You are here

OpenLDAP Upgrade

Project ID: 
Current stage: 

Description: Upgrade OpenLDAP clients and servers to latest stable version. This applies to both Linux and Solaris machines. This also involves a change in hardware and an upgrade to FC5 for the main OpenLDAP server (currently basilisk, but to be replaced by barrett).

Deliverables: A stable and robust LDAP client/server set-up with all managed Linux/Solaris machines running the latest stable version of OpenLDAP, fully configured by LCFG resources.


Customer: All

Case statement: We're quite a bit behind on OpenLDAP code versions, and things have moved on around us. We need to get back up to speed, so that we're running a modern, robust version. The latest stable version is 2.3.27, so it's the intention that we should upgrade to this, while keeping an eye on any subsequent versions to see if there are overwhelming reasons for adopting them in preference to 2.3.27.
We're currently running the following versions:

Linux FC3: 2.2.13
Linux FC5: 2.3.20
basilisk (current LDAP master): 2.3.17
Solaris: 2.2.13

It is expected that work on FC3 will not be required.



All FC5 and FC6 LDAP clients and servers are now running OpenLDAP 2.3.35.
LCFG configuration for LDAP master is now in dice/options/openldap-master-server.h
I have marked the Solaris client milestone as complete, as it's not required.
Following discussion within the inf-unt and CEG, we have agreed that the move to the new LDAP master server will happen on 17/05/07.
A new machine has recently been purchased to become the new LDAP master, following the decision to split LDAP and KDC. Installing this machine and transferring the LDAP service to it will become high priority after the KDC service has first moved off basilisk (scheduled to happen 18/04).
The milestone for upgrading the LDAP master is likely to slip further, due to the decision to split KDC and LDAP at this stage.
The inf-unit has decided to take the replacement of basilisk as an opportunity to split the KDC master and LDAP master onto separate machines. We have had email discussions and a meeting on 26/02/07 to determine the details of this. It will require either new hardware or redeployment of existing hardware - this matter is ongoing.
All remaining milestones have been put back by 2 months, because of delay (explained below) in upgrading all dice clients
The inf-unit is currently finalising the plan and schedule for moving from basilisk (current LDAP and kerberos master) to barrett. This encompasses the 'upgrade ldap master' milestone in this project. We have not yet set a date for this - it is likely to be end Feb/early March, but this is dependent on other factors such as unit member availability.
All clients upgraded to 2.3.32 on 02/02/07.
ldapBuildAmdMaps and buildcaps both run under 2.3.32
Version 2.3.32 of openldap has been pushed out to 'develop' (10/01) and 'testing' (16/01) machines.
It is generally recommended (e.g. on the openldap list) that it is wisest to be running the latest openldap version available. Discussions in the inf-unit support this decision. The newest version is currently 2.3.32. I would like to put this into the release schedule for full testing as soon as possible, but my own testing of it has revealed issues that require further investigation. This will inevitably lead to further delays in pushing out the openldap upgrade, but it is very important that we get this process right.
The milestone to "Test additional LDAP tools that run on the LDAP master, e.g. ldapBuildAmdMaps and buildcaps" has been done for version 2.3.27, but will need to be revisited for whichever version we decide on.
The upgrade of all FC5 linux clients has been postponed until early next year - there are a couple of reasons for this - (1) I spent quite some time investigating suspected ldap problems on FC5 clients - I didn't want to push out a major upgrade until this was complete. It turned out that the problem was not an ldap one, but one of FC5 instability, leading to broken ldap on machines. (2) I have discovered a small problem with the upgrade process, moving from one version of openldap-server to another. This will need to be resolved before pushing out the newer version. With it being so close to the Christmas holidays, it seemed wiser to hold off on any mass upgrade until the new year
Version 2.3.30 of openldap is out now, which contains various bug fixes (including some for syncrepl). It hasn't become the 'stable' release yet, but when it does so, will warrant investigation as to whether this should be deployed in favour of 2.3.27

Timescales: A deadline of the end of 2006 was originally set, as defined by the FC3 end-of-life. It was subsequently thought, however, that scheduling such major upgrade work in December when people might be unavailable, for various reasons, was perhaps unwise.

Priority: High




Resources: Difficult to quantify, as most of the work involves testing and resolving any issues that crop up in testing. It is envisaged that two person weeks of someone familiar with OpenLDAP server operation and configuration would be a good approximate starting point.


  1. Build and test new version
  2. Upgrade and test selected FC5 Linux clients - i.e. develop
  3. Upgrade all FC5 linux clients (mid Dec)
  4. Test additional LDAP tools that run on the LDAP master,
    e.g. ldapBuildAmdMaps and buildcaps (end Dec)
  5. Upgrade and test LDAP master (mid Jan)
  6. Upgrade and test Solaris (end Jan)
  7. LCFG configuration (end Jan)

Dependencies: Some of the testing required can be done as part of the OpenLDAP Replication and Server Configuration project. There is some inter-dependency with that project in that testing data will potentially be useful to both projects.




Proposed date Achieved date Name Description
2006-11-15 2006-11-15 upgrade_selecte Upgrade and test selected FC5 Linux clients - i.e. develop release
2007-02-02 2006-12-15 upgrade_all_cli Upgrade all FC5 Linux clients
2007-01-15 2006-12-31 test_server_lda Test additional LDAP tools that run on the LDAP master, e.g. ldapBuildAmdMaps and buildcaps
2007-05-17 2007-05-17 upgrade_master Upgrade and test LDAP master
2007-06-08 2007-03-31 upgrade_solaris Upgrade and test Solaris clients
2007-07-30 2007-07-27 lcfg_config LCFG configuration
2006-09-30 2006-09-30 build_new_versi Build and test new version