OpenLdapCnConfigMigration

Differences between revisions 3 and 4
Revision 3 as of 2008-05-30 23:05:06
Size: 3344
Editor: dsl-216-254-165-243
Comment:
Revision 4 as of 2008-06-05 21:19:36
Size: 3161
Editor: dsl-216-254-165-243
Comment:
Line 26: Line 26:

== Assumptions ==
 * Chris install the slapd package and can use the new cn=config tree to manage his LDAP tree using standard LDAP command tools.
 * Don upgrades his LDAP directory and can use LDAP queries and updates to change the ACLs of object in the directory.
 * Erwan installs an application that uses an ldap schema. After installing, the new features are automatically available in the LDAP directory.
Line 32: Line 33:
The new configuration backend in explained in the OpenLDAP administrator Guide: http://www.openldap.org/doc/admin24/slapdconf2.html
Line 42: Line 44:
 1. Enable the config database using rootdn="cn=admin,cn=config" and the root password stored in debconf.  1. Enable the config database using rootdn="cn=admin,cn=config". The password will either be extracted from the existing database or the user will be prompted to enter a new one.
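Review bot: Step 1's new wording, "extracted from the existing database", does not say which database's credential is reused or in what form it is carried over. It also says the user "will be prompted" without covering an upgrade that runs with no prompt available. Suggest naming the source of the password and stating the fallback for non-interactive upgrades.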
Line 44: Line 46:
 3. Rename the old slapd.conf to slapd.conf.bak.  3. Rename the old slapd.conf to slapd.conf.bak and update /etc/default/slapd to use the new cn=config backend.
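Review bot: Step 3 now edits /etc/default/slapd but does not name the setting that changes, and it does not say that the rename and the edit happen only after the conversion in step 2 succeeds. Suggest stating both. Suggest also saying what permissions slapd.conf.bak keeps, since step 1 implies the old configuration can hold the admin password.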
Line 47: Line 49:

=== UI Changes ===

## Should cover changes required to the UI, or specific UI that is required to implement this

=== Code Changes ===

## Code changes should include an overview of what needs to change, and in some cases even the specific details.

=== Migration ===

## Include:
## * data migration, if any
## * redirects from old URLs to new ones, if any
## * how users will be pointed to the new way of doing things, if necessary.

== Test/Demo Plan ==

## It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release.

## This need not be added or completed until the specification is nearing beta.

Summary

OpenLDAP version 2.3 introduced a special DIT called cn=config that can be used to replace the slapd.conf file.

Release Note

Rationale

slapd.conf has certain drawbacks: adding schema files or creating new databases requires editing slapd.conf. Future versions of OpenLDAP will drop support for slapd.conf.

cn=config enables programmatic access to slapd configuration, such as loading additional schemas.

Use Cases

  • Chris installs the slapd package and can use the new cn=config tree to manage his LDAP tree using standard LDAP command tools.
  • Don upgrades his LDAP directory and can use LDAP queries and updates to change the ACLs of objects in the directory.
  • Erwan installs an application that uses an LDAP schema. After installing, the new features are automatically available in the LDAP directory.

Design

The new configuration backend is explained in the OpenLDAP Administrator's Guide: http://www.openldap.org/doc/admin24/slapdconf2.html

Implementation

cn=config migration

A new installation will enable cn=config by default.

On upgrade, the postinst script will try to convert slapd.conf to cn=config:

  1. Enable the config database using rootdn="cn=admin,cn=config". The password will either be extracted from the existing database or the user will be prompted to enter a new one.
  2. Convert slapd.conf using slapd -f and -F options.
  3. Rename the old slapd.conf to slapd.conf.bak and update /etc/default/slapd to use the new cn=config backend.
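
The three upgrade steps above, as an added shell example (this is not the slapd package's postinst code). It uses slaptest, which takes the same -f and -F options as slapd. The function names, the constructed sample file, the choice to reuse the first rootpw hash in the file, and the refusal to carry over a cleartext password are assumptions of this example.

```shell
# Added example: names and the sample file are constructed, not from the package.
sample_conf() {   # constructed slapd.conf fragment
    cat <<'EOF'
include /etc/ldap/schema/core.schema
database bdb
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}CONSTRUCTEDconstructedHASHvalue0000
EOF
}

# Print the first hashed rootpw in slapd.conf $1. Returns 1 if there is none,
# 2 if it is cleartext, so the caller can prompt for a new password instead.
extract_rootpw() {
    pw=$(awk 'tolower($1) == "rootpw" { print $2; exit }' "$1")
    [ -n "$pw" ] || return 1
    case $pw in
        "{CLEARTEXT}"*) return 2 ;;
        "{"*"}"?*) printf '%s\n' "$pw" ;;
        *) return 2 ;;
    esac
}

# Step 1: copy conf $1 to $3 (created mode 0600) with a config database
# section using hash $2 placed ahead of the first database directive.
# The hash is passed through the environment, not the awk command line.
add_config_db() {
    (umask 077; PW=$2 awk '
        function stanza() {
            printf "database config\nrootdn \"cn=admin,cn=config\"\n"
            printf "rootpw %s\n\n", ENVIRON["PW"]
            done = 1
        }
        tolower($1) == "database" && !done { stanza() }
        { print }
        END { if (!done) stanza() }' "$1" > "$3")
}

# Steps 2 and 3: $1 = slapd.conf, $2 = empty target directory, $3 = account
# slapd runs as. The old file is renamed only after a successful conversion.
migrate() {
    pw=$(extract_rootpw "$1") || { echo "no hashed rootpw: prompt" >&2; return 1; }
    add_config_db "$1" "$pw" "$1.tmp" || return 1
    slaptest -f "$1.tmp" -F "$2"; rc=$?
    rm -f "$1.tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    chown -R "$3" "$2" && chmod -R go-rwx "$2" || return 1
    mv "$1" "$1.bak" && chmod 600 "$1.bak"   # backup may still hold rootpw hashes
}

if [ "$#" -eq 3 ]; then migrate "$@"; fi
```

Updating /etc/default/slapd is left out because the page does not name the setting that changes.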

[http://www.zytrax.com/books/ldap/ch6/slapd-config.html Chapter 6: OpenLDAP using cn=config - Converting to use cn=config]

Outstanding Issues

BoF agenda and discussion


CategorySpec

OpenLdapCnConfigMigration (last edited 2008-08-06 16:36:04 by localhost)