration, data maintenance, and client verification workflow.
| Command | One line |
|---|---|
| ldapsearch | Test a live query and inspect directory entries. |
| ldapmodify | Apply online configuration or entry changes through LDAP. |
| slapcat | Export server configuration or data to LDIF. |
| slapadd | Load LDIF into an offline backend. |
| slappasswd | Generate password hashes for LDIF entries. |
Browse the full Linux commands cheat sheet reference.
slaptest — interview corner
What does slaptest validate?
It opens and parses OpenLDAP configuration and checks its sanity. It is a configuration test, not a complete service-health test.
A strong answer is:
"I run slaptest before restarting slapd after configuration changes; then I use ldapsearch to verify the running service."
What does slaptest -u do?
It enables dry-run mode. Configuration can pass even if databases cannot be opened; it does not select an LDAP user.
A strong answer is:
"The -u flag is dry run. It checks configuration without failing merely because a backend cannot be opened."
How should a script use slaptest -Q?
Because -Q suppresses normal output, the script should treat exit status 0 as success and any other status as failure.
A strong answer is:
"With -Q I inspect the exit code, not stdout, and fail the deployment before restarting slapd if it is nonzero."
Does config file testing succeeded prove LDAP is healthy?
No. It does not test listener reachability, certificates, authentication, ACLs, replication, or application queries.
A strong answer is:
"It proves configuration parsing succeeded. I still validate the running service with a least-privilege LDAP query and review logs."
What does slaptest -n 0 check?
It limits validation to database 0, the cn=config backend.
A strong answer is:
"I use -n 0 after olc changes and -n 2 when I want to focus on the data MDB backend on our lab server."
Where does slaptest fit in a slapadd restore?
After an offline slapadd load and before systemctl start slapd. It catches config syntax problems early; ldapsearch confirms live data afterward.
A strong answer is:
"slapadd loads data offline, slaptest gates startup, ldapsearch proves the directory answers clients."
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
config file testing failed |
Syntax, schema, include, module, or path error | Read the first error, correct that source, and rerun slaptest. |
slaptest -Q prints nothing |
Quiet mode is working | Check $?; 0 means success. |
-u unexpectedly passes while data is unavailable |
Dry-run mode does not require database opening | Run a normal check without -u and then test the running service separately. |
| Default check reads the wrong configuration | Multiple config sources or packaging defaults | Use -F /etc/openldap/slapd.d explicitly. |
| Test succeeds but clients fail | Network, TLS, bind DN, ACL, or service issue | Start or reload slapd and validate with ldapsearch and server logs. |
-d shows no extra detail on success |
Debug may go to syslog on this build | Inspect journalctl -u slapd while rerunning with a failing config. |
-o schema-check=no warns then succeeds |
Option is meaningful for import tools, not slaptest |
Ignore the warning or remove the irrelevant option from the test command. |
-n 2 fails after data restore |
MDB path, permissions, or corrupt files from interrupted slapadd |
Verify ownership, restore from slapcat backup, and rerun slapadd -u -v on a disposable copy. |
Config passes but slapd still exits immediately |
Runtime module, certificate, or socket conflict | Compare slaptest success with slapd -d foreground logs for errors after startup. |
References
- OpenLDAP slaptest(8) manual{: target="_blank" rel="noopener" }
- OpenLDAP slapd(8) manual{: target="_blank" rel="noopener" }
- OpenLDAP Administrator's Guide — configuration{: target="_blank" rel="noopener" }
- Install and configure OpenLDAP on RHEL Linux
- Configure cn=config with the MDB backend
- OpenLDAP ACL examples
