Hello all,
We are planning an upgrade from OpenLDAP 2.4 to 2.6. We would like some guidance on the upgrade path.
We are currently looking over the upgrade guides:
- https://www.openldap.org/doc/admin25/appendix-upgrading.html
- https://www.openldap.org/doc/admin26/appendix-upgrading.html
Currently, we build OpenLDAP from source to create the RPMs and then install them. We are building version 2.4.56-4. Originally they were built for CentOS 7, but we've recently converted to AWS AL2023. We have 3 mdb write instances (synced to each other) and then many hdb read instances (consumers) syncing to those.
The following are the RPMs built:
- openldap-2.4.56-4.el7.x86_64.rpm
- openldap-clients-2.4.56-4.el7.x86_64.rpm
- openldap-compat-2.4.56-4.el7.x86_64.rpm
- openldap-debuginfo-2.4.56-4.el7.x86_64.rpm
- openldap-devel-2.4.56-4.el7.x86_64.rpm
- openldap-servers-2.4.56-4.el7.x86_64.rpm
We plan on addressing the components listed in those guides earlier and to build/install version 2.6 as we have before. We have run into an issue before where CPU spiked on our consumers when we tried to change them to mdb, which stopped the 2.5 upgrade, but now we're thinking of upgrading and changing the backend to mdb at the same time for the upgrade. We wanted to see if anyone has any advice or caveats that they've run into during their upgrades and to see if this general upgrade path is good.
We appreciate any help anyone can offer with the OpenLDAP upgrade. Thanks!
Hi,
I recently moved our LDAP servers from 2.4 to 2.6 without any problems. I use the RPMs for Rocky Linux 9.
We have a master/replica infrastructure with a mirrored master and three replica servers. I installed the new servers in parallel to the old structure.
- I exported the cn=config database of the master server into an ldif file. In the ldif file, I changed the olcServerID entries from the old to the new master servers.
- I changed the Mirrormode entry:
# olcMirrorMode: TRUE
olcMultiProvider: TRUE
- I deleted the ppolicy schema entry, because it's not supported in 2.6:
# dn: cn={8}ppolicy,cn=schema,cn=config
- I changed the syncrepl-directives of the mirrored masters to point to the new servers:
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=003 provider=ldap://ldap-master-1
olcSyncrepl: {1}rid=004 provider=ldap://ldap-master-2

dn: olcDatabase={2}mdb,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap-master-1
olcSyncrepl: {1}rid=002 provider=ldap://ldap-master-2
- I deleted the slapd.d directory of the new servers:
# rm -rf /etc/openldap/slapd.d
- I created the new database directories:
# cd /var/lib/ldap
# mkdir db1 log
# chown ldap:ldap *
- I imported the ldif file to the new master:
# slapadd -n0 -l config.ldif -F /etc/openldap/slapd.d -w
# chown -R ldap:ldap slapd.d
- Before exporting the user data, I changed the database of the old master servers to read-only:
dn: olcDatabase={2}mdb,cn=config
olcSuffix: dc=mydomain,dc=de
olcReadOnly: TRUE
- I exported the user data of the old servers into an ldif file:
# /usr/sbin/slapcat -H ldap:///dc=mydomain,dc=de??sub? -l user.ldif
Before importing the file to the new server, I deleted the contextCSN attribute of the entries in the file.
# rm -f /var/lib/ldap/db1/*
# slapadd -n2 -l user.ldif -w
# chown -R ldap:ldap /var/lib/ldap/db1
# systemctl start slapd
Installing the replica servers was nearly the same. They get their data from the master server.
If you use SELinux, you have to configure it for ldap:
# dnf install policycoreutils-python-utils
# semanage fcontext -a -t slapd_log_t /var/log/slapd.log
# restorecon -Rv /etc/openldap
In the end, I stopped the old servers, switched the service ip of our ldap to the new replica servers and the clients work as before with just a very short break.
On 14.10.2024 at 21:03, gsafcik+ldap@gmail.com wrote:
Regards, Dirk
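The config and data edits in Dirk's steps above, as an added Python example that is not from the thread or from the OpenLDAP project: it rewrites a `slapcat -n0` export (drops the ppolicy schema entry, renames olcMirrorMode to olcMultiProvider, repoints the ldap:// URIs in olcServerID and olcSyncrepl to the new hosts) and strips contextCSN from the user-data export before slapadd. The host_map argument, the old-master-* names and the sample LDIF at the bottom are constructed assumptions; the suffix and new host names are the ones Dirk posted.

```python
import re

def parse_ldif(text):
    # Entries are separated by blank lines; a leading space folds onto the previous line.
    entries, cur = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]
        elif not raw.strip():
            if cur:
                entries.append(cur)
                cur = []
        elif not raw.startswith("#"):          # drop LDIF comment lines
            cur.append(raw)
    return entries + ([cur] if cur else [])

def dump_ldif(entries):
    return "\n\n".join("\n".join(e) for e in entries) + "\n"

def migrate_config(text, host_map):
    """Apply the cn=config edits from the thread: drop the ppolicy schema entry,
    rename olcMirrorMode to olcMultiProvider, repoint ldap:// URIs to new hosts."""
    out = []
    for entry in parse_ldif(text):
        if re.match(r"^dn: cn=\{\d+\}ppolicy,cn=schema,cn=config$", entry[0], re.I):
            continue                            # schema ships inside the ppolicy module in 2.6
        new = []
        for line in entry:
            if line.startswith("olcMirrorMode:"):
                line = "olcMultiProvider:" + line[len("olcMirrorMode:"):]
            elif line.startswith(("olcServerID:", "olcSyncrepl:")):
                for old, nw in host_map.items():   # whole host only: stop at /, :, space or end
                    line = re.sub(r"ldap://%s(?=[/:\s]|$)" % re.escape(old), "ldap://" + nw, line)
            new.append(line)
        out.append(new)
    return dump_ldif(out)

def strip_contextcsn(text):
    # Drop the old servers' contextCSN from the slapcat export before slapadd on the new provider.
    return dump_ldif([[l for l in e if not l.lower().startswith("contextcsn:")] for e in parse_ldif(text)])

# Constructed sample (suffix and new host name as in the thread, everything else invented).
CONFIG = """dn: olcDatabase={2}mdb,cn=config
olcMirrorMode: TRUE
olcSyncrepl: {0}rid=001 provider=ldap://old-master-1 searchbase="dc=mydomain,dc=de"
  bindmethod=simple

dn: cn={8}ppolicy,cn=schema,cn=config
"""
```

Run `migrate_config(CONFIG, {"old-master-1": "ldap-master-1"})` and diff the result against the original export before feeding it to `slapadd -n0`.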
--On Tuesday, October 15, 2024 10:16 AM +0200 Dirk Kastens dirk.kastens@uni-osnabrueck.de wrote:
> - I deleted the ppolicy schema entry, because it's not supported in 2.6:
> # dn: cn={8}ppolicy,cn=schema,cn=config
Slight wording nit. It was moved to be contained in the ppolicy module rather than as a separate schema item, since having it as a separate schema item caused issues when the schema was changed due to later ppolicy specification changes.
> - I exported the user data of the old servers into an ldif file:
> # /usr/sbin/slapcat -H ldap:///dc=mydomain,dc=de??sub? -l user.ldif
Probably better just to use slapcat with the -b option rather than a URI here.
--Quanah
openldap-technical@openldap.org