openldap/doc/guide/admin/appendix-upgrading.sdf

# $OpenLDAP$
# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Upgrading from 2.3.x

The following sections attempt to document the steps you will need to take in order 
to upgrade from the latest 2.3.x OpenLDAP version.

The normal upgrade procedure, as discussed in the {{SECT:Maintenance}} section, should 
of course still be followed prior to doing any of this.

H2: Monitor Backend

Note: This is a temporary requirement and is subject to change over the next 2.4.x beta release cycle

A monitor ({{slapd-monitor(5)}}) now needs a {{rootdn}} entry. If you do not have
one, {{slapd}} will fail to start up with an error message like so:

>           monitor_back_register_entry_attrs(""): base="cn=databases,cn=monitor" scope=one
>           filter="(namingContexts:distinguishedNameMatch:=dc=example,dc=com)": unable to find entry
>           backend_startup_one: bi_db_open failed! (1)
>           slap_startup failed (test would succeed using the -u switch)

Here is a complete {{database monitor}} example:


>           database monitor
>           rootdn cn=monitor
>           rootpw change_me


H2: {{B:cn=config}} olc* attributes

Quite a few {{olc*}} attributes have now become obsolete, if you see in your logs 
entries like below, just remove them from the relevant ldif file.

>           olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)

H2: ACLs: searches require privileges on the search base

Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
bases.

For example, assuming you have the following ACL:

>           access to dn.sub="ou=people,dc=example,dc=com" by * search

Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:

>           access to dn.base="dc=example,dc=com" attrs=entry by * search

Note: The {{slapd.access}}(5) man page states that this requirement was introduced
with OpenLDAP 2.3. However, it is the default behavior only since 2.4.


ADD MORE HERE
Upgrading from 2.3.x Appendix added. Please comment. 2007-09-04 06:59:36 +08:00			`# $OpenLDAP$`
Update copyright notices 2009-01-22 08:40:04 +08:00			`# Copyright 2007-2009 The OpenLDAP Foundation, All Rights Reserved.`
Upgrading from 2.3.x Appendix added. Please comment. 2007-09-04 06:59:36 +08:00			`# COPYING RESTRICTIONS APPLY, see COPYRIGHT.`

			`H1: Upgrading from 2.3.x`

			`The following sections attempt to document the steps you will need to take in order`
			`to upgrade from the latest 2.3.x OpenLDAP version.`

			`The normal upgrade procedure, as discussed in the {{SECT:Maintenance}} section, should`
			`of course still be followed prior to doing any of this.`

			`H2: Monitor Backend`

			`Note: This is a temporary requirement and is subject to change over the next 2.4.x beta release cycle`

			`A monitor ({{slapd-monitor(5)}}) now needs a {{rootdn}} entry. If you do not have`
			`one, {{slapd}} will fail to start up with an error message like so:`

			`> monitor_back_register_entry_attrs(""): base="cn=databases,cn=monitor" scope=one`
			`> filter="(namingContexts:distinguishedNameMatch:=dc=example,dc=com)": unable to find entry`
			`> backend_startup_one: bi_db_open failed! (1)`
			`> slap_startup failed (test would succeed using the -u switch)`

			`Here is a complete {{database monitor}} example:`


			`> database monitor`
			`> rootdn cn=monitor`
			`> rootpw change_me`


			`H2: {{B:cn=config}} olc* attributes`

			`Quite a few {{olc*}} attributes have now become obsolete, if you see in your logs`
			`entries like below, just remove them from the relevant ldif file.`

			`> olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)`

ITS#5512 Doc contribution for search privileges in 2.4 2008-05-16 05:35:13 +08:00			`H2: ACLs: searches require privileges on the search base`

			`Search operations now require "search" privileges on the "entry" pseudo-attribute of the search`
			`base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search`
			`bases.`

			`For example, assuming you have the following ACL:`

			`> access to dn.sub="ou=people,dc=example,dc=com" by * search`

			`Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:`

			`> access to dn.base="dc=example,dc=com" attrs=entry by * search`

			`Note: The {{slapd.access}}(5) man page states that this requirement was introduced`
			`with OpenLDAP 2.3. However, it is the default behavior only since 2.4.`
Upgrading from 2.3.x Appendix added. Please comment. 2007-09-04 06:59:36 +08:00


			`ADD MORE HERE`