We're having intermittent issues with our current LDAP box appearing to stop responding. As a precautionary measure, my company has decided to simultaneously replace the server (to eliminate possibility of hardware issues) and upgrade to the latest version of OpenLDAP. I am feeling as though I seriously got in over my head (2 very basic RHEL training classes and a bit of fumbling are the only experience I've got) I've tried scanning through a few LDAP tutorials, and googled LDAP migrations, but the closest info I found was for upgrading on the same box from say, 2.1 to 2.2 or 2.2 to 2.3, and I'm concerned that by using a completely separate server, we've added additional considerations.
I've installed Fedora Core 6 on my new server (old one was running core 2), applied all the patches/updates, and done my best to ensure it's not responding on any unnecessary ports (no sendmail, cups, telnet, etc.) I've run the installation for the OpenLDAP software as per the quick-start guide I found here http://www.openldap.org/doc/admin23/quickstart.html
and there were no issues. I've gotten to step #8 - Editing the config file, and now I'm starting to have some questions.
After digging out the instructions for vi again (I can use remote desktop type stuff to get into X, but it's hideously choppy, so I'm using an ssh connection) I started making changes. Here's the slapd.conf from the production server with my questions inserted:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 22.214.171.124 2001/09/27 20:00:31 kurt Exp $
I was initially informed that we're running version 2.2 something of LDAP. Does this actually indicate we're running an older version, and will that complicate this migration? (I'm wondering now if the person who told me that was confused about the version of Core vs. the version of LDAP software.)
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
None of the items in bold were listed in the new config. Some of these files are already in that directory, but the qmaildhcp.schema, sendmail.schema, and RADIUS-LDAPv3.schema are not. Does anyone have a link to a decent summary of what schema are (ldap man page didn't even mention them) so I can find out what these are for, and whether or not I need to copy them over, modify the existing ones, etc?
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
In the file I'm editing on the new server, these pathnames don't include "/var" I'm torn as to whether or not to change the paths listed so they match especially since I don't see a slapd.pid or slapd.args in either directory on the new server. (They are both in the appropriate directory on the old one.) Given the change in version, what would be the the best option: copy them from the existing server, or get them another way (are these files missing perhaps b/c I haven't finished the quick-start steps, like starting slapd?)
<snip> (removing a bunch of commented out stuff)
#suffix "o=My Organization Name,c=US"
#rootdn "cn=Manager,o=My Organization Name,c=US"
This bit varies from the new one... my understanding is that I should make the new one match the old one exactly - please let me know if this is patently incorrect.(following is what's in the new one, in case it matters):
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
I duplicated this pw in the new config.
# The database directory UST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
I am assuming (hate assuming) that I should modify the new config to match on this line, and will be putting the new database in this directory. This is what the new config states:
As there is not currently a openldap-ldbm directory, I would have to create it as well. Would this be the best course of action, or would it be better to import the database into the existing directory and leave this line in the new config as it stands?
# Indices to maintain
#index default eq
index objectClass pres,eq
index cn,rccd,cmac,mail,uid,clientClass,class pres,eq
index uidNumber,gidNumber,userPassword pres,eq
index mailLocalAddress,mailRoutingAddress,accountStatus pres,eq
index mailAlternateAddress pres,eq
#define a replica
replica host= <snip>
As these lines are not in the new config at all, would it be appropriate to add them in? Once I get through the process of setting up the config, I will probably also need some direction on a good way to actually move the database. Some of the recommendations I've seen for backup/restoration are utilities like slapcat, ldapbackup, etc. I haven't researched this part as thoroughly, but if anyone has any suggestions on where to direct my research on "phase 2" that would also be much appreciated.
Thanks to anyone that's read through all this - I know it's pretty darn long.