Merge lp:~ahasenack/serverguide/default-backend-is-mdb-1689649 into lp:serverguide/trunk

Proposed by Andreas Hasenack
Status: Merged
Approved by: Doug Smythies
Approved revision: 332
Merged at revision: 322
Proposed branch: lp:~ahasenack/serverguide/default-backend-is-mdb-1689649
Merge into: lp:serverguide/trunk
Diff against target: 320 lines (+47/-62)
1 file modified
serverguide/C/network-auth.xml (+47/-62)
To merge this branch: bzr merge lp:~ahasenack/serverguide/default-backend-is-mdb-1689649
Reviewer Review Type Date Requested Status
Doug Smythies Approve
Review via email: mp+323855@code.launchpad.net

Description of the change

Change references to HDB with references to MDB, since MDB is the default backend in openldap-server in xenial.

I tried to keep drive-by changes to a minimum here, and open new bugs where bigger changes were needed (like #1689809 for ACLs), but some changes were small enough to make here, mostly in command outputs:
- updated shown content of /etc/ldap/slapd.d
- removed note about bug #1689809 since it's fixed already
- in the example that adds an index, changed the index from "uid" to "mail", since an index for the uid attribute is already created by default when the package is installed
- changed the output of the ldapsearch command that shows the existing indexes, because the slapd package now installs some indexes by default
- when adding the corba schema, changed the output of the commands because we now get a different index number for it

The replication section had a few more changes because of the switch to MDB:
- the apparmor changes and restarts are no longer needed (I tested it)
- the MDB database/backend doesn't require a DB_CONFIG file, so the instructions to copy it over to the accesslog directory were removed

Finally, I changed the indentation of the olcSyncRepl attribute contents to start with two spaces instead of one. It's easier to show why than to explain:

This:
foobar: this is a line
 continuation

If there is no whitespace after the word "line" above, this becomes:
foobar: this is a linecontinuation

It's a very easy and confusing mistake to make when one copies and pastes blocks of text from documentation, because the ending whitespace in the line above doesn't show. The error looks like (missing whitespace just before credentials):
 additional info: Error: parse_syncrepl_line: unable to parse "binddn="cn=admin,dc=example,dc=com"credentials=secret searchbase=dc=example,dc=com"
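
The folding trap described above, as an added example that is not part of the proposal or of the server guide: an RFC 2849 unfolder plus a small parser for the syncrepl directive that fails the way slapd's parse_syncrepl_line does when a quoted value runs straight into the next keyword. The LDIF strings are constructed here from the values in the consumer configuration in the diff; the keyword list is the one documented in slapd.conf(5) for syncrepl. Nothing talks to a server.

```python
"""Unfold LDIF continuation lines and parse an olcSyncRepl value the way
slapd does, to show how one missing space turns two keywords into one token.
Added example; the LDIF strings below are constructed, not server output."""

# Keywords accepted in a syncrepl directive (slapd.conf(5)).  Anything else
# is reported the way slapd reports it: "unable to parse <token>".
SYNCREPL_KEYWORDS = frozenset({
    "rid", "provider", "searchbase", "type", "interval", "retry", "filter",
    "scope", "attrs", "exattrs", "attrsonly", "sizelimit", "timelimit",
    "schemachecking", "network-timeout", "timeout", "bindmethod", "binddn",
    "saslmech", "authcid", "authzid", "credentials", "realm", "secprops",
    "keepalive", "starttls", "tls_cert", "tls_key", "tls_cacert",
    "tls_cacertdir", "tls_reqcert", "tls_cipher_suite", "tls_crlcheck",
    "tls_protocol_min", "suffixmassage", "logbase", "logfilter", "syncdata",
})


def unfold_ldif(text):
    """Join RFC 2849 continuation lines.

    A line starting with exactly one space continues the previous line; that
    one space is removed and the rest is appended verbatim.  With a one-space
    indent the separator must therefore be a trailing space on the line above
    (invisible in most editors); a two-space indent carries its own separator.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_value(lines, name):
    """Value of the first attribute called `name` in already unfolded lines."""
    prefix = name + ":"
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    raise KeyError(name)


def split_directive(value):
    """Split on whitespace outside double quotes, keeping the quotes.

    Close enough to slapd's tokenizer to reproduce its error: only whitespace
    ends a token, so binddn="..."credentials=secret stays a single token.
    """
    tokens, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unable to parse: unterminated quote")
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_syncrepl(value):
    """Parse `keyword=value ...` into a dict, rejecting malformed tokens."""
    params = {}
    for tok in split_directive(value):
        key, sep, val = tok.partition("=")
        if not sep or key not in SYNCREPL_KEYWORDS:
            raise ValueError(f"unable to parse {tok!r}")
        if '"' in val:
            # A quoted value must be quoted as a whole; text after the closing
            # quote is the glued-keyword mistake from the folding error.
            if not (len(val) >= 2 and val[0] == '"' and val[-1] == '"'
                    and '"' not in val[1:-1]):
                raise ValueError(f"unable to parse {tok!r}")
            val = val[1:-1]
        params[key] = val
    return params


def check_syncrepl_ldif(text):
    """Parsed directive on success, otherwise the error text as a string."""
    try:
        return parse_syncrepl(attribute_value(unfold_ldif(text), "olcSyncRepl"))
    except (KeyError, ValueError) as exc:
        return str(exc)


# Constructed samples built from the consumer configuration in the diff.
# GOOD uses the two-space indent the proposal adopts; BAD folds the second
# line with one space and no trailing space on the line above.
GOOD_LDIF = (
    "dn: olcDatabase={1}mdb,cn=config\n"
    "changetype: modify\n"
    "add: olcSyncRepl\n"
    "olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple"
    ' binddn="cn=admin,dc=example,dc=com"\n'
    '  credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"\n'
    '  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on\n'
    '  type=refreshAndPersist retry="60 +" syncdata=accesslog\n'
)
BAD_LDIF = GOOD_LDIF.replace("\n  credentials", "\n credentials")

if __name__ == "__main__":
    print(unfold_ldif("foobar: this is a line\n continuation"))
    print(check_syncrepl_ldif(GOOD_LDIF)["credentials"])
    print(check_syncrepl_ldif(BAD_LDIF))
```

Running the module prints the glued `linecontinuation` line, then `secret` for the well-folded LDIF, and for the badly folded one an `unable to parse 'binddn="cn=admin,dc=example,dc=com"credentials=secret'` message of the same shape as the slapd error quoted above. Checking an LDIF file this way before feeding it to ldapmodify is cheaper than reading slapd's log after the fact.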

Revision history for this message
Doug Smythies (dsmythies) wrote :

O.K. thanks again.

review: Approve

Preview Diff

=== modified file 'serverguide/C/network-auth.xml'
--- serverguide/C/network-auth.xml 2017-05-09 23:10:32 +0000
+++ serverguide/C/network-auth.xml 2017-05-10 14:07:57 +0000
@@ -225,19 +225,19 @@
225<screen>225<screen>
226<computeroutput>226<computeroutput>
227 /etc/ldap/slapd.d/227 /etc/ldap/slapd.d/
228 /etc/ldap/slapd.d/cn=config.ldif
228 /etc/ldap/slapd.d/cn=config229 /etc/ldap/slapd.d/cn=config
229 /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
230 /etc/ldap/slapd.d/cn=config/cn=schema230 /etc/ldap/slapd.d/cn=config/cn=schema
231 /etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
231 /etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif232 /etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
232 /etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
233 /etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif233 /etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
234 /etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif234 /etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
235 /etc/ldap/slapd.d/cn=config/cn=schema.ldif235 /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
236 /etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif
237 /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif236 /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
238 /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif237 /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
239 /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif238 /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
240 /etc/ldap/slapd.d/cn=config.ldif239 /etc/ldap/slapd.d/cn=config/olcBackend={0}mdb.ldif
240 /etc/ldap/slapd.d/cn=config/cn=schema.ldif
241</computeroutput>241</computeroutput>
242</screen>242</screen>
243243
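Review bot: the new listing is no longer sorted (cn=config.ldif now follows slapd.d/ directly, and cn=schema.ldif and olcBackend={0}mdb.ldif trail the olcDatabase entries), whereas the old listing was alphabetical. If this is raw `find` output, either pipe it through `sort` or name the command that produced it, so a reader comparing against their own system does not wonder whether the order carries meaning. The substitution itself (olcBackend={0}hdb.ldif and olcDatabase={1}hdb.ldif replaced by their mdb counterparts) matches the description.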
@@ -254,12 +254,6 @@
254 This is what the slapd-config DIT looks like via the LDAP protocol:254 This is what the slapd-config DIT looks like via the LDAP protocol:
255 </para>255 </para>
256256
257<caution>
258 <para>
259 On Ubuntu server 14.10, and possibly higher, the following command may not work due to a <ulink url="https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1392018">bug</ulink>
260 </para>
261</caution>
262
263<screen>257<screen>
264<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command>258<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command>
265<computeroutput>259<computeroutput>
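Review bot: the caution being dropped cites apparmor bug 1392018, but the merge description says the removed note was about bug #1689809; correct one of the two so the history stays traceable. Dropping the caution is only right if `ldapsearch -Y EXTERNAL -H ldapi:///` now works on every release the guide still covers; a short note in the description of where it was verified would help the next editor.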
@@ -277,13 +271,13 @@
277271
278dn: cn={3}inetorgperson,cn=schema,cn=config272dn: cn={3}inetorgperson,cn=schema,cn=config
279273
280dn: olcBackend={0}hdb,cn=config274dn: olcBackend={0}mdb,cn=config
281275
282dn: olcDatabase={-1}frontend,cn=config276dn: olcDatabase={-1}frontend,cn=config
283277
284dn: olcDatabase={0}config,cn=config278dn: olcDatabase={0}config,cn=config
285279
286dn: olcDatabase={1}hdb,cn=config280dn: olcDatabase={1}mdb,cn=config
287</computeroutput>281</computeroutput>
288</screen>282</screen>
289283
@@ -337,7 +331,7 @@
337331
338 <listitem>332 <listitem>
339 <para>333 <para>
340 <emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage type334 <emphasis>olcBackend={0}mdb,cn=config</emphasis>: the 'mdb' backend storage type
341 </para>335 </para>
342 </listitem>336 </listitem>
343337
@@ -355,7 +349,7 @@
355349
356 <listitem>350 <listitem>
357 <para>351 <para>
358 <emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance (dc=examle,dc=com)352 <emphasis>olcDatabase={1}mdb,cn=config</emphasis>: your database instance (dc=example,dc=com)
359 </para>353 </para>
360 </listitem>354 </listitem>
361 355
@@ -559,14 +553,14 @@
559553
560 <listitem>554 <listitem>
561 <para>555 <para>
562 Use <application>ldapmodify</application> to add an "Index" (DbIndex attribute) to your <application>{1}hdb,cn=config</application>556 Use <application>ldapmodify</application> to add an "Index" (DbIndex attribute) to your <application>{1}mdb,cn=config</application>
563 database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents: 557 database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents:
564 </para>558 </para>
565559
566<programlisting>560<programlisting>
567dn: olcDatabase={1}hdb,cn=config561dn: olcDatabase={1}mdb,cn=config
568add: olcDbIndex562add: olcDbIndex
569olcDbIndex: uid eq,pres,sub563olcDbIndex: mail eq,sub
570</programlisting>564</programlisting>
571565
572 <para>566 <para>
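Review bot: the index is now on `mail`, but the file is still called `uid_index.ldif` here and in the `ldapmodify -f uid_index.ldif` command in the next hunk, which will confuse a reader following along; rename it to `mail_index.ldif` in both places. It would also help to carry the reason given in the description into the guide text, namely that the package already indexes `uid`, so the reader is not tempted to add it a second time and hit an error about an existing value.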
@@ -576,7 +570,7 @@
576<screen>570<screen>
577<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command>571<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command>
578<computeroutput>572<computeroutput>
579modifying entry "olcDatabase={1}hdb,cn=config"573modifying entry "olcDatabase={1}mdb,cn=config"
580</computeroutput>574</computeroutput>
581</screen>575</screen>
582576
@@ -586,11 +580,14 @@
586580
587<screen>581<screen>
588<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \582<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
589cn=config '(olcDatabase={1}hdb)' olcDbIndex</command>583cn=config '(olcDatabase={1}mdb)' olcDbIndex</command>
590<computeroutput>584<computeroutput>
591dn: olcDatabase={1}hdb,cn=config585dn: olcDatabase={1}mdb,cn=config
592olcDbIndex: objectClass eq586olcDbIndex: objectClass eq
593olcDbIndex: uid eq,pres,sub587olcDbIndex: cn,uid eq
588olcDbIndex: uidNumber,gidNumber eq
589olcDbIndex: member,memberUid eq
590olcDbIndex: mail eq,sub
594</computeroutput>591</computeroutput>
595</screen>592</screen>
596593
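Review bot: the new output lists the indexes the slapd package sets up by default (`cn,uid`, `uidNumber,gidNumber`, `member,memberUid`) next to the one just added, but nothing in the surrounding text says so; add a sentence that those extra lines are package defaults and may differ on another release or on a database created by hand, so a reader whose output does not match does not conclude the ldapmodify failed.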
@@ -681,7 +678,7 @@
681<screen>678<screen>
682<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema</command>679<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema</command>
683<computeroutput>680<computeroutput>
684cn={1}corba,cn=schema,cn=config681cn={2}corba,cn=schema,cn=config
685</computeroutput>682</computeroutput>
686</screen>683</screen>
687684
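Review bot: `{2}` is only what you get when corba happens to be the third schema listed in schema_convert.conf; the number is positional and changes with the include order. Rather than hard-coding {2} in this grep output and in the `slapcat -H ldap:///cn={2}corba,...` URL in the next hunk, tell the reader to take the number from the grep output they actually see.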
@@ -701,7 +698,7 @@
701698
702<screen>699<screen>
703<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H \700<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H \
704ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif</command>701ldap:///cn={2}corba,cn=schema,cn=config -l cn=corba.ldif</command>
705</screen>702</screen>
706703
707 <para>704 <para>
@@ -889,7 +886,7 @@
889886
890<programlisting>887<programlisting>
891# Add indexes to the frontend db.888# Add indexes to the frontend db.
892dn: olcDatabase={1}hdb,cn=config889dn: olcDatabase={1}mdb,cn=config
893changetype: modify890changetype: modify
894add: olcDbIndex891add: olcDbIndex
895olcDbIndex: entryCSN eq892olcDbIndex: entryCSN eq
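Review bot: the comment `# Add indexes to the frontend db.` is misleading now that the DN under it is olcDatabase={1}mdb,cn=config; in slapd-config the frontend is olcDatabase={-1}frontend, and the entryCSN index goes on the primary data database. Suggest `# Add indexes to the primary db.` to match the comments used for the other blocks in this file.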
@@ -907,10 +904,10 @@
907olcModuleLoad: accesslog904olcModuleLoad: accesslog
908905
909# Accesslog database definitions906# Accesslog database definitions
910dn: olcDatabase={2}hdb,cn=config907dn: olcDatabase={2}mdb,cn=config
911objectClass: olcDatabaseConfig908objectClass: olcDatabaseConfig
912objectClass: olcHdbConfig909objectClass: olcMdbConfig
913olcDatabase: {2}hdb910olcDatabase: {2}mdb
914olcDbDirectory: /var/lib/ldap/accesslog911olcDbDirectory: /var/lib/ldap/accesslog
915olcSuffix: cn=accesslog912olcSuffix: cn=accesslog
916olcRootDN: cn=admin,dc=example,dc=com913olcRootDN: cn=admin,dc=example,dc=com
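Review bot: with the definition switched to olcMdbConfig, this accesslog database sets no olcDbMaxSize. Unlike hdb, mdb's map size is fixed and defaults to 10 MiB (`maxsize` in slapd-mdb(5)); an accesslog that records every write will fill that and then fail with MDB_MAP_FULL. Add an explicit `olcDbMaxSize:` line sized for the expected write volume, and check that the guide does the same for the primary {1}mdb database.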
@@ -918,7 +915,7 @@
918olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart915olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
919916
920# Accesslog db syncprov.917# Accesslog db syncprov.
921dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config918dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
922changetype: add919changetype: add
923objectClass: olcOverlayConfig920objectClass: olcOverlayConfig
924objectClass: olcSyncProvConfig921objectClass: olcSyncProvConfig
@@ -927,7 +924,7 @@
927olcSpReloadHint: TRUE924olcSpReloadHint: TRUE
928925
929# syncrepl Provider for primary db926# syncrepl Provider for primary db
930dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config927dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
931changetype: add928changetype: add
932objectClass: olcOverlayConfig929objectClass: olcOverlayConfig
933objectClass: olcSyncProvConfig930objectClass: olcSyncProvConfig
@@ -935,7 +932,7 @@
935olcSpNoPresent: TRUE932olcSpNoPresent: TRUE
936933
937# accesslog overlay definitions for primary db934# accesslog overlay definitions for primary db
938dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config935dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
939objectClass: olcOverlayConfig936objectClass: olcOverlayConfig
940objectClass: olcAccessLogConfig937objectClass: olcAccessLogConfig
941olcOverlay: accesslog938olcOverlay: accesslog
@@ -953,36 +950,24 @@
953 </step>950 </step>
954951
955 <step>952 <step>
956 <para>953
957 The <application>apparmor</application> profile for slapd will not need to be adjusted for the 954 <para>
958 accesslog database location since <filename>/etc/apparmor.d/local/usr.sbin.slapd</filename> contains:955 Create a directory:
959 </para>
960
961<programlisting>
962/var/lib/ldap/ r,
963/var/lib/ldap/** rwk,
964</programlisting>
965
966 <para>
967 Create a directory, set up a databse config file, and reload the apparmor profile:
968 </para>956 </para>
969957
970<screen>958<screen>
971<command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command>959<command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command>
972<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog</command>
973<command>sudo systemctl reload apparmor.service</command>
974</screen>960</screen>
975961
976 </step>962 </step>
977963
978 <step>964 <step>
979 <para>965 <para>
980 Add the new content and, due to the apparmor change, restart the daemon:966 Add the new content:
981 </para>967 </para>
982968
983<screen>969<screen>
984<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command>970<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command>
985<command>sudo systemctl restart slapd.service</command>
986</screen>971</screen>
987972
988 </step>973 </step>
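Review bot: dropping the whole apparmor paragraph also drops the one fact in it worth keeping, that /etc/apparmor.d/local/usr.sbin.slapd already grants `/var/lib/ldap/** rwk`, which is why no profile change is needed; a single sentence to that effect tells a reader who puts the accesslog somewhere else where to look when slapd is denied. Removing the DB_CONFIG copy is right for mdb, and removing `systemctl restart slapd.service` is fine since changes added through ldapadd to cn=config take effect live. Minor: the new `<step>` has a stray blank line before `<para>`.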
@@ -1007,7 +992,7 @@
1007 <step>992 <step>
1008 <para>993 <para>
1009 Install the software by going through <xref linkend="openldap-server-installation"/>. Make sure the slapd-config994 Install the software by going through <xref linkend="openldap-server-installation"/>. Make sure the slapd-config
1010 databse is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same.995 database is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same.
1011 </para>996 </para>
1012 </step>997 </step>
1013998
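Review bot: only the first `databse` on this line is fixed; the new line still reads "the databse suffix are the same". Fix the second occurrence in the same change.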
@@ -1022,16 +1007,16 @@
1022add: olcModuleLoad1007add: olcModuleLoad
1023olcModuleLoad: syncprov1008olcModuleLoad: syncprov
10241009
1025dn: olcDatabase={1}hdb,cn=config1010dn: olcDatabase={1}mdb,cn=config
1026changetype: modify1011changetype: modify
1027add: olcDbIndex1012add: olcDbIndex
1028olcDbIndex: entryUUID eq1013olcDbIndex: entryUUID eq
1029-1014-
1030add: olcSyncRepl1015add: olcSyncRepl
1031olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com" 1016olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com"
1032 credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog" 1017 credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"
1033 logfilter="(&amp;(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on 1018 logfilter="(&amp;(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
1034 type=refreshAndPersist retry="60 +" syncdata=accesslog1019 type=refreshAndPersist retry="60 +" syncdata=accesslog
1035-1020-
1036add: olcUpdateRef1021add: olcUpdateRef
1037olcUpdateRef: ldap://ldap01.example.com1022olcUpdateRef: ldap://ldap01.example.com
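Review bot: the two-space continuation indent fixes the folding trap, but the directive itself still has the consumer bind as the provider's rootdn (`binddn="cn=admin,dc=example,dc=com" credentials=secret`) with `bindmethod=simple` over a plain `ldap://` URL, so the admin password crosses the wire in clear and a compromised consumer holds full write access to the provider. Since this block is being edited anyway, a sentence pointing to a dedicated read-only replication identity and to `starttls=critical tls_reqcert=demand` (or an ldaps:// provider URL) is worth adding, or at least a note that `secret` is a placeholder to be replaced.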
@@ -1148,15 +1133,15 @@
1148 To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the1133 To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the
1149 special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The1134 special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The
1150 frontend database is the second to be consulted and the ACL to be applied is the first to match ("first match wins") among these 21135 frontend database is the second to be consulted and the ACL to be applied is the first to match ("first match wins") among these 2
1151 ACL sources. The following commands will give, respectively, the ACLs of the hdb database ("dc=example,dc=com") and those of the1136 ACL sources. The following commands will give, respectively, the ACLs of the mdb database ("dc=example,dc=com") and those of the
1152 frontend database:1137 frontend database:
1153 </para>1138 </para>
11541139
1155<screen>1140<screen>
1156<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \1141<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
1157cn=config '(olcDatabase={1}hdb)' olcAccess</command>1142cn=config '(olcDatabase={1}mdb)' olcAccess</command>
1158<computeroutput>1143<computeroutput>
1159dn: olcDatabase={1}hdb,cn=config1144dn: olcDatabase={1}mdb,cn=config
1160olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous1145olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
1161 auth by dn="cn=admin,dc=example,dc=com" write by * none1146 auth by dn="cn=admin,dc=example,dc=com" write by * none
1162olcAccess: {1}to dn.base="" by * read1147olcAccess: {1}to dn.base="" by * read
@@ -1662,7 +1647,7 @@
1662 </para>1647 </para>
16631648
1664<programlisting>1649<programlisting>
1665dn: olcDatabase={1}hdb,cn=config1650dn: olcDatabase={1}mdb,cn=config
1666replace: olcSyncRepl1651replace: olcSyncRepl
1667olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple1652olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
1668 binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"1653 binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
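Review bot: inconsistent with the two-space convention adopted in the consumer configuration above, the continuation lines of this `replace: olcSyncRepl` block keep a single leading space (` binddn=...`), so they still depend on an invisible trailing space on the previous line, which is exactly the mistake the description warns about. Indent these continuation lines by two spaces as well.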
@@ -3592,11 +3577,11 @@
3592<screen>3577<screen>
3593<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>3578<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>
3594<computeroutput>3579<computeroutput>
3595<userinput>dn: olcDatabase={1}hdb,cn=config3580<userinput>dn: olcDatabase={1}mdb,cn=config
3596add: olcDbIndex3581add: olcDbIndex
3597olcDbIndex: krbPrincipalName eq,pres,sub</userinput>3582olcDbIndex: krbPrincipalName eq,pres,sub</userinput>
35983583
3599modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>3584modifying entry "olcDatabase={1}mdb,cn=config"</computeroutput>
3600</screen>3585</screen>
3601 3586
3602 </step>3587 </step>
@@ -3609,7 +3594,7 @@
3609<screen>3594<screen>
3610<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>3595<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>
3611<computeroutput>3596<computeroutput>
3612<userinput>dn: olcDatabase={1}hdb,cn=config3597<userinput>dn: olcDatabase={1}mdb,cn=config
3613replace: olcAccess3598replace: olcAccess
3614olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by3599olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by
3615 dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none3600 dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
@@ -3620,7 +3605,7 @@
3620add: olcAccess3605add: olcAccess
3621olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read</userinput>3606olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read</userinput>
36223607
3623modifying entry "olcDatabase={1}hdb,cn=config"3608modifying entry "olcDatabase={1}mdb,cn=config"
3624</computeroutput>3609</computeroutput>
3625</screen>3610</screen>
3626 3611
