Migration from OpenLDAP LTB 2.5 to OpenLDAP LTB 2.6

Follow the steps below to migrate from OpenLDAP 2.5 to OpenLDAP 2.6.

Backup

Use slapd-cli to back up the data and configuration:

slapd-cli backup
slapd-cli backupconfig

Deploy new version

First, stop the OpenLDAP process:

systemctl stop slapd

Then update the package repository configuration to use the openldap26 repository.

  • For Debian:

deb [arch=amd64] https://ltb-project.org/debian/openldap26/bullseye bullseye main

  • For Debian (Trixie):

Types: deb
URIs: https://ltb-project.org/debian/openldap26/trixie
Suites: trixie
Components: main
Signed-By: /etc/apt/trusted.gpg.d/ltb-project-debian-keyring.gpg
Architectures: amd64

Note

OpenLDAP 2.6 is available for the following Debian releases: Buster, Bullseye, Bookworm, Trixie and newer.

  • For CentOS:

[ltb-project]
name=LTB project packages
baseurl=https://ltb-project.org/rpm/openldap26/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Upgrade to the latest version:

  • For Debian:

apt update && apt upgrade

  • For CentOS:

yum update

The OpenLDAP 2.6 packages should now be installed.

Configuration

In the initial config block (dn: cn=config), add the following:

olcLogFile: /var/log/slapd-ltb/slapd.log
olcLogFileOnly: TRUE
olcLogFileRotate: 30 1024 24
olcLogFileFormat: syslog-localtime

Remove the lastbind module, as it is no longer needed:

olcModuleLoad: {1}lastbind

Remove the entire lastbind overlay block that is present.

dn: olcOverlay={3}lastbind,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcLastBindConfig
objectClass: olcOverlayConfig
olcOverlay: {3}lastbind
olcLastBindPrecision: 1
structuralObjectClass: olcLastBindConfig
entryUUID: 1a2b3c4d-5e6f-7890-1a2b-3c4d5e6f7g8h
creatorsName: cn=config
createTimestamp: 19700101000000Z
entryCSN: 19700101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 19700101000000Z

Add the following lines to the dn: olcDatabase entry for mdb:

olcLastBind: TRUE
olcLastBindPrecision: 1

Replace authTimestamp with pwdLastSuccess in user data.

sed -i -e 's/authTimestamp/pwdLastSuccess/g' openldap-data-<date>.ldif
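
Before restoring, the edits above can be checked mechanically. The following is an added example, not part of the LTB documentation or of slapd-cli: it reports a leftover lastbind module or overlay, an mdb database without olcLastBind: TRUE, and any authTimestamp attribute still present in the data. The function names and the sample entries are assumptions constructed for illustration.

```sh
# Added example: pre-restore check for the edits above (function names are hypothetical).
# Join LDIF continuation lines (a leading single space continues the previous line).
unfold_ldif() {
    awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { if (NR) print "" }' "$1"
}

# check_config FILE: report a leftover lastbind module or overlay, and any mdb
# database entry without olcLastBind: TRUE. Returns non-zero if anything is reported.
check_config() {
    unfold_ldif "$1" | awk 'BEGIN { RS = ""; FS = "\n" }
    {
        dn = ""; mdb = 0; lb = 0
        for (i = 1; i <= NF; i++) {
            l = tolower($i)
            if (l ~ /^dn: /) dn = substr($i, 5)
            if (l ~ /^dn: olcdatabase=([{][0-9]+[}])?mdb,cn=config$/) mdb = 1
            if (l ~ /^olclastbind: true$/) lb = 1
            if (l ~ /^olcmoduleload: ([{][0-9]+[}])?lastbind/) { print "lastbind module still loaded in " dn; bad = 1 }
            if (l ~ /^olcoverlay: ([{][0-9]+[}])?lastbind/) { print "lastbind overlay still present: " dn; bad = 1 }
        }
        if (mdb && !lb) { print "olcLastBind: TRUE missing in " dn; bad = 1 }
    }
    END { exit bad + 0 }'
}

# check_data FILE: fail while any authTimestamp attribute line remains.
check_data() {
    unfold_ldif "$1" | awk 'tolower($0) ~ /^authtimestamp:/ { n++ }
        END { if (n) { print n " authTimestamp value(s) not renamed"; exit 1 } }'
}

# Constructed sample: a 2.5-style config fragment that has not been edited yet.
write_sample_config() {
    cat > "$1" <<'EOF'
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}lastbind

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com

dn: olcOverlay={3}lastbind,olcDatabase={1}mdb,cn=config
olcOverlay: {3}lastbind
EOF
}
```

Run check_config on the edited configuration LDIF and check_data on openldap-data-<date>.ldif; both return non-zero while something is left to fix.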

Applying the changes

Restore the updated configuration:

slapd-cli restoreconfig

Restore the data from the backup made in the first step:

slapd-cli restore

The systemd service name has changed from slapd to slapd-ltb in slapd-cli v2.8. You can now get the status with:

systemctl status slapd-ltb