Symas Binary Packaging for OpenLDAP 2.5, 2.6, and Beyond
Updated: May 12
OpenLDAP 2.5 represents the contribution of various Symas Open Source enhancements not previously adopted by the Project. Everything previously only available in Symas OpenLDAP Gold binary packages is now available in the source code distributions from The OpenLDAP Project and in the binary packages available on Symas's repository site,repo.symas.com.
In this transition, the Project updated its Support Policy to provide support for Long Term Support (LTS) Releases in addition to the traditional Feature Release stream. Changes were made to file locations to conform to current practice where possible. The cadence for minor releases has also been increased to run approximately eighteen months and two years for each minor release. Finally, some configuration items are new or different. Details follow.
As described above, there are two distinct types of releases now: Feature Releases and LTS releases.
Feature Releases are the means by which new features are introduced to OpenLDAP. While these releases are suitable for production, it should be understood that the support lifecycle for each Feature Release is between eighteen months and two years. As of this writing, OpenLDAP 2.6 is the most recent Feature Release.
An LTS release, or Long Term Support release, is intended for customers who prioritize longevity over new features. The support lifecycle for an LTS release is expected to be between three and five years. During this time, critical fixes are made to the release, but no new features will be introduced. The LTS release stream is recommended for production deployments that focus on proven stability and reliability. As of this writing, OpenLDAP version 2.5 is the LTS release. Within three to five years, a future Feature Release will be designated as the new LTS release and support for the previous LTS release will be phased out.
The main difference between OFL and symas-openldap is the installation structure. The symas-openldap package if fully self-contained and installs everything (configuration, command line tools, dependencies) in the /opt/symas directory:
/opt └── symas ├── bin (user-level commands) ├── etc │ └── openldap (configuration, schema) ├── lib (slapd) │ └── openldap (overlays/modules) ├── sbin (administrative commands) ├── share │ ├── man (manual pages) │ └── symas (demo scripts) └── ssl (certificate storage)
The advantage of the self-contained installation is that system/OS updates will never overwrite symas-openldap's dependencies (OpenSSL, for example).
Your slapd runtime configuration will need some changes to work with symas-openldap:
The include path to the standard schema files is now "/opt/symas/etc/openldap/schema"
If ppolicy is being used, the ppolicy schema must be removed from slapd.conf/cn=config
slapd.conf/cn=config need to have the "pidfile/olcPidFile" path adjusted to /var/symas/run
slapd.conf/cn=config need to have the "argsfile/olcArgsFile" path adjusted to /var/symas/run
slapd.conf/cn=config need to have he modulepath/olcModulePath adjusted to "/opt/symas/lib/openldap"
If using a multi-provider replication environment, the "mirrormode/olcMirrorMode" keyword needs to be adjusted to "multiprovider/olcMultiProvider"
If multival(hi/lo) feature is in use, the keyword needs to be changed to "multival/olcMultiVal" and the configuration must be updated for the 2.5 syntax and set the "default" keyword:
Old slapd.conf settings:
multivallo 10 multivalhi 50
New slapd.conf setting:
multival default 50,10
Old cn=config settings:
olcMultiValLo: 10 olcMultiValHi: 50
New cn=config setting:
olcMultiVal: default 50,10
The slapd startup configuration (USER, GROUP, EXTRA_SLAPD_ARGS) is now located in /etc/default/symas-openldap.
The path to online LDAP command line utilities (ldapsearch, ldapadd, etc.) are now located in /opt/symas/bin.
The path to offline slapd command line utilities (slapadd, slapcat, etc.) are now located in /opt/symas/sbin.
The symas-openldap package contains several utilities for working with LMDB databases:
mdb_stat - Gets the status of LMDB databases
mdb_copy - Makes a safe copy of LMDB databases with optional compaction
The symas-openldap package includes enhanced logging, which provides elapsed execution time (etime) for all LDAP operations.
The 2.6.x packages includes a new local logging feature:
Slapd log entries are written directly to file, bypassing rsyslog and its performance penalties
Log rotation is built in and configurable
Timestamp formats are configurable
For more information on upgrading to Symas OpenLDAP versions 2.5 or 2.6, seehttps://repo.symas.com/soldap2.5/upgrading/