[opensuse-factory] OpenLDAP users please take note of important changes in the recent upgrades
Hello fellow Tumbleweed users.

If you are running OpenLDAP service on Tumbleweed, please take note of several important changes made in the recent package upgrades, that may require manual changes made to OpenLDAP configuration before the server can be brought online again. Please read the changelog thoroughly:
https://build.opensuse.org/package/view_file/network:ldap/openldap2/openldap...

While previously all database backend modules were built into the daemon executable (hence automatically loaded), now they require to be loaded on-demand. Depending on your choice of LDAP configuration style, you may need to take the following action:

- If you use slapd.conf, please add directive "modulepath" and "moduleload" to the file, and specify all database engine modules used by your OpenLDAP setup. The default configuration contains an example for your reference:
  https://build.opensuse.org/package/view_file/network:ldap/openldap2/slapd.co...

- If you use Online Configuration (cn=config), the same directives must be added to the configuration, however there are many ways to do this, and in general the procedure is more complicated. One way to accomplish it is:
  * Shut down OpenLDAP server.
  * Temporarily remove olcDatabase from cn=config by moving its entries out of /etc/openldap/slapd.d/cn=config
  * Start OpenLDAP server.
  * Use normal mechanism (ldapmodify/ldapadd) to add modulepath and moduleload directive. Here's a link to external website with more information on this topic:
    http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-modules
  * Stop OpenLDAP server and move olcDatabase entries back to original location.

By making the upgrade, I overlooked Yast Authentication Server module and forgot to adapt it to the changes, which means the module cannot be used to create new LDAP server instance - although it should still be able to manage an existing instance. The issue is on top of my priority list and will be addressed soon. And my apologies for the inconvenience.

For now, if you wish to create a new OpenLDAP instance using Online Configuration (cn=config, similar to the Yast module's operation), please follow the instructions in:
https://build.opensuse.org/package/view_file/network:ldap/openldap2/slapd.co...

Here are the bug reports, feel free to follow them and comment on your thoughts:
https://bugzilla.suse.com/show_bug.cgi?id=964924
https://bugzilla.suse.com/show_bug.cgi?id=959760

Kind regards,
Howard

Howard Guo wrote:
> If you are running OpenLDAP service on Tumbleweed, please take note of several important changes made in the recent package upgrades,
Thanks for pointing out this.
> While previously all database backend modules were built into the daemon executable (hence automatically loaded), now they require to be loaded on-demand. Depending on your choice of LDAP configuration style, you may need to take the following action:
> - If you use slapd.conf, please add directive "modulepath" and "moduleload" to the file, and specify all database engine modules used by your OpenLDAP setup. The default configuration contains an example for your reference:
>   https://build.opensuse.org/package/view_file/network:ldap/openldap2/slapd.co...
IMHO it's not necessary to add (platform-specific) modulepath to slapd.conf or cn=config because the default path used with moduleload is defined at compile-time. I've double-checked my local installations based on the new packages on various platforms that there is *no* modulepath directive set. You would only need to set modulepath if you have custom backend or overlay modules installed into a separate location which is a very exotic use-case likely not relevant to 99.9% of the openSUSE/SLES users.
> - If you use Online Configuration (cn=config), the same directives must be added to the configuration, however there are many ways to do this, and in general the procedure is more complicated.
Note that it was confirmed that static configuration (slapd.conf) will still be supported in upcoming OpenLDAP 2.5.
> One way to accomplish it is:
> * Shut down OpenLDAP server.
> * Temporarily remove olcDatabase from cn=config by moving its entries out of /etc/openldap/slapd.d/cn=config
NO! Do not muck with the LDIF files in /etc/openldap/slapd.d/! You have been warned.

While the LDIF files in /etc/openldap/slapd.d look just like text files, the only officially supported way to directly tweak them is to
1. export cn=config with slapcat to an external LDIF file,
2. edit this external LDIF file,
3. remove *all* files in /etc/openldap/slapd.d/,
4. import external LDIF file to cn=config again.
> Here's a link to external website with more information on this topic:
> http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-modules
Preferably the OpenLDAP 2.4 Administrator's Guide should be read:
http://www.openldap.org/doc/admin24/slapdconf2.html

I'm also reading the openldap-technical mailing list with additional attention for postings referring to these openSUSE packages.

Ciao, Michael.
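
The following check is an added example, not part of either message and not code from the openSUSE packages: given the text of a slapd.conf or of a cn=config export made with slapcat, it lists the database backends that are configured but have no matching moduleload / olcModuleLoad, so the gap can be found before slapd refuses to start. It assumes modules are named back_<type> and that only the config and frontend databases need no module; the sample export is constructed and abridged.

```python
import re
# Assumption: only these database types need no module; adjust for your build.
BUILTIN = {"config", "frontend"}

# slapd.conf: "database hdb"         / "moduleload back_hdb.la"
# cn=config:  "olcDatabase: {1}hdb"  / "olcModuleLoad: {0}back_hdb.la"
DB_RE = re.compile(r"^(?:database\s+|olcDatabase:\s*(?:\{-?\d+\})?)(\w+)\s*$", re.I)
MOD_RE = re.compile(r"^(?:moduleload\s+|olcModuleLoad:\s*(?:\{\d+\})?)(\S+)", re.I)

def missing_backend_modules(text):
    """Return the sorted backend types that are configured but never loaded."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    used, loaded = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = DB_RE.match(line)
        if m:
            used.add(m.group(1).lower())
            continue
        m = MOD_RE.match(line)
        if m:  # strip any directory and the .la/.so suffix
            loaded.add(m.group(1).rsplit("/", 1)[-1].split(".", 1)[0].lower())
    return sorted(b for b in used - BUILTIN if "back_" + b not in loaded)

# Constructed sample: cn=config export with an hdb database and no module entry.
EXPORT_BEFORE = """\
dn: cn=config

dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
"""
# Constructed: module entry added to the export, ahead of the database entries.
MODULE_ENTRY = """
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb.la
"""
EXPORT_AFTER = EXPORT_BEFORE.replace("\ndn: olcDatabase", MODULE_ENTRY + "\ndn: olcDatabase", 1)

print(missing_backend_modules(EXPORT_BEFORE), missing_backend_modules(EXPORT_AFTER))
```
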