Upgrade and Configure Symas OpenLDAP 2.6 Server with Replication on RHEL/CentOS 8
Learn how to upgrade and configure Symas OpenLDAP 2.6 server with replication on RHEL/CentOS 8 for robust, reliable directory services.
General Upgrade Procedures
Generally, you can add a node to an LDAP cluster without taking down the LDAP environment. A server with SOLD 2.4 will replicate with a SOLD 2.6 server, but this should only be temporary. The following scenario is for updating/upgrading during a maintenance window.
Change dc=example,dc=com to the root suffix of your environment.
Update Current Configuration
1. Back up the current configuration and database.
For nodes using a dynamic configuration (slapd.d):
slapcat -n 0 -l /tmp/slapd24-config.ldif
cp /tmp/slapd24-config.ldif /tmp/slapd26-config.ldif
For nodes using a static configuration (slapd.conf), from /opt/symas/etc/openldap:
cp slapd.conf slapd.conf.26
Back up the current database:
slapcat -b dc=example,dc=com -l /tmp/database.ldif
2. Uninstall the OpenLDAP 2.4 server and client binaries. Perform this step only if you are doing an "in place" upgrade.
a. For Symas OpenLDAP Gold, remove symas-openldap-gold.
b. For Symas OpenLDAP for Linux on RHEL, remove symas-openldap-clients and symas-openldap-servers.
3. To modify the existing configuration for SOLD 2.6, update the following lines:
General Updates
Dynamic Config
olcArgsFile: /var/symas/run/slapd.args
olcPidFile: /var/symas/run/slapd.pid
olcModulePath: /opt/symas/lib/openldap
Static Config
pidfile /var/symas/run/slapd.pid
argsfile /var/symas/run/slapd.args
modulepath /opt/symas/lib/openldap
If Using Multival
Dynamic Config
olcDbMultival: default 50,10
Static Config
multival default 50,10
If Using ppolicy
If the ppolicy (not ppolicy10) overlay is in use, then the ppolicy schema must be removed from the configuration file.
If Using ppolicy10
If the ppolicy10 (not ppolicy) overlay is in use, then all references to "ppolicy10" must be changed to "ppolicy" in the configuration file.
If Using pwdPolicyCheckModule
Update ppolicy entries by adding pwdPolicyUseCheckModule: TRUE and removing the "pwdCheckModule" attribute.
If Using OTP_2FA overlay
Any reference to "otp_2fa" in the configuration file must be replaced with "otp".
If Using remoteauth With TLS handling
remoteauth_tls_pin was renamed to remoteauth_tls_peerkey_hash.
The individual TLS configuration variables:
remoteauth_cacert_dir
remoteauth_cacert_file
remoteauth_starttls
remoteauth_validate_certs
are replaced with a single keyword:
remoteauth_tls
If Using pw-argon2.la
Replace pw-argon2.la with argon2.la (the module was renamed; "argaon2.la" is a typo).
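The renames above are mechanical, so they are easy to script and easy to check. The following is an added example, not part of the Symas page: two shell functions that apply the 2.4 to 2.6 edits to the slapd24-config.ldif produced in step 1 of the backup. The sample LDIF in the demo is constructed (the 2.4 paths and module list are made up); run only the pieces that apply to your configuration. The pwdCheckModule change lives in the pwdPolicy entries of the user database, not in cn=config, and is deliberately not automated here.

```sh
#!/bin/sh
# Added example, not part of the Symas page: apply the SOLD 2.4 -> 2.6 renames
# listed above to a slapcat'd dynamic-config LDIF (step 1, slapd24-config.ldif).
# The sample LDIF at the bottom is constructed for the demo.

# Rewrite the global paths and the module/overlay names. Reads LDIF on stdin,
# writes the rewritten LDIF on stdout. The last four rules are global so they
# also catch olcModuleLoad, olcOverlay and overlay-config attribute values.
sold26_rewrite_config() {
    sed -e 's|^olcArgsFile: .*|olcArgsFile: /var/symas/run/slapd.args|' \
        -e 's|^olcPidFile: .*|olcPidFile: /var/symas/run/slapd.pid|' \
        -e 's|^olcModulePath: .*|olcModulePath: /opt/symas/lib/openldap|' \
        -e 's|ppolicy10|ppolicy|g' \
        -e 's|otp_2fa|otp|g' \
        -e 's|pw-argon2\.la|argon2.la|g' \
        -e 's|remoteauth_tls_pin|remoteauth_tls_peerkey_hash|g'
}

# Remove the cn={N}ppolicy schema entry (only for configs that used the
# pre-2.5 ppolicy overlay). awk paragraph mode (RS="") makes each blank-line
# separated LDIF entry one record, so the whole entry is dropped, including
# wrapped continuation lines, and every other entry is passed through.
sold26_drop_ppolicy_schema() {
    awk 'BEGIN { RS = ""; ORS = "\n\n" }
         !/^dn: cn=[{][0-9]+[}]ppolicy,cn=schema,cn=config(\n|$)/'
}

# Number of entries in an LDIF stream, for a before/after sanity check.
ldif_entry_count() {
    grep -c '^dn: '
}

# Demo on a constructed 2.4 config excerpt (paths and module list are made up).
tmp=$(mktemp -d)
cat > "$tmp/slapd24-config.ldif" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/symas/lib64/openldap
olcModuleLoad: {0}ppolicy10.la
olcModuleLoad: {1}pw-argon2.la
olcModuleLoad: {2}otp_2fa.la

dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy

dn: olcOverlay={0}ppolicy10,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}ppolicy10
EOF

sold26_rewrite_config < "$tmp/slapd24-config.ldif" \
    | sold26_drop_ppolicy_schema > "$tmp/slapd26-config.ldif"

echo "entries before: $(ldif_entry_count < "$tmp/slapd24-config.ldif")"
echo "entries after:  $(ldif_entry_count < "$tmp/slapd26-config.ldif")"
cat "$tmp/slapd26-config.ldif"
rm -rf "$tmp"
```

Before loading the result in step 7, prove it parses by adding it into a scratch directory (mkdir /tmp/scratch.d; slapadd -F /tmp/scratch.d -n 0 -l /tmp/slapd26-config.ldif) and diff the rewritten file against the original so that every changed line is one you expected.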
Configuring LDAP server
Install Symas OpenLDAP on RHEL 8 Server
1. wget -q https://repo.symas.com/configs/SOLDAP/rhel8/release26.repo -O /etc/yum.repos.d/soldap-release26.repo
2. dnf update
3. dnf install symas-openldap-clients symas-openldap-servers
If you are performing an “in place” upgrade and logging is already enabled, skip to Setup OpenLDAP Environment.
Configure slapd Log and Rotation
Method 1
1. Add log values to slapd.conf
vi /opt/symas/etc/openldap/slapd.conf
Recommended Settings
logfile /var/log/slapd.log
logfile-format syslog-utc
logfile-only on
logfile-rotate 7 1000 24
More information can be found in the slapd.conf(5) man page: https://www.openldap.org/software/man.cgi?query=slapd.conf&manpath=OpenLDAP+2.6-Release
Method 2
1. Modify rsyslog.conf to redirect slapd messages to slapd.log
vi /etc/rsyslog.conf
Save slapd/solserver messages to slapd.log:
local4.* -/var/log/slapd.log
2. Create the slapd.log file
touch /var/log/slapd.log
3. Restart the rsyslog service
systemctl restart rsyslog.service
4. Create the log rotation configuration file
vi /etc/logrotate.d/slapd
/var/log/slapd.log {
    rotate 7
    daily
    missingok
    notifempty
    compress
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
Setup OpenLDAP Environment
Configure First Provider/Master
1. Create the main database directory, accesslog directory and configuration directory. Replace example and dc=example,dc=com with the values for your environment.
mkdir -p /var/symas/openldap-data/example
mkdir -p /var/symas/openldap-data/accesslog
mkdir -p /opt/symas/etc/openldap/slapd.d
The last line, mkdir -p /opt/symas/etc/openldap/slapd.d, is only needed for an environment using a dynamic configuration.
2. Sometimes it is necessary to provide more resources to the slapd process to override system limitations. Most commonly this is the number of file descriptors available to the process. The following is an example of how this is done with Symas OpenLDAP 2.6.
mkdir -p /etc/systemd/system/symas-openldap-server.service.d
3. Create the file override.conf
vi /etc/systemd/system/symas-openldap-server.service.d/override.conf
4. Add the following (this content allows the slapd process to have up to approximately 524,000 active connections):
[Service]
LimitNOFILE=524288
5. The systemd daemon must be reloaded for this to take effect:
sudo systemctl daemon-reload
6. By default, the slapd process runs as the root user and listens on ldap:/// and ldapi:///. To change these settings, edit the systemd override file /etc/default/symas-openldap:
vi /etc/default/symas-openldap
SLAPD_URLS="ldap:/// ldaps:/// ldapi:///"
Options that can be overridden:
SLAPD_URLS - URLS to listen on
SLAPD_OPTIONS - Additional options to pass to slapd, including user and group
For example, to listen on the ldap, ldaps, and ldapi ports and socket:
SLAPD_URLS="ldap:/// ldaps:/// ldapi:///"
To run as the user and group ldap:
SLAPD_OPTIONS="-u ldap -g ldap"
7. Load the configuration file to the environment:
Dynamic Configuration:
slapadd -F /opt/symas/etc/openldap/slapd.d -n 0 -l /tmp/slapd26-config.ldif
Static Configuration:
cp slapd.conf.26 /opt/symas/etc/openldap/slapd.conf
8. Load the database:
slapadd -q -F /opt/symas/etc/openldap/slapd.d -b dc=example,dc=com -l /tmp/database.ldif
9. Start the slapd service (the Symas unit is symas-openldap-server, the same unit the override directory above belongs to):
systemctl start symas-openldap-server
10. Perform a `slapcat` of the database that will be loaded on the next server.
slapcat -b dc=example,dc=com -l /tmp/db_backup.ldif
Please note: the 'olcServerID' must be unique on all provider/master servers.
If the data needs to be validated, use the slapadd command with the proper -o options, for example:
/opt/symas/bin/slapadd -o schema-check=yes -o value-check=yes -b dc=example,dc=com -l database.ldif
This significantly increases the database load time but performs more data integrity checks, which helps avoid replication issues.
Configure Second Provider/Master
1. Perform steps 1 through 7 from the Configure First Provider/Master section.
2. Make sure that the appropriate changes have been made to the configuration:
a. olcServerID / serverID must be unique.
b. olcTLSCertificateFile / TLSCertificateFile and olcTLSCertificateKeyFile / TLSCertificateKeyFile must use the certificate issued for this server.
c. olcSyncrepl / syncrepl stanza must list the correct server(s).
3. Load the database that was created in the previous section (Step 10 in Configure First Provider/Master):
slapadd -q -b dc=example,dc=com -l /tmp/db_backup.ldif
4. Start the slapd service.
6. Verify that the servers are replicating by making a change on both, and verify those changes are reflected on each server.
Configure Replica(s)/Slave(s)
1. Perform steps 1 through 7 from the Configure First Provider/Master section
2. Make sure that the appropriate changes have been made to the configuration:
a. olcTLSCertificateFile / TLSCertificateFile and olcTLSCertificateKeyFile / TLSCertificateKeyFile must use the certificate issued for this server.
b. olcSyncrepl / syncrepl stanza must list the correct server(s).
3. Load the database that was created in the previous section (Step 10 in Configure First Provider/Master):
slapadd -q -b dc=example,dc=com -l /tmp/db_backup.ldif
4. Start the slapd service.
5. Verify that the servers are replicating by making a change on a provider, and verifying the data is correct on the replica/slave.
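Making a test change and looking for it on the other side works, but it only samples one entry at one moment. Syncrepl keeps a contextCSN per serverID on every server, and when the cluster has converged all servers hold the same set, which makes a stronger check for both the provider/provider verification above and this replica one. The following is an added example, not part of the Symas page: the ldapsearch call is the real query, the host names are placeholders, and the ldapsearch output in the demo is constructed.

```sh
#!/bin/sh
# Added example, not part of the Symas page: check that providers and replicas
# have converged by comparing contextCSN values, which syncrepl maintains per
# serverID on every server. Host names are placeholders; the ldapsearch
# output used in the demo is constructed.

# Real query for one server. Assumes anonymous read access to the base entry
# (swap -x for -D/-W, or -Y EXTERNAL over ldapi:///, as your ACLs require).
fetch_csns() {   # $1 = LDAP URI, e.g. ldap://ldap1.example.com
    ldapsearch -LLL -x -o ldif-wrap=no -H "$1" \
        -b dc=example,dc=com -s base contextCSN
}

# Reduce ldapsearch output to "sid csn" lines, one per replication serverID.
# contextCSN layout: 20240102030405.123456Z#000000#001#000000
#                    timestamp             #count #sid#mod ; sid = olcServerID (hex)
parse_csns() {
    sed -n 's/^contextCSN: //p' | awk -F'#' '{ print $3, $0 }' | LC_ALL=C sort
}

# Distinct serverIDs seen. On a multi-provider cluster this should equal the
# number of providers that have accepted writes; fewer means two providers
# share an olcServerID, which the page requires to be unique.
distinct_sids() {
    awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# 0 when both parsed CSN lists are identical, 1 (with the diff on stderr) otherwise.
csns_in_sync() {   # $1 $2 = files written by parse_csns
    if cmp -s "$1" "$2"; then
        return 0
    fi
    echo "contextCSN mismatch between $1 and $2:" >&2
    diff "$1" "$2" >&2 || :
    return 1
}

# Demo on constructed output from two servers after convergence.
tmp=$(mktemp -d)
cat > "$tmp/ldap1.raw" <<'EOF'
dn: dc=example,dc=com
contextCSN: 20240102030405.123456Z#000000#001#000000
contextCSN: 20240102030410.654321Z#000000#002#000000
EOF
cat > "$tmp/ldap2.raw" <<'EOF'
dn: dc=example,dc=com
contextCSN: 20240102030410.654321Z#000000#002#000000
contextCSN: 20240102030405.123456Z#000000#001#000000
EOF
parse_csns < "$tmp/ldap1.raw" > "$tmp/ldap1.csn"
parse_csns < "$tmp/ldap2.raw" > "$tmp/ldap2.csn"
if csns_in_sync "$tmp/ldap1.csn" "$tmp/ldap2.csn"; then
    echo "in sync; $(distinct_sids < "$tmp/ldap1.csn") provider serverID(s) seen"
fi
rm -rf "$tmp"
# Live use: fetch_csns ldap://ldap1 | parse_csns > /tmp/a.csn (and /tmp/b.csn),
# then csns_in_sync /tmp/a.csn /tmp/b.csn; re-run after a few seconds if behind.
```

A replica that is still catching up shows an older timestamp for one serverID rather than a missing line, so a mismatch right after a write is expected; a mismatch that persists, or a serverID count lower than the number of providers, points at the syncrepl stanza or at a duplicated olcServerID from step 2.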