Bug 43515 - Enable "database config" for dynamic slapd configuration without restart
Enable "database config" for dynamic slapd configuration without restart
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.1
Other Linux
: P5 enhancement with 2 votes
: UCS 4.3-3-errata
Assigned To: Arvid Requate
Felix Botner
http://www.zytrax.com/books/ldap/ch6/...
Depends on: 16639
Blocks: 41837
Reported: 2017-02-08 12:47 CET by Philipp Hahn
Modified: 2019-02-13 13:27 CET (History)
4 users

See Also:
What kind of report is it?: Feature Request


Attachments

Description Philipp Hahn univentionstaff 2017-02-08 12:47:10 CET
We should add
  database        config
  rootdn "cn=admin,cn=config"
  #rootpw SECRET
  access to *
   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage 
   by * break
to /etc/ldap/slapd.conf to enable the OpenLDAP configdb. This can be used to configure OpenLDAP on-the-fly, for example changing the debug level without restarting the slapd:

 ldapsearch -LLLo ldif-wrap=no -b cn=config -H ldapi:// -Y EXTERNAL -s base olcLogLevel
to read the current debug level

For editing:
ldapmodify -H ldapi:// -Y EXTERNAL <<__LDIF__
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: Conns
olcLogLevel: Stats
__LDIF__


To create said config:

#!/bin/sh
UCR='/etc/univention/templates'
CONF='/etc/ldap/slapd.conf'
TMPL="${CONF#/}.d/39configdb"
cat >"$UCR/files/$TMPL" <<__CONF__
database config
rootdn "cn=admin,cn=config
# rootpw SECRET
access to *
   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage 
   by * break
__CONF__
printf "Type: subfile\nMultifile: ${CONF#/}\nSubfile: ${TMPL}" >"$UCR/info/openldap-configdb.info"
ucr register openldap-configdb
service slapd restart
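An added check, not part of this bug report or of univention-ldap, that lints the cn=config stanza proposed above: it folds slapd.conf continuation lines, then flags an uncommented rootpw or any manage/write grant to an identity other than the local-root peercred DN used here. Both sample configs are constructed for the example.

```python
import re

# Constructed sample: the stanza proposed in this bug (rootpw commented out).
SAMPLE_CONF = """\
database        config
rootdn "cn=admin,cn=config"
#rootpw SECRET
access to *
   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
   by * break
"""

# Constructed weak variant: password-based rootdn and manage for everyone.
WEAK_CONF = """\
database config
rootdn "cn=admin,cn=config"
rootpw SECRET
access to *
   by * manage
"""

# Identity slapd maps local root to over ldapi:// with SASL EXTERNAL.
PEERCRED_ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def config_db_stanza(conf):
    """Return the directive lines of the 'database config' section, with
    slapd.conf continuation lines (leading whitespace) folded into the
    directive they belong to."""
    lines, in_stanza = [], False
    for raw in conf.splitlines():
        if raw[:1].isspace():               # continuation line
            if in_stanza and lines:
                lines[-1] += " " + raw.strip()
            continue
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment
            continue
        parts = line.split()
        if parts[0] == "database":           # a new database section starts
            in_stanza = len(parts) > 1 and parts[1] == "config"
            continue
        if in_stanza:
            lines.append(line)
    return lines


def check_config_db(conf):
    """Return findings for the cn=config stanza; an empty list means it has
    the hardened shape: no rootpw, manage only for local root via peercred."""
    stanza = config_db_stanza(conf)
    if not stanza:
        return ["no 'database config' section: cn=config is not exposed"]
    findings = []
    if any(l.split()[0] == "rootpw" for l in stanza):
        findings.append("rootpw set on cn=config: password grants manage access")
    for l in stanza:
        if not l.startswith("access to"):
            continue
        for who, level in re.findall(r"\bby\s+(\S+)\s+(\S+)", l):
            if level in ("manage", "write") and who != "dn.exact=" + PEERCRED_ROOT:
                findings.append(f"{level} access on cn=config granted to {who}")
    return findings
```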
Comment 1 Philipp Hahn univentionstaff 2018-08-23 15:29:51 CEST
(In reply to Philipp Hahn from comment #0)
> To create said config:

Fix missing " in 'rootdn':

#!/bin/sh
UCR='/etc/univention/templates'
CONF='/etc/ldap/slapd.conf'
TMPL="${CONF#/}.d/39configdb"
cat >"$UCR/files/$TMPL" <<__CONF__
database config
rootdn "cn=admin,cn=config"
# rootpw SECRET
access to *
   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
   by * break
__CONF__
printf "Type: subfile\nMultifile: ${CONF#/}\nSubfile: ${TMPL}" >"$UCR/info/openldap-configdb.info"
ucr register openldap-configdb
service slapd restart
Comment 2 Julia Bremer univentionstaff 2018-12-14 13:22:40 CET
Successful build
Package: univention-ldap
Version: 14.0.2-32A~4.3.0.201812141257
Branch: ucs_4.3-0
Scope: errata4.3-3
User: jbremer

c7b449afe9 Bug #43515: Advisory
43d7af4398 Bug #43515: Enabled database config for OLC in openldap
c351e2d5af Bug #43515: Version bump
c18bc61798 Bug #43515: Enabled database config in slapd.conf

I added the file 39configdb in ./management/univention-ldap/conffiles/etc/ldap/slapd.conf.d to configure database config for simple bind and sasl authentication
Comment 3 Julia Bremer univentionstaff 2018-12-17 13:23:36 CET
f83057b00c Bug #43515: Advisory
f2836dd99a Bug #43515: Merge branch 'jbremer/bug43515' into 4.3-3
9c49170c43 Bug #43515: Cleanup
39175d0176 Bug #43515: Use ldap/hostdn only if it exists

Successful build
Package: univention-ldap
Version: 14.0.2-33A~4.3.0.201812171224
Branch: ucs_4.3-0
Scope: errata4.3-3
User: jbremer

Only use 'ldap/hostdn' if ucr variable ldap/hostdn is already set.
Comment 4 Dirk Wiesenthal univentionstaff 2018-12-19 09:46:04 CET
The new template breaks slapd.conf:

ucr commit /etc/ldap/slapd.conf
Multifile: /etc/ldap/slapd.conf
  File "<stdin>", line 8
    if %(ldap/hostdn)s % configRegistry :
       ^
SyntaxError: invalid syntax
Comment 5 Arvid Requate univentionstaff 2018-12-19 15:48:42 CET
afc70856ed | Allow access to cn=config only via LDAPI for now
631f8782fa | Advisory
Comment 6 Felix Botner univentionstaff 2019-02-05 16:21:15 CET
This is wrong:

grep -r 39configdb *
debian/univention-ldap-client.univention-config-registry:Subfile: etc/ldap/slapd.conf.d/39configdb

This is a template for the slapd -> univention-ldap-server, so add the subfile to debian/univention-ldap-client.univention-config-registry
Comment 7 Arvid Requate univentionstaff 2019-02-05 17:13:42 CET
1381c41143 | moved to univention-ldap-server
d0ddcd5e32 | Advisory

2085a7edf2 | merge to 4.4-0
Comment 8 Felix Botner univentionstaff 2019-02-05 18:22:36 CET
OK - univention-ldap
OK - yaml
OK - 4.4
Comment 9 Erik Damrose univentionstaff 2019-02-13 13:27:20 CET
<http://errata.software-univention.de/ucs/4.3/426.html>