LinuxQuestions.org
Forum: Linux - Newbie
#1  05-09-2007, 02:39 AM
Xera (LQ Newbie; Registered: Oct 2006; Location: NW Ohio; Distribution: RHEL 4)
Replacing & Upgrading LDAP server from OpenLDAP 2.2 to current version (2.3.32)


We're having intermittent issues with our current LDAP box appearing to stop responding. As a precautionary measure, my company has decided to simultaneously replace the server (to eliminate the possibility of hardware issues) and upgrade to the latest version of OpenLDAP. I am feeling as though I seriously got in over my head (2 very basic RHEL training classes and a bit of fumbling are the only experience I've got). I've tried scanning through a few LDAP tutorials and googled LDAP migrations, but the closest info I found was for upgrading on the same box from, say, 2.1 to 2.2 or 2.2 to 2.3, and I'm concerned that by using a completely separate server we've added additional considerations.

I've installed Fedora Core 6 on my new server (the old one was running Core 2), applied all the patches/updates, and done my best to ensure it's not responding on any unnecessary ports (no sendmail, cups, telnet, etc.). I've run the installation for the OpenLDAP software as per the quick-start guide I found here: http://www.openldap.org/doc/admin23/quickstart.html and there were no issues. I've gotten to step #8 - Editing the config file, and now I'm starting to have some questions.
After digging out the instructions for vi again (I can use remote desktop type stuff to get into X, but it's hideously choppy, so I'm using an ssh connection) I started making changes. Here's the slapd.conf from the production server with my questions inserted:
Quote:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
I was initially informed that we're running version 2.2 something of LDAP. Does this actually indicate we're running an older version, and will that complicate this migration? (I'm wondering now if the person who told me that was confused about the version of Core vs. the version of LDAP software.)
Quote:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema


include /usr/local/etc/openldap/schema/qmaildhcp.schema

#include /usr/local/etc/openldap/schema/sendmail.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
None of the items in bold were listed in the new config. Some of these files are already in that directory, but qmaildhcp.schema, sendmail.schema, and RADIUS-LDAPv3.schema are not. Does anyone have a link to a decent summary of what schemas are (the ldap man page didn't even mention them) so I can find out what these are for, and whether or not I need to copy them over, modify the existing ones, etc.?
Quote:
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
In the file I'm editing on the new server, these pathnames don't include "/var". I'm torn as to whether or not to change the paths listed so they match, especially since I don't see a slapd.pid or slapd.args in either directory on the new server. (They are both in the appropriate directory on the old one.) Given the change in version, what would be the best option: copy them from the existing server, or get them another way (are these files missing perhaps because I haven't finished the quick-start steps, like starting slapd?)

Quote:
loglevel 256
sizelimit 500000
<snip> (removing a bunch of commented out stuff)
database ldbm
suffix "dc=bcs,dc=com"

#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=bcs,dc=com"
#rootdn "cn=Manager,o=My Organization Name,c=US"
#updatedn "cn=Manager,dc=bcs,dc=com"
This bit varies from the new one... my understanding is that I should make the new one match the old one exactly; please let me know if this is patently incorrect. (Following is what's in the new one, in case it matters):
Quote:
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
Quote:
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw <snip>
I duplicated this pw in the new config.
Quote:
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.

directory /usr/local/var/openldap-ldbm
I am assuming (hate assuming) that I should modify the new config to match on this line, and will be putting the new database in this directory. This is what the new config states:
Quote:
directory /usr/local/var/openldap-data
As there is not currently an openldap-ldbm directory, I would have to create it as well. Would this be the best course of action, or would it be better to import the database into the existing directory and leave this line in the new config as it stands?

Quote:
#cache
cachesize 10000000
dbcachesize 100000000
timelimit 180000

# Indices to maintain
#index default eq
index objectClass pres,eq
index cn,rccd,cmac,mail,uid,clientClass,class pres,eq
index uidNumber,gidNumber,userPassword pres,eq
index mailLocalAddress,mailRoutingAddress,accountStatus pres,eq
index mailAlternateAddress pres,eq

#define a replica
replogfile /usr/local/var/openldap/slapd.replog
replica host= <snip>
binddn="cn=Manager,dc=bcs,dc=com"
bindmethod=simple credentials=<snip>
As these lines are not in the new config at all, would it be appropriate to add them in? Once I get through the process of setting up the config, I will probably also need some direction on a good way to actually move the database. Some of the recommendations I've seen for backup/restoration are utilities like slapcat, ldapbackup, etc. I haven't researched this part as thoroughly, but if anyone has any suggestions on where to direct my research on "phase 2" that would also be much appreciated.

Thanks to anyone that's read through all this - I know it's pretty darn long.
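Several of the questions in the post above are answered by the config's own comments (rootpw should not be cleartext, the file should not be world readable, the database directory should be mode 700) and by what is missing on the new box (schema files that the include lines point at). As an added example that is not part of the original post, the Python script below audits an old-style slapd.conf for exactly those points and generates a {SSHA} rootpw in the same format slappasswd(8) emits. The sample config is constructed from the fragments quoted in the post, with the snipped replica host and passwords replaced by the placeholders ldap2.bcs.com and secret; the exists and file_mode parameters are an assumption of this example so it can run on a machine without OpenLDAP installed.

```python
"""Added example (not from the thread): audit a slapd.conf for the points
its own comments raise, and hash the rootpw the way slappasswd(8) does."""
import base64
import hashlib
import hmac
import os
import re
import stat

# Constructed sample: the poster's 2.2-era slapd.conf, condensed.
# "ldap2.bcs.com" and "secret" stand in for the values snipped in the post.
SAMPLE_CONF = """\
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/qmaildhcp.schema
pidfile /usr/local/var/slapd.pid
database ldbm
suffix "dc=bcs,dc=com"
rootdn "cn=Manager,dc=bcs,dc=com"
rootpw secret
directory /usr/local/var/openldap-ldbm
replica host=ldap2.bcs.com
        binddn="cn=Manager,dc=bcs,dc=com"
        bindmethod=simple credentials=secret
"""

HASHED_PW = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.IGNORECASE)


def parse_conf(text):
    """Return [(directive, args)] for a slapd.conf, joining continuation
    lines (a directive continues on lines that start with whitespace)
    and dropping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            directive, args = entries[-1]
            entries[-1] = (directive, args + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def real_mode(path):
    """Permission bits of an existing path, or None if it is absent."""
    return stat.S_IMODE(os.stat(path).st_mode) if os.path.exists(path) else None


def audit_conf(text, exists=os.path.exists, file_mode=real_mode):
    """Return a list of findings. `exists` and `file_mode` are injectable
    (an assumption of this example) so the audit can run against the
    constructed sample on a box with no OpenLDAP installed."""
    findings = []
    for directive, args in parse_conf(text):
        if directive == "include" and not exists(args):
            findings.append("include: schema file not found: " + args)
        elif directive == "database" and args.lower() == "ldbm":
            findings.append("database: ldbm backend; the 2.3 default config uses bdb, "
                            "so reload the data with slapcat/slapadd instead of copying files")
        elif directive == "rootpw" and not HASHED_PW.match(args.strip('"')):
            findings.append("rootpw: cleartext; use the {SSHA} form from slappasswd")
        elif directive == "directory":
            mode = file_mode(args)
            if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("directory: %s is group/world accessible (mode %o); "
                                "chmod 700 as the config comment says" % (args, mode))
        elif directive == "replica" and "credentials=" in args:
            findings.append("replica: cleartext credentials for %s in the config; keep the "
                            "file mode 600 and bind as a dedicated replication DN, not the rootdn"
                            % args.split()[0])
    return findings


def ssha_hash(password, salt=None):
    """{SSHA} value in slappasswd's format: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (the salt is the tail of the blob)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    # Simulate the new box: only core.schema present, database dir created with 755.
    for finding in audit_conf(SAMPLE_CONF,
                              exists=lambda p: p.endswith("/core.schema"),
                              file_mode=lambda p: 0o755):
        print(finding)
    print("rootpw " + ssha_hash("secret"))
```

Once the new server is built, call audit_conf(open(path).read()) with the defaults so it checks the real files. The pidfile and argsfile the post asks about are written by slapd itself when it starts, so their absence before the first start is expected; what matters is that the directory they point at exists and is writable by the user slapd runs as.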
 
#2  05-11-2007, 07:11 AM
kstan (Member; Registered: Sep 2004; Location: Malaysia, Johor; Distribution: Dual boot MacOS X/Ubuntu 9.10)
Hi Xera,
I'm not too strong in ldap but I try my best to help you.
And, to avoid inconsistency in your database, better not to copy/paste your data directly into the new server.
You can use jxplorer to import/export your ldap database. However, are you sure you need the qmail/sendmail/radius schema? What services is your server running?

Finally, please don't use Fedora Core 6 as your server. Since it is a mission-critical server, it is better you use CentOS 4 (or 5); it is 99% the same as RedHat 4.

Regards,
Ks
 
#3  05-21-2007, 05:02 PM
Xera (LQ Newbie, Original Poster; Registered: Oct 2006; Location: NW Ohio; Distribution: RHEL 4)
Thanks for the input. Sorry it took me so long to get back to you. I understand your suggestion to not just copy over the database; I could see a number of issues that would result, given that we're changing the version of the OS as well as the version of OpenLDAP. I will include jxplorer in my research to migrate the database.

We're not running any of those services on this box (which is what prompted my concern), although we do have a separate Radius server, so the RADIUS-LDAPv3.schema might be necessary. I'll see if that file is viewable, perhaps. Then I could see if maybe it's pointing to the IP of our Radius server or if it's just for local stuff.

Unfortunately, I don't have much say in the version of OS we use. We're primarily using either windoze or Core as the operating systems on our servers here, and I'd really need to be able to back up a request to dive into another OS at this time. (Even if it is just another Linux distro.)

Tonight I'm going to try to slog through some LDAP tutorials and see if I get any more answers, but if there's anyone out there that knows more, I'd REALLY appreciate any feedback you could give me.
 
#4  05-21-2007, 08:32 PM
kstan (Member; Registered: Sep 2004; Location: Malaysia, Johor; Distribution: Dual boot MacOS X/Ubuntu 9.10)
If you are not hosting the RADIUS services on this server, I think the RADIUS schema is not necessary. If this server only hosts simple LDAP services (like user info, address book), then

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

is more than enough.

Set up whatever the server needs, based only on your requirements.
CentOS is the free, open-source version of Red Hat; I strongly recommend you try it rather than use FC.
regards,
Ks
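Whether the qmaildhcp, sendmail and RADIUS schema files are needed (asked in post #1, answered by guesswork about running services in #2 and #4) can be settled from the data instead: every attribute and objectClass in the slapcat export has to be defined by some schema file the new slapd.conf includes, or slapadd will refuse the entry unless schema checking is switched off. The Python below is an added example, not code from the thread: it parses OpenLDAP schema syntax for the names each file defines, parses the LDIF export (unfolding continuation lines and decoding base64 values), and reports what is left over. The schema snippet uses fake OIDs, and the LDIF, including the bcsDhcpClient class and the ou=people and ou=dhcp containers, is constructed for the example.

```python
"""Added example (not from the thread): find attributes/objectClasses in a
slapcat export that no included schema file defines."""
import base64
import re

# Constructed stand-in for the standard schema files (fake OIDs, real
# attribute/objectclass names). Point the parser at the real files under
# /usr/local/etc/openldap/schema/ in practice.
SAMPLE_SCHEMA = """\
attributetype ( 1.1.1 NAME 'objectClass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributetype ( 1.1.2 NAME ( 'cn' 'commonName' ) SUP name )
attributetype ( 1.1.3 NAME ( 'sn' 'surname' ) SUP name )
attributetype ( 1.1.4 NAME ( 'dc' 'domainComponent' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.1.5 NAME 'uid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.1.6 NAME 'mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.1.7 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.1.8 NAME 'description' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.1.9 NAME 'uidNumber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.1.10 NAME 'gidNumber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.2.1 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 1.2.2 NAME 'dcObject' AUXILIARY MUST dc )
objectclass ( 1.2.3 NAME 'inetOrgPerson' SUP person STRUCTURAL MAY ( uid $ mail ) )
objectclass ( 1.2.4 NAME 'posixAccount' AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber ) )
"""

# Constructed LDIF in slapcat's output form; attribute names follow the index
# lines in the poster's old config. "bcsDhcpClient" is a made-up class.
SAMPLE_LDIF = """\
dn: dc=bcs,dc=com
objectClass: top
objectClass: dcObject
dc: bcs

dn: uid=jdoe,ou=people,dc=bcs,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 1001
gidNumber: 100
mail: jdoe@bcs.com
mailAlternateAddress: jane@bcs.com
description: slapcat folds long values at 76 columns and continues them on
  the next line with one leading space
userPassword:: c2VjcmV0

dn: cn=ws17,ou=dhcp,dc=bcs,dc=com
objectClass: top
objectClass: bcsDhcpClient
cn: ws17
cmac: 00:11:22:33:44:55
rccd: lab-1
"""

SCHEMA_DEF = re.compile(
    r"(?:attributetype|objectclass)\s*\(.*?NAME\s+(\([^)]*\)|'[^']*')",
    re.IGNORECASE | re.DOTALL)


def schema_names(schema_text):
    """Lower-cased names defined by attributetype/objectclass entries
    (LDAP names are case-insensitive; NAME may list several aliases)."""
    names = set()
    for token in SCHEMA_DEF.findall(schema_text):
        names.update(n.lower() for n in re.findall(r"'([^']+)'", token))
    return names


def ldif_entries(ldif_text):
    """Parse LDIF into [(dn, {attr: [values]})], unfolding continuation
    lines (leading space) and decoding base64 '::' values."""
    entries, block = [], []

    def flush():
        if not block:
            return
        dn, attrs = None, {}
        for line in block:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:  # drop attribute options such as ;binary
                attrs.setdefault(name.split(";")[0].lower(), []).append(value)
        entries.append((dn, attrs))
        block.clear()

    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and block:
            block[-1] += raw[1:]
        elif raw == "":
            flush()
        else:
            block.append(raw)
    flush()
    return entries


def unsupported_names(ldif_text, schema_texts):
    """(attributes, objectClasses) used in the export that none of the
    given schema texts define."""
    known = set()
    for text in schema_texts:
        known |= schema_names(text)
    attrs_used, classes_used = set(), set()
    for _dn, attrs in ldif_entries(ldif_text):
        attrs_used.update(attrs)
        classes_used.update(v.lower() for v in attrs.get("objectclass", []))
    return sorted(attrs_used - known), sorted(classes_used - known)


if __name__ == "__main__":
    attrs, classes = unsupported_names(SAMPLE_LDIF, [SAMPLE_SCHEMA])
    print("attributes needing an extra schema:", attrs)
    print("objectClasses needing an extra schema:", classes)
```

On the old server, slapcat -l export.ldif writes the LDIF; on the new one, run unsupported_names with that file and the text of every schema file named on an include line. Whatever is reported is what the extra schema files (qmaildhcp, RADIUS-LDAPv3) must supply, so copy across exactly those and leave out the rest. The index lines in the old config that name rccd, cmac and clientClass also need those attributes defined by a loaded schema, or slapd rejects the config; slaptest(8) on the new slapd.conf catches that before the first start.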
 
  

