[Pkg-openldap-devel] OpenLDAP and cn=config.

Mathias Gug mathiaz at ubuntu.com
Tue Jun 3 03:45:14 UTC 2008


Hi Matthijs,

On Mon, Jun 02, 2008 at 11:58:11PM +0200, Matthijs Mohlmann wrote:
> Mathias: I saw that you wrote the initial draft for Ubuntu, probably you
> have some suggestions here, so please go ahead. :)

I've written up a specification [1] that I hope to get accepted for
Intrepid (the next release of Ubuntu due next October).

[1]: https://wiki.ubuntu.com/OpenLdapCnConfigMigration

> Migrating from the current slapd.conf to cn=config requires some steps.
> I've seen the following that needs to be done:
> 
> - Stop slapd
> - Add 'database config' to the slapd.conf
>   Add 'rootdn cn=admin,cn=config'
>   Eventually: Add 'rootpw somesecret'
> 
> - Create the slapd.d directory in /etc/ldap
> - Set the appropriate permissions as slapd wants to read / write there.
> - Convert the database with slaptest -f /etc/ldap/slapd.conf -F slapd.d
> - Move the current slapd.conf to a backup file.
> - Start slapd again.

That looks correct to me, although I haven't tested it yet.

> Questions:
> Should we ask the user what he wants ? I think the user needs a choice,
> does he want to use the cn=config feature or not.

Agreed. I'd ask a debconf question, defaulting to yes (i.e. accept the
migration).

> Should we create a backup first (databases and configuration). Yes I
> think so.
> 

Aren't the databases backed up on each upgrade by default?

By configuration, do you mean a backup of the /etc/ldap/ directory or
just slapd.conf?

> We need a fallback when the conversion to cn=config fails somehow. So
> falling back to the old behaviour with slapd.conf instead of cn=config
> is a good idea I think.
> 

Yes.

> I don't like the idea of adding 'rootpw somesecret' to the slapd.conf,
> maybe there is another way to set it. Quanah / Russ can you comment on
> this ?
> 

AFAIR you have to set a rootpw in slapd.conf in order to get slapd to
generate the configuration directory /etc/ldap/slapd.d/. Howard Chu
mentioned during a discussion at the Ubuntu Developer Summit that the
slapd.d directory won't be created if you don't set a username for the
config database. I haven't tested that either.


Are you planning to implement this change in the lenny timeframe?

Thanks,

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
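The migration steps quoted in this thread, written up as a shell script with the fallback to slapd.conf that Matthijs asks for. This is an added example, not code from the thread or from the Debian slapd package; it assumes the Debian/Ubuntu layout (/etc/ldap/slapd.conf, /etc/ldap/slapd.d, service "slapd" running as user "openldap") and stores the config rootpw as a hash produced by slappasswd rather than the clear-text 'somesecret'.

```shell
#!/bin/sh
# Added example (constructed for this page, not code from the thread or the
# Debian slapd package): the migration steps quoted above, plus the fallback
# to slapd.conf that Matthijs asks for. Assumes the Debian/Ubuntu layout
# (/etc/ldap, service "slapd" running as user "openldap"); slaptest and
# slappasswd ship with OpenLDAP.
set -eu

CONF=${CONF:-/etc/ldap/slapd.conf}
CONFDIR=${CONFDIR:-/etc/ldap/slapd.d}

# Append the config database stanza to slapd.conf, but only once.
# $2 is the rootpw already hashed ({SSHA}...), not the clear text
# 'somesecret' from the thread.
append_config_db() {
    conf=$1; hashed_pw=$2
    if grep -q '^database[[:space:]][[:space:]]*config' "$conf"; then
        return 0   # stanza already present, nothing to do
    fi
    printf '\n# cn=config backend, added by the migration\n' >> "$conf"
    printf 'database config\nrootdn cn=admin,cn=config\nrootpw %s\n' \
        "$hashed_pw" >> "$conf"
}

# Number of config-database stanzas in a slapd.conf (0 if none).
count_config_db() {
    grep -c '^database[[:space:]][[:space:]]*config' "$1" || true
}

migrate() {
    invoke-rc.d slapd stop
    cp -p "$CONF" "$CONF.bak"                    # backup before editing
    append_config_db "$CONF" "$(slappasswd -s "$1")"
    install -d -o openldap -g openldap -m 0750 "$CONFDIR"
    if slaptest -f "$CONF" -F "$CONFDIR"; then
        mv "$CONF" "$CONF.migrated"              # slapd.d is now in charge
    else
        # Fallback: discard the half-built slapd.d, restore slapd.conf.
        rm -rf "$CONFDIR"
        mv "$CONF.bak" "$CONF"
        echo "conversion failed, staying with slapd.conf" >&2
    fi
    invoke-rc.d slapd start
}

# Run the real migration only when a config rootpw is given on the command line.
if [ $# -eq 1 ]; then
    migrate "$1"
fi
```

Running it as root with the desired cn=config password as the single argument performs the migration; the helper functions can be exercised on a scratch copy of slapd.conf first.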