Merge lp:~ahasenack/serverguide/default-backend-is-mdb-1689649 into lp:serverguide/trunk

Proposed by Andreas Hasenack
Status: Merged
Approved by: Doug Smythies
Approved revision: 332
Merged at revision: 322
Proposed branch: lp:~ahasenack/serverguide/default-backend-is-mdb-1689649
Merge into: lp:serverguide/trunk
Diff against target: 320 lines (+47/-62)
1 file modified
serverguide/C/network-auth.xml (+47/-62)
To merge this branch: bzr merge lp:~ahasenack/serverguide/default-backend-is-mdb-1689649
Reviewer: Doug Smythies (Approve)
Review via email: mp+323855@code.launchpad.net

Description of the change

Change references to HDB with references to MDB, since MDB is the default backend in openldap-server in xenial.

I tried to keep drive-by changes to a minimum here, and open new bugs where bigger changes were needed (like #1689809 for ACLs), but some changes were small enough to make here, mostly in command outputs:
- updated shown content of /etc/ldap/slapd.d
- removed note about bug #1689809 since it's fixed already
- in the example that adds an index, changed the index from "uid" to "mail", since an index for the uid attribute is already created by default when the package is installed
- changed the output of the ldapsearch command that shows the existing indexes, because the slapd package now installs some indexes by default
- when adding the corba schema, changed the output of the commands because we now get a different index number for it

The replication section had a few more changes because of the switch to MDB:
- the apparmor changes and restarts are no longer needed (I tested it)
- the MDB database/backend doesn't require a DB_CONFIG file, so the instructions to copy it over to the accesslog directory were removed

Finally, I changed the indentation of the olcSyncRepl attribute contents to start with two spaces instead of one. It's easier to show why than to explain:

This:
foobar: this is a line
 continuation

If there is no whitespace after the word "line" above, this becomes:
foobar: this is a linecontinuation

It's a very easy and confusing mistake to make when one copies and pastes blocks of text from documentation, because the ending whitespace in the line above doesn't show. The error looks like (missing whitespace just before credentials):
 additional info: Error: parse_syncrepl_line: unable to parse "binddn="cn=admin,dc=example,dc=com"credentials=secret searchbase=dc=example,dc=com"

Revision history for this message
Doug Smythies (dsmythies) wrote :

O.K. thanks again.

review: Approve

Preview Diff

1=== modified file 'serverguide/C/network-auth.xml'
2--- serverguide/C/network-auth.xml 2017-05-09 23:10:32 +0000
3+++ serverguide/C/network-auth.xml 2017-05-10 14:07:57 +0000
4@@ -225,19 +225,19 @@
5 <screen>
6 <computeroutput>
7 /etc/ldap/slapd.d/
8+ /etc/ldap/slapd.d/cn=config.ldif
9 /etc/ldap/slapd.d/cn=config
10- /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
11 /etc/ldap/slapd.d/cn=config/cn=schema
12+ /etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
13 /etc/ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
14- /etc/ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
15 /etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
16 /etc/ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
17- /etc/ldap/slapd.d/cn=config/cn=schema.ldif
18- /etc/ldap/slapd.d/cn=config/olcBackend={0}hdb.ldif
19+ /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
20 /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
21 /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
22- /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
23- /etc/ldap/slapd.d/cn=config.ldif
24+ /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
25+ /etc/ldap/slapd.d/cn=config/olcBackend={0}mdb.ldif
26+ /etc/ldap/slapd.d/cn=config/cn=schema.ldif
27 </computeroutput>
28 </screen>
29
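Review bot: the listing is in filesystem order rather than sorted (cn={1}cosine.ldif now precedes cn={0}core.ldif, and cn=config.ldif moves from last to first), so a reader comparing it against their own system will see a different order depending on the tool they use. Either sort the output (e.g. `find /etc/ldap/slapd.d | sort`) or say in the surrounding text that the order is not significant; the content change itself (olcBackend={0}mdb.ldif, olcDatabase={1}mdb.ldif) is correct for the mdb default.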
30@@ -254,12 +254,6 @@
31 This is what the slapd-config DIT looks like via the LDAP protocol:
32 </para>
33
34-<caution>
35- <para>
36- On Ubuntu server 14.10, and possibly higher, the following command may not work due to a <ulink url="https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1392018">bug</ulink>
37- </para>
38-</caution>
39-
40 <screen>
41 <command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn</command>
42 <computeroutput>
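Review bot: the caution being removed refers to apparmor bug 1392018, not bug #1689809 as the proposal description states; worth correcting the description so the revision history points at the bug that was actually verified as fixed before this note was dropped.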
43@@ -277,13 +271,13 @@
44
45 dn: cn={3}inetorgperson,cn=schema,cn=config
46
47-dn: olcBackend={0}hdb,cn=config
48+dn: olcBackend={0}mdb,cn=config
49
50 dn: olcDatabase={-1}frontend,cn=config
51
52 dn: olcDatabase={0}config,cn=config
53
54-dn: olcDatabase={1}hdb,cn=config
55+dn: olcDatabase={1}mdb,cn=config
56 </computeroutput>
57 </screen>
58
59@@ -337,7 +331,7 @@
60
61 <listitem>
62 <para>
63- <emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage type
64+ <emphasis>olcBackend={0}mdb,cn=config</emphasis>: the 'mdb' backend storage type
65 </para>
66 </listitem>
67
68@@ -355,7 +349,7 @@
69
70 <listitem>
71 <para>
72- <emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance (dc=examle,dc=com)
73+ <emphasis>olcDatabase={1}mdb,cn=config</emphasis>: your database instance (dc=example,dc=com)
74 </para>
75 </listitem>
76
77@@ -559,14 +553,14 @@
78
79 <listitem>
80 <para>
81- Use <application>ldapmodify</application> to add an "Index" (DbIndex attribute) to your <application>{1}hdb,cn=config</application>
82+ Use <application>ldapmodify</application> to add an "Index" (DbIndex attribute) to your <application>{1}mdb,cn=config</application>
83 database (dc=example,dc=com). Create a file, call it <filename>uid_index.ldif</filename>, with the following contents:
84 </para>
85
86 <programlisting>
87-dn: olcDatabase={1}hdb,cn=config
88+dn: olcDatabase={1}mdb,cn=config
89 add: olcDbIndex
90-olcDbIndex: uid eq,pres,sub
91+olcDbIndex: mail eq,sub
92 </programlisting>
93
94 <para>
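Review bot: the indexed attribute changes from uid to mail, but the prose on line 83 still tells the reader to name the file uid_index.ldif (and the ldapmodify command in the next hunk still reads it under that name). Rename it to something like mail_index.ldif in both places so the file name matches what it does.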
95@@ -576,7 +570,7 @@
96 <screen>
97 <command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif</command>
98 <computeroutput>
99-modifying entry "olcDatabase={1}hdb,cn=config"
100+modifying entry "olcDatabase={1}mdb,cn=config"
101 </computeroutput>
102 </screen>
103
104@@ -586,11 +580,14 @@
105
106 <screen>
107 <command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
108-cn=config '(olcDatabase={1}hdb)' olcDbIndex</command>
109+cn=config '(olcDatabase={1}mdb)' olcDbIndex</command>
110 <computeroutput>
111-dn: olcDatabase={1}hdb,cn=config
112+dn: olcDatabase={1}mdb,cn=config
113 olcDbIndex: objectClass eq
114-olcDbIndex: uid eq,pres,sub
115+olcDbIndex: cn,uid eq
116+olcDbIndex: uidNumber,gidNumber eq
117+olcDbIndex: member,memberUid eq
118+olcDbIndex: mail eq,sub
119 </computeroutput>
120 </screen>
121
122@@ -681,7 +678,7 @@
123 <screen>
124 <command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema</command>
125 <computeroutput>
126-cn={1}corba,cn=schema,cn=config
127+cn={2}corba,cn=schema,cn=config
128 </computeroutput>
129 </screen>
130
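Review bot: the {2} ordinal is only correct for the exact set and order of includes in schema_convert.conf; hardcoding it in the expected output invites the reader to copy a DN that does not exist on their system. Suggest the text say to use whatever index the grep returns and carry that value into the slapcat -H URL in the following hunk.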
131@@ -701,7 +698,7 @@
132
133 <screen>
134 <command>slapcat -f schema_convert.conf -F ldif_output -n0 -H \
135-ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif</command>
136+ldap:///cn={2}corba,cn=schema,cn=config -l cn=corba.ldif</command>
137 </screen>
138
139 <para>
140@@ -889,7 +886,7 @@
141
142 <programlisting>
143 # Add indexes to the frontend db.
144-dn: olcDatabase={1}hdb,cn=config
145+dn: olcDatabase={1}mdb,cn=config
146 changetype: modify
147 add: olcDbIndex
148 olcDbIndex: entryCSN eq
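Review bot: the comment "# Add indexes to the frontend db." above this DN is misleading: olcDatabase={1}mdb is the primary dc=example,dc=com database, whereas this document uses "frontend database" for olcDatabase={-1}frontend (see the ACL section further down). Suggest "# Add indexes to the primary db." to match the wording of the syncprov and accesslog overlay comments below.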
149@@ -907,10 +904,10 @@
150 olcModuleLoad: accesslog
151
152 # Accesslog database definitions
153-dn: olcDatabase={2}hdb,cn=config
154+dn: olcDatabase={2}mdb,cn=config
155 objectClass: olcDatabaseConfig
156-objectClass: olcHdbConfig
157-olcDatabase: {2}hdb
158+objectClass: olcMdbConfig
159+olcDatabase: {2}mdb
160 olcDbDirectory: /var/lib/ldap/accesslog
161 olcSuffix: cn=accesslog
162 olcRootDN: cn=admin,dc=example,dc=com
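Review bot: with the switch to olcMdbConfig the accesslog database inherits mdb's default maximum map size (olcDbMaxSize defaults to 10485760 bytes per slapd-mdb(5)), which an accesslog on a busy provider can exhaust, after which writes to it fail. The hdb definition had no such limit. Suggest adding an explicit olcDbMaxSize to this entry, in line with the value the package sets on olcDatabase={1}mdb.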
163@@ -918,7 +915,7 @@
164 olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
165
166 # Accesslog db syncprov.
167-dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
168+dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
169 changetype: add
170 objectClass: olcOverlayConfig
171 objectClass: olcSyncProvConfig
172@@ -927,7 +924,7 @@
173 olcSpReloadHint: TRUE
174
175 # syncrepl Provider for primary db
176-dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
177+dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
178 changetype: add
179 objectClass: olcOverlayConfig
180 objectClass: olcSyncProvConfig
181@@ -935,7 +932,7 @@
182 olcSpNoPresent: TRUE
183
184 # accesslog overlay definitions for primary db
185-dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
186+dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
187 objectClass: olcOverlayConfig
188 objectClass: olcAccessLogConfig
189 olcOverlay: accesslog
190@@ -953,36 +950,24 @@
191 </step>
192
193 <step>
194- <para>
195- The <application>apparmor</application> profile for slapd will not need to be adjusted for the
196- accesslog database location since <filename>/etc/apparmor.d/local/usr.sbin.slapd</filename> contains:
197- </para>
198-
199-<programlisting>
200-/var/lib/ldap/ r,
201-/var/lib/ldap/** rwk,
202-</programlisting>
203-
204- <para>
205- Create a directory, set up a databse config file, and reload the apparmor profile:
206+
207+ <para>
208+ Create a directory:
209 </para>
210
211 <screen>
212 <command>sudo -u openldap mkdir /var/lib/ldap/accesslog</command>
213-<command>sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog</command>
214-<command>sudo systemctl reload apparmor.service</command>
215 </screen>
216
217 </step>
218
219 <step>
220 <para>
221- Add the new content and, due to the apparmor change, restart the daemon:
222+ Add the new content:
223 </para>
224
225 <screen>
226 <command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif</command>
227-<command>sudo systemctl restart slapd.service</command>
228 </screen>
229
230 </step>
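Review bot: dropping the DB_CONFIG copy and the apparmor reload is right for mdb, but the directory now gets whatever mode the openldap user's umask yields. The accesslog stores the modifications it replicates, attribute values included, so suggest `sudo -u openldap mkdir -m 0700 /var/lib/ldap/accesslog` so the directory is as private as the data file slapd-mdb creates in it (mode 0600 by default).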
231@@ -1007,7 +992,7 @@
232 <step>
233 <para>
234 Install the software by going through <xref linkend="openldap-server-installation"/>. Make sure the slapd-config
235- databse is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same.
236+ database is identical to the Provider's. In particular, make sure schemas and the databse suffix are the same.
237 </para>
238 </step>
239
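Review bot: the added line 236 fixes the first "databse" but leaves the second one ("the databse suffix") in the same sentence; fix both while touching the line.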
240@@ -1022,16 +1007,16 @@
241 add: olcModuleLoad
242 olcModuleLoad: syncprov
243
244-dn: olcDatabase={1}hdb,cn=config
245+dn: olcDatabase={1}mdb,cn=config
246 changetype: modify
247 add: olcDbIndex
248 olcDbIndex: entryUUID eq
249 -
250 add: olcSyncRepl
251-olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com"
252- credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"
253- logfilter="(&amp;(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
254- type=refreshAndPersist retry="60 +" syncdata=accesslog
255+olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com"
256+ credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"
257+ logfilter="(&amp;(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
258+ type=refreshAndPersist retry="60 +" syncdata=accesslog
259 -
260 add: olcUpdateRef
261 olcUpdateRef: ldap://ldap01.example.com
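Review bot: the two-space indentation addresses the concatenation trap described in the proposal, but the example still binds with bindmethod=simple and credentials=secret over a plain ldap:// URL, which sends the admin password to ldap01 in clear text. Since this is the consumer's replication credential, the text should either add starttls=critical to the olcSyncRepl value or point the reader at the TLS section before this block is copied verbatim.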
262@@ -1148,15 +1133,15 @@
263 To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the
264 special frontend database instance. The ACLs belonging to the latter act as defaults in case those of the former do not match. The
265 frontend database is the second to be consulted and the ACL to be applied is the first to match ("first match wins") among these 2
266- ACL sources. The following commands will give, respectively, the ACLs of the hdb database ("dc=example,dc=com") and those of the
267+ ACL sources. The following commands will give, respectively, the ACLs of the mdb database ("dc=example,dc=com") and those of the
268 frontend database:
269 </para>
270
271 <screen>
272 <command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
273-cn=config '(olcDatabase={1}hdb)' olcAccess</command>
274+cn=config '(olcDatabase={1}mdb)' olcAccess</command>
275 <computeroutput>
276-dn: olcDatabase={1}hdb,cn=config
277+dn: olcDatabase={1}mdb,cn=config
278 olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
279 auth by dn="cn=admin,dc=example,dc=com" write by * none
280 olcAccess: {1}to dn.base="" by * read
281@@ -1662,7 +1647,7 @@
282 </para>
283
284 <programlisting>
285-dn: olcDatabase={1}hdb,cn=config
286+dn: olcDatabase={1}mdb,cn=config
287 replace: olcSyncRepl
288 olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
289 binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
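Review bot: the continuation line 289 (" binddn=...") appears to keep the single-space indentation that the proposal replaces with two spaces at lines 255-258; the same missing-whitespace trap applies to this replace example, so apply the two-space convention here as well.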
290@@ -3592,11 +3577,11 @@
291 <screen>
292 <command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>
293 <computeroutput>
294-<userinput>dn: olcDatabase={1}hdb,cn=config
295+<userinput>dn: olcDatabase={1}mdb,cn=config
296 add: olcDbIndex
297 olcDbIndex: krbPrincipalName eq,pres,sub</userinput>
298
299-modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>
300+modifying entry "olcDatabase={1}mdb,cn=config"</computeroutput>
301 </screen>
302
303 </step>
304@@ -3609,7 +3594,7 @@
305 <screen>
306 <command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>
307 <computeroutput>
308-<userinput>dn: olcDatabase={1}hdb,cn=config
309+<userinput>dn: olcDatabase={1}mdb,cn=config
310 replace: olcAccess
311 olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by
312 dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
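Review bot: `replace: olcAccess` with a single value discards every existing olcAccess entry on the database, including the `{1}to dn.base="" by * read` rule shown earlier in this file, not just the userPassword rule being amended. Unless the following `add: olcAccess` restores the rest, the reader ends up with a narrower ACL set than the installation default; worth stating that explicitly or showing the full replacement set.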
313@@ -3620,7 +3605,7 @@
314 add: olcAccess
315 olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read</userinput>
316
317-modifying entry "olcDatabase={1}hdb,cn=config"
318+modifying entry "olcDatabase={1}mdb,cn=config"
319 </computeroutput>
320 </screen>
321
