Symas OpenLDAP 2.6 Upgrade Information

The OpenLDAP 2.6 admin guide has an appendix on upgrading and is suggested reading. The following steps are distilled from that guide.

Slapd upgrades

• The pwdCheckModule option has been moved to the overlay configuration. Existing settings in password policy entries will be ignored. It will be necessary to add this configuration directive to the overlay when upgrading if it is currently in use.
• back-monitor: In 2.5 and prior, the managedInfo attribute in the cn=Log entry could be used to change the loglevel of the slapd process. In 2.6, monitorLogLevel can be used to change the slapd log level and monitorDebugLevel can be used to change the slapd debug level.

Lloadd upgrades

• Backends for lloadd are now grouped in tiers specifying the balancing strategy. OpenLDAP 2.6 configurations must be updated to account for this change.

Upgrade Instructions

General Pre-upgrade Notes

• All back-bdb or back-hdb databases must be converted to back-mdb databases while on 2.4 before starting the upgrade process.
• The slapd configuration should be backed up prior to upgrading.
• If the slapd-ldap or slapd-meta backends are being used, confirm they are not using keywords deprecated in OpenLDAP 2.4.

Upgrade OpenLDAP 2.4 to OpenLDAP 2.6

This section covers the upgrade process for moving from OpenLDAP 2.4 to OpenLDAP 2.6 and is broken into 3 sections:

• General Upgrade Procedure information that applies to all deployments
• Symas OpenLDAP Gold specific upgrade notes
• Symas OpenLDAP for Linux specific upgrade notes

---

General Upgrade Procedure

---

1. Stop the current 2.4 slapd process.
2. Take a backup of existing binary database(s) via slapcat. This should include any accesslog databases if using delta-syncrepl.
3. If using cn=config, export it via slapcat:
1. slapcat -n0 -l /path/to/slapd24-config.ldif
2. cp slapd24-config.ldif slapd26-config.ldif
4. If using slapd.conf:
1. mv slapd.conf slapd.conf.24
2. cp slapd.conf.24 slapd.conf.26
5. Uninstall the OpenLDAP 2.4 server and client binaries:
• For Symas OpenLDAP Gold, remove symas-openldap-gold.
• For RHEL Symas OpenLDAP for Linux, remove symas-openldap-clients symas-openldap-servers.
• For Debian/Ubuntu Symas OpenLDAP for Linux, remove ldap-utils slapd.
6. Modify the existing configuration for OpenLDAP 2.6 as documented below depending on what binaries were in use.
7. Install the new Symas OpenLDAP 2.6 client and binary packages for the desired operating system.
8. Review systemd configuration.
9. If slapd.conf is in use:
• cp slapd.conf.26 /opt/symas/etc/openldap/slapd.conf
10. If cn=config is in use:
1. Move aside any existing /opt/symas/etc/openldap/slapd.d directory.
2. mkdir -p /opt/symas/etc/openldap/slapd.d
3. slapadd -n 0 -l /path/to/slapd26-config.ldif -F /opt/symas/etc/openldap/slapd.d
4. If a non-root user is used for the slapd process:
• chown -R slapduser:slapdgroup /opt/symas/etc/openldap/slapd.d
11. Start slapd:
    • systemctl start slapd

 

---

Symas OpenLDAP Gold specific upgrade notes

---

The following upgrade notes are specific to Symas OpenLDAP Gold deployments.

• Any existing /opt/symas/etc/openldap/slapd.d directory should be renamed prior to import
• The modulepath must be changed to /opt/symas/lib/openldap
• The OTP_2FA overlay was renamed to OTP in OpenLDAP 2.5
Any reference to "otp_2fa" in the configuration file must be replaced with "otp"
• If multival is in use the configuration must be updated for the 2.6 syntax and set the "default" keyword
For example Symas OpenLDAP Gold multival settings of:
multivallo 10
multivalhi 50
Would become:
multival default 50,10
For config databases, it would be: olcDbMultival: default 50,10

• Remoteauth TLS handling was rewritten
• remoteauth_tls_pin was renamed to remoteauth_tls_peerkey_hash
• The individual TLS configuration variables:
• remoteauth_cacert_dir
• remoteauth_cacert_file
• remoteauth_starttls
• remoteauth_validate_certs
Are replaced with a single keyword: remoteauth_tls
Existing configurations must update accordingly.
• ppolicy overlay changes
If the ppolicy (not ppolicy10) overlay is in use, then the ppolicy schema must be removed from the configuration file.
• ppolicy10 overlay changes
If the ppolicy10 (not ppolicy) overlay is in use, then all references to "ppolicy10" must be changed to "ppolicy" in the configuration file.

 

---

Symas OpenLDAP for Linux upgrade notes

---

The following upgrade notes are specific to Symas OpenLDAP for Linux deployments

• The modulepath must be changed to /opt/symas/lib/openldap
• If the current deployment uses back-hdb or back-bdb it should be upgraded to use back-mdb first
• slapd.conf/cn=config need to have the pidfile path adjusted to /var/symas/run
• slapd.conf/cn=config need to have the argsfile path adjusted to /var/symas/run
• The default database root is /var/symas/openldap-data. It may be desirable to change to this location when importing databases.
• If ppolicy is being used, the ppolicy schema must be removed from slapd.conf/cn=config

 
Need help? Email: support@symas.com