# $OpenLDAP: pkg/openldap-guide/admin/appendix-upgrading.sdf,v 1.1.2.5 2008/05/20 00:17:58 quanah Exp $
# Copyright 2007-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Upgrading from 2.3.x

The following sections document the steps you need to take to upgrade
from the latest 2.3.x OpenLDAP version.

The normal upgrade procedure, as discussed in the {{SECT:Maintenance}} section, should
still be followed before doing any of this.

H2: Monitor Backend

Note: This is a temporary requirement and is subject to change over the next 2.4.x beta release cycle.

A monitor database ({{slapd-monitor(5)}}) now needs a {{rootdn}} entry. If you do not have
one, {{slapd}} will fail to start with an error message like this:

>           monitor_back_register_entry_attrs(""): base="cn=databases,cn=monitor" scope=one
>           filter="(namingContexts:distinguishedNameMatch:=dc=example,dc=com)": unable to find entry
>           backend_startup_one: bi_db_open failed! (1)
>           slap_startup failed (test would succeed using the -u switch)

Here is a complete {{database monitor}} example:

>           database monitor
>           rootdn cn=monitor
>           rootpw change_me

H2: {{B:cn=config}} olc* attributes

Quite a few {{olc*}} attributes have now become obsolete. If you see entries like the
one below in your logs, just remove those attributes from the relevant LDIF file.

>           olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)
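
The cleanup described above, as an added example that is not part of the OpenLDAP guide: it collects the attribute names {{slapd}} reported as obsolete and drops them, together with any folded continuation lines, from LDIF text. The sample log line and LDIF fragment are constructed, and the function names are this example's own.

```python
import re

# Matches the slapd message quoted above, e.g.
# "olcFoo: value #0: <olcFoo> keyword is obsolete (ignored)"
OBSOLETE_RE = re.compile(r"<(olc[\w-]+)> keyword is obsolete \(ignored\)")


def obsolete_attrs(log_text):
    """Return the lower-cased olc* attribute names slapd reported as obsolete."""
    return {m.group(1).lower() for m in OBSOLETE_RE.finditer(log_text)}


def strip_attrs(ldif_text, attrs):
    """Drop every attribute line named in attrs, plus its folded continuations."""
    kept, skipping = [], False
    for line in ldif_text.splitlines():
        if line.startswith(" "):
            # LDIF line folding: this line continues the previous attribute.
            if not skipping:
                kept.append(line)
            continue
        # Attribute name is the text before the first ':' without options (;x).
        name = line.split(":", 1)[0].split(";", 1)[0].strip().lower()
        skipping = ":" in line and name in attrs
        if not skipping:
            kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample input: one log line in the format quoted above and a
# small cn=config fragment whose values are made up for the demonstration.
SAMPLE_LOG = (
    "olcReplicationInterval: value #0: "
    "<olcReplicationInterval> keyword is obsolete (ignored)\n"
)
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcReplicationInterval: 5
olcArgsFile: /var/run/slapd/slapd.
 args
"""

if __name__ == "__main__":
    print(strip_attrs(SAMPLE_LDIF, obsolete_attrs(SAMPLE_LOG)), end="")
```

Run it against a copy of the LDIF and compare the result with the original before putting it in place.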

H2: ACLs: searches require privileges on the search base

Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
bases.

For example, assuming you have the following ACL:

>           access to dn.sub="ou=people,dc=example,dc=com" by * search

Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:

>           access to dn.base="dc=example,dc=com" attrs=entry by * search

Note: The {{slapd.access}}(5) man page states that this requirement was introduced
with OpenLDAP 2.3. However, it is the default behavior only since 2.4.

ADD MORE HERE
