appendix-upgrading.sdf   [plain text]

# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.5 2008/05/20 00:17:58 quanah Exp $
# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Upgrading from 2.3.x

The following sections attempt to document the steps you will need to take in order 
to upgrade from the latest 2.3.x OpenLDAP version.

The normal upgrade procedure, as discussed in the {{SECT:Maintenance}} section, should 
of course still be followed prior to doing any of this.

H2: Monitor Backend

Note: This is a temporary requirement and is subject to change over the next 2.4.x beta release cycle

A monitor ({{slapd-monitor(5)}}) now needs a {{rootdn}} entry. If you do not have
one, {{slapd}} will fail to start up with an error message like so:

>           monitor_back_register_entry_attrs(""): base="cn=databases,cn=monitor" scope=one
>           filter="(namingContexts:distinguishedNameMatch:=dc=example,dc=com)": unable to find entry
>           backend_startup_one: bi_db_open failed! (1)
>           slap_startup failed (test would succeed using the -u switch)

Here is a complete {{database monitor}} example:


>           database monitor
>           rootdn cn=monitor
>           rootpw change_me


H2: {{B:cn=config}} olc* attributes

Quite a few {{olc*}} attributes have now become obsolete, if you see in your logs 
entries like below, just remove them from the relevant ldif file.

>           olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)

H2: ACLs: searches require privileges on the search base

Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
bases.

For example, assuming you have the following ACL:

>           access to dn.sub="ou=people,dc=example,dc=com" by * search

Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:

>           access to dn.base="dc=example,dc=com" attrs=entry by * search

Note: The {{slapd.access}}(5) man page states that this requirement was introduced
with OpenLDAP 2.3. However, it is the default behavior only since 2.4.



ADD MORE HERE