Don’t Be Scared of OpenLDAP 2.5
For more than a year there have been two newer versions of OpenLDAP, 2.5 and 2.6, yet more than a few people still use version 2.4. This might be for different, sometimes very relatable, reasons. DAASI International, however, recommends migrating to one of the higher versions. The following text provides more information on the topic, which might help when trying to decide whether to go for the update or not.
Symas OpenLDAP – What’s new?
First things first: when considering a migration, you should determine which version you want to migrate to. Why are there two versions at the same time, and why were both developed? With the release of versions 2.5 and 2.6, the company Symas provides a 5-year LTS version in 2.5 and a current feature version in 2.6. Version 2.5 replaces the product “Symas OpenLDAP Directory Gold Edition”, which until now was offered for professional use with different support options. This included binary packages which were not publicly available. Now not only the source code, which has always been public, is available but also the binary packages, which completely detaches them from the purchase of support packages. As a result, it is up to each user to choose between the very stable LTS version 2.5 and version 2.6, which includes newer features. Both versions are available as repositories for RHEL7, RHEL8, SLES 15.3, Debian 10, Debian 11, Ubuntu 18.04 and Ubuntu 20.04, which makes it easier to include them in various existing IT landscapes. Instructions for integrating the repositories into the respective distribution are available as well.
Configuration and Special Features
The configuration adjustments needed for the upgrade from 2.4 to 2.5 or 2.6 are well documented under “Upgrades”, linked on the respective pages beneath the homepage. More detailed explanations can be found in “Appendix B. Upgrading from 2.4.x” of the “OpenLDAP Software 2.5 Administrator’s Guide”. Apart from the fact that 2.4 will not be developed further, there are several new features that make the upgrade worthwhile. The following summarises the most important improvements.
Anyone who has used the “memberOf” overlay in a replication setup with several providers will surely have stumbled over the developers’ statement that the overlay is not recommended for such environments. It has been replaced by “dynlist”, which has also existed for quite a while but has now been revised. It is now a fully-fledged replacement, with only minor losses in terms of performance. With “dynlist”, the attribute “memberOf” is no longer replicated; instead, it is recalculated for each request on a provider or read-only replica. Consequently, the problems during replication of operational attributes no longer occur.
Moreover, the performance of the MDB was further improved. Via a configuration parameter (multival), it is possible to define, for example, attributes whose values are moved into a separate table structure of the MDB once an attribute reaches a preconfigured number of values. As a result, writing speed is increased and fragmentation of the main table is reduced.
For effective load balancing across multiple replicas, version 2.5 comes with an overlay that is an actual load balancer on the protocol level. This way, the load is balanced not only on the connection level but also on the operation level. Thus it is possible to spread multiple complex search requests from a single client across multiple servers. The load balancer can also be started as a daemon instead of as an overlay.
Overall, switching from 2.4 to 2.5 or 2.6 comes with a manageable workload. Only if you use overlays such as “lastbind”, “ppolicy”, or “memberOf” might it be necessary to invest more time. The fact that the repositories for common Linux distributions are provided directly by Symas makes the switch easier and leads to more independence from certain distributions.
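A pre-migration check for the overlays named above, as an added example (not code from DAASI International or Symas): it scans a cn=config export, as produced by `slapcat -n 0`, and reports which database each flagged overlay is attached to. The sample LDIF is constructed, the function names are hypothetical, and base64-encoded (`attr:: value`) lines are not decoded.

```python
import re

# Overlays the article names as potentially needing extra migration effort.
FLAGGED = {"memberof", "lastbind", "ppolicy"}

# Constructed sample of a cn=config export; not taken from a real server.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=org

dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}memberof

dn: olcOverlay={1}syncprov,olcDatabase={1}mdb,cn=config
olcOverlay: {1}syncprov

""" + "dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=co\n nfig\nolcOverlay: {2}ppolicy\n"
# The last entry's DN is folded across two lines, as slapcat does for long lines.

def unfold(ldif):
    """Join LDIF continuation lines (RFC 2849: newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def flagged_overlays(ldif):
    """Return sorted (database DN, overlay name) pairs for overlays in FLAGGED."""
    hits = []
    for entry in re.split(r"\n\s*\n", unfold(ldif).strip()):
        attrs = {}
        for line in entry.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and anything that is not attr: value
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        for value in attrs.get("olcoverlay", []):
            name = re.sub(r"^\{\d+\}", "", value).lower()  # drop {n} ordering prefix
            if name in FLAGGED and "dn" in attrs:
                # The overlay entry's parent DN is the database it is attached to.
                parent = attrs["dn"][0].split(",", 1)[1]
                hits.append((parent, name))
    return sorted(hits)

if __name__ == "__main__":
    for db, overlay in flagged_overlays(SAMPLE_LDIF):
        print(f"{db}: overlay '{overlay}' needs review before leaving 2.4")
```
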
Naturally, DAASI International is happy to advise you further on OpenLDAP migrations. Feel free to reach out to us.