Symas OpenLDAP Knowledge Base

Symas OpenLDAP Gold, Silver, and Symas OpenLDAP for Linux Discontinued

With the release of OpenLDAP v2.5/6, development of OpenLDAP v2.4 has ceased. Version 2.4.59 is the final release of the 2.4 stream. OpenLDAP 2.5 is fully binary compatible with OpenLDAP 2.4. Generally, the LDAP Database does not need to be reloaded (see this list of exceptions when we find them :-O). No configuration changes.

Starting with OpenLDAP v2.5 Symas has discontinued distribution of the Symas OpenLDAP Gold, Silver, and Symas OpenLDAP for Linux (SOFL) packages. In their place, Symas now produces a single package freely available for all users. The current Symas OpenLDAP package is now “symas-openldap”. The new symas-openldap package contains everything from Symas OpenLDAP Gold and SOFL. It includes all advanced features that were exclusive to Symas OpenLDAP Gold as well as the new features.

What’s Different?

The OpenLDAP Project has changed its Support Policy. Formerly, only the most recent Release received Project Support (fixes and updates). Now, the Project will support two releases: a Long Term Support (LTS) Release and a current Feature Release.

The LTS release will receive fixes and updates related to the function present in its initial release. That support will continue for five years starting in January 2022. In three years (or sooner) the successor LTS Release will be announced so users can plan for an orderly upgrade.

The Feature Releases will contain new function and enhancements to older function. Users choosing to adopt a Feature Release will receive support for that release until the next Feature Release becomes available. At that time, an upgrade should be made. OpenLDAP 2.7 is in development and will become the current Feature Release, obsoleting OpenLDAP 2.6, sometime later in 2022.

Installation Structure

For Symas OpenLDAP For Linux Users

Symas OpenLDAP Gold and Silver users will see fewer differences between the older packages and symas-openldap. For information on upgrading, see the upgrade information on the repository site.

The main difference between SOFL and symas-openldap is the installation structure. The symas-openldap package is fully self-contained and installs everything (configuration, command line tools, dependencies) in the /opt/symas directory:

/opt
└── symas
    ├── bin          (user-level commands)
    ├── etc
    │   └── openldap (configuration, schema)
    ├── lib          (slapd)
    │   └── openldap (overlays/modules)
    ├── sbin         (administrative commands)
    ├── share
    │   ├── man      (manual pages)
    │   └── symas    (demo scripts)
    └── ssl          (certificate storage)

The advantage of the self-contained installation is that system/OS updates will never overwrite symas-openldap’s dependencies (OpenSSL, for example).

Slapd Configuration

Your slapd runtime configuration will need some changes to work with symas-openldap:

  • The include path to the standard schema files is now “/opt/symas/etc/openldap/schema”

  • If ppolicy is being used, the ppolicy schema must be removed from slapd.conf/cn=config

  • slapd.conf/cn=config needs to have the “pidfile/olcPidFile” path adjusted to /var/symas/run

  • slapd.conf/cn=config needs to have the “argsfile/olcArgsFile” path adjusted to /var/symas/run

  • slapd.conf/cn=config needs to have the “modulepath/olcModulePath” adjusted to “/opt/symas/lib/openldap”

  • If using a multi-provider replication environment, the “mirrormode/olcMirrorMode” keyword needs to be adjusted to “multiprovider/olcMultiProvider”

  • If the multival(hi/lo) feature is in use, the keyword needs to be changed to “multival/olcMultiVal”, and the configuration must be updated to the 2.5 syntax with the “default” keyword set:

    # Old slapd.conf settings:
    multivallo 10
    multivalhi 50
    
    # New slapd.conf setting:
    multival default 50,10
    
    # Old cn=config settings:
    olcMultiValLo: 10
    olcMultiValHi: 50
    
    # New cn=config setting:
    olcMultiVal: default 50,10
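
One way to check a legacy slapd.conf against the list above, as an added example that is not Symas's or the OpenLDAP Project's code. It covers slapd.conf only (not cn=config); the function names are hypothetical, and the sample fragment with its /old/prefix paths is constructed.

```python
import re
SCHEMA_DIR = "/opt/symas/etc/openldap/schema"
RUN_DIR = "/var/symas/run"
MODULE_DIR = "/opt/symas/lib/openldap"

def lint_slapd_conf(text):
    """Return (line_no, message) for each directive the list above says to change."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        # Skip blank lines, comments, and continuation lines (leading whitespace).
        if not raw.strip() or raw[0] in "# \t":
            continue
        parts = raw.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "include" and val.endswith("/ppolicy.schema"):
            findings.append((no, "remove the ppolicy schema include"))
        elif key == "include" and val.endswith(".schema") and not val.startswith(SCHEMA_DIR + "/"):
            findings.append((no, "include schema from " + SCHEMA_DIR))
        elif key in ("pidfile", "argsfile") and not val.startswith(RUN_DIR + "/"):
            findings.append((no, key + " should be under " + RUN_DIR))
        elif key == "modulepath" and val != MODULE_DIR:
            findings.append((no, "modulepath should be " + MODULE_DIR))
        elif key == "mirrormode":
            findings.append((no, "rename mirrormode to multiprovider"))
        elif key in ("multivallo", "multivalhi"):
            new = multival_line(text) or "multival default <hi>,<lo>"
            findings.append((no, "replace with: " + new))
    return findings

def multival_line(text):
    """Build the 2.5 'multival default <hi>,<lo>' line from the old lo/hi pair."""
    old = {k.lower(): v for k, v in re.findall(r"(?im)^multival(lo|hi)\s+(\d+)", text)}
    return "multival default {hi},{lo}".format(**old) if len(old) == 2 else None

# Constructed legacy fragment; /old/prefix is a placeholder, not a real path.
SAMPLE = """\
# legacy slapd.conf
include /old/prefix/schema/core.schema
include /old/prefix/schema/ppolicy.schema
pidfile /old/prefix/run/slapd.pid
argsfile /var/symas/run/slapd.args
modulepath /old/prefix/lib/openldap
mirrormode on
multivallo 10
multivalhi 50
"""
if __name__ == "__main__":
    print(*lint_slapd_conf(SAMPLE), sep="\n")
```

An empty result means none of the listed directives were found in their old form; it does not validate the rest of the configuration.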

The slapd startup configuration (USER, GROUP, EXTRA_SLAPD_ARGS) is now located in /etc/default/symas-openldap.

Utilities

The online LDAP command line utilities (ldapsearch, ldapadd, etc.) are now located in /opt/symas/bin.

The offline slapd command line utilities (slapadd, slapcat, etc.) are now located in /opt/symas/sbin.

The symas-openldap package contains several utilities for working with LMDB databases:

  • mdb_stat - Gets the status of LMDB databases
  • mdb_copy - Makes a safe copy of LMDB databases with optional compaction

Logging

The symas-openldap package includes enhanced logging, which provides elapsed execution time (etime) for all LDAP operations.

The 2.6.x packages include a new local logging feature:

  • Slapd log entries are written directly to file, bypassing rsyslog and its performance penalties
  • Log rotation is built in and configurable
  • Timestamp formats are configurable

More Information

For more information on upgrading to Symas OpenLDAP versions 2.5 or 2.6, see https://repo.symas.com/soldap2.5/upgrading/