Symas OpenLDAP 2.5 upgrade information
- General upgrade information applies to all deployments
- Symas OpenLDAP 2.4 specific upgrade notes
General upgrade notes
The OpenLDAP 2.5 admin guide has an appendix on upgrading and is suggested reading. The following steps are distilled from that guide.
Slapd upgrades
- The pwdCheckModule option has been moved to the overlay configuration. Existing settings in password policy entries will be ignored. It will be necessary to add this configuration directive to the overlay when upgrading if it is currently in use.
- back-monitor: In 2.5 and prior, the managedInfo attribute in the cn=Log entry could be used to change the loglevel of the slapd process. In 2.5, monitorLogLevel can be used to change the slapd log level and monitorDebugLevel can be used to change the slapd debug level.
- Contrib lastbind module: The lastbind-precision configuration item has been moved into slapd and must be removed from the lastbind overlay configuration. The contrib lastbind overlay should only be deployed consumers and combined with chain to forward to its providers
- Contrib lastbind module: It is not possible to use the lastbind module at this time due to ITS#9725
- Backends for lloadd are now grouped in tiers specifying the balancing strategy. OpenLDAP 2.5 configurations must be updated to account for this change.
Symas OpenLDAP 2.4 Upgrade information
This section covers the upgrade process for moving from OpenLDAP 2.4 to OpenLDAP 2.5, and is broken into 3 sections.- General upgrade information that applies to all deployments
- Symas OpenLDAP Gold specific upgrade notes
- Symas OpenLDAP for Linux specific upgrade notes
- All back-bdb or back-hdb databases must be converted to back-mdb databases while on 2.4 before starting the upgrade process
- The slapd configuration should be backed up prior to upgrading.
- If the slapd-ldap or slapd-meta backends are being used, confirm they are not using keywords deprecated in OpenLDAP 2.4
- Stop the current 2.4 slapd process
- Take a backup of existing binary database(s) via slapcat. This should include any accesslog databases if using delta-syncrepl
- If using cn=config, export it via slapcat
- slapcat -n0 -l /path/to/slapd24-config.ldif
- cp slapd24-config.ldif slapd25-config.ldif
- If using slapd.conf
- mv slapd.conf slapd.conf.24
- cp slapd.conf.24 slapd.conf.25
- Uninstall the OpenLDAP 2.4 server and client binaries
- For Symas OpenLDAP Gold, remove symas-openldap-gold
- For RHEL Symas OpenLDAP for Linux, remove symas-openldap-clients symas-openldap-servers
- For Deb/Ubuntu Symas OpenLDAP for Linux, remove ldap-utils slapd
- Modify the existing configuration for OpenLDAP 2.5 as documented below depending on what binaries were in use
- Install the new Symas OpenLDAP 2.5 client and binary packages for the desired operating system
- Review systemd configuration
- If slapd.conf is in use
- cp slapd.conf.25 /opt/symas/etc/openldap/slapd.conf
- systemctl start slapd
- If cn=config is in use
- Move aside any existing /opt/symas/etc/openldap/slapd.d directory
- mkdir -p /opt/symas/etc/openldap/slapd.d
- slapadd -n 0 -l /path/to/slapd25-config.ldif -F /opt/symas/etc/openldap/slapd.d
- If a non-root user is used for the slapd process:
- chown -R slapduser:slapdgroup /opt/symas/etc/openldap/slapd.d
- systemctl start slapd
- Any existing /opt/symas/etc/openldap/slapd.d directory should be renamed prior to import
- The modulepath must be changed to /opt/symas/lib/openldap
- The OTP_2FA overlay was renamed to OTP in OpenLDAP 2.5 Any reference to "otp_2fa" in the configuration file must be replaced with "otp"
- If multival is in use the configuration must be updated for the 2.5 syntax and set the "default" keyword For example Symas OpenLDAP Gold multival settings of:
- Remoteauth TLS handling was rewritten
- remoteauth_tls_pin was renamed to remoteauth_tls_peerkey_hash
- The individual TLS configuration variables:
- remoteauth_cacert_dir
- remoteauth_cacert_file
- remoteauth_starttls
- remoteauth_validate_certs
- ppolicy overlay changes If the ppolicy (not ppolicy10) overlay is in use, then the ppolicy schema must be removed from the configuration file.
- ppolicy10 overlay changes If the ppolicy10 (not ppolicy) overlay is in use, then all references to "ppolicy10" must be changed to "ppolicy" in the configuration file.
- The modulepath must be changed to /opt/symas/lib/openldap
- If the current deployment uses back-hdb or back-bdb it should be upgraded to use back-mdb first
- slapd.conf/cn=config need to have the pidfile path adjusted to /var/symas/run
- slapd.conf/cn=config need to have the argsfile path adjusted to /var/symas/run
- The default database root is /var/symas/openldap-data. It may be desirable to change to this location when importing databases.
- If ppolicy is being used, the ppolicy schema must be removed from slapd.conf/cn=config
General upgrade notes
The OpenLDAP 2.5 admin guide has an appendix on upgrading and is suggested reading. The following steps are distilled from that guide.
Symas OpenLDAP Gold specific upgrade notes
The following upgrade notes are specific to Symas OpenLDAP Gold deployments.
multivallo 10
multivalhi 50
Would become:
multival default 50,10
For config databases, it would be: olcDbMultival: default 50,10
Existing configurations must update accordingly.
Symas OpenLDAP for Linux upgrade notes
The following upgrade notes are specific to Symas OpenLDAP for Linux deployments
Need help? Email: [email protected]