Commit c1f7e9b2 authored by Gavin Henry

Complete (at least until 2.4 final) changes section and updated wordslist.

parent 2580f86d
......@@ -4,25 +4,157 @@
H1: Changes Since Previous Release
Nice intro here to praise everyones hard work!
The following sections attempt to summarize the new features and changes in OpenLDAP
software since the 2.3.x release and the OpenLDAP Admin Guide.
H2: New Guide Sections
* Overlays
* Backends
* Tuning
* complete later.........
In order to make the Admin Guide more thorough and cover the majority of questions
asked on the OpenLDAP mailing lists and scenarios discussed there, we have added the following new sections:
H2: New Features in 2.4
* {{SECT:When should I use LDAP?}}
* {{SECT:When should I not use LDAP?}}
* {{SECT:LDAP vs RDBMS}}
* {{SECT:Backends}}
* {{SECT:Overlays}}
* {{SECT:Replication}}
* {{SECT:Maintenance}}
* {{SECT:Monitoring}}
* {{SECT:Tuning}}
* {{SECT:Troubleshooting}}
* {{SECT:Changes Since Previous Release}}
* {{SECT:Configuration File Examples}}
* {{SECT:Glossary}}
Another nice intro here
Also, the table of contents is now 3 levels deep to ease navigation.
H3: More overlays
H2: New Features and Enhancements in 2.4
H3: Better {{B:cn=config}} functionality
There is a new slapd-config(5) manpage for the {{B:cn=config}} backend. The
original design called for auto-renaming of config entries when you insert or
delete entries with ordered names, but that was not implemented in 2.3. It is
now in 2.4. This means, e.g., if you have
> olcDatabase={1}bdb,cn=config
> olcSuffix: dc=example,dc=com
and you want to add a new subordinate, now you can ldapadd:
> olcDatabase={1}bdb,cn=config
> olcSuffix: dc=foo,dc=example,dc=com
This will insert a new BDB database in slot 1 and bump all following databases
down one, so the original BDB database will now be named:
> olcDatabase={2}bdb,cn=config
> olcSuffix: dc=example,dc=com
H3: Better {{B:cn=schema}} functionality
In 2.3 you were only able to add new schema elements, not delete or modify
existing elements. In 2.4 you can modify schema at will. (Except for the
hardcoded system schema, of course.)
H3: More sophisticated Syncrepl configurations
The original implementation of Syncrepl in OpenLDAP 2.2 was intended to support
multiple consumers within the same database, but that feature never worked and
was removed from OpenLDAP 2.3; you could only configure a single consumer in
any database.
In 2.4 you can configure multiple consumers in a single database. The configuration
possibilities here are quite complex and numerous. You can configure consumers
over arbitrary subtrees of a database (disjoint or overlapping). Any portion
of the database may in turn be provided to other consumers using the Syncprov
overlay. The Syncprov overlay works with any number of consumers over a single
database or over arbitrarily many glued databases.
H3: N-Way Multimaster Replication
As a consequence of the work to support multiple consumer contexts, the syncrepl
system now supports full N-Way multimaster replication with entry-level conflict
resolution. There are some important constraints, of course: In order to maintain
consistent results across all servers, you must maintain tightly synchronized
clocks across all participating servers (e.g., you must use NTP on all servers).
The entryCSNs used for replication now record timestamps with microsecond resolution,
instead of just seconds. The delta-syncrepl code has not been updated to support
multimaster usage yet, that will come later in the 2.4 cycle.
H3: Replicating {{slapd}} Configuration (syncrepl and {{B:cn=config}})
Syncrepl was explicitly disabled on cn=config in 2.3. It is now fully supported
in 2.4; you can use syncrepl to replicate an entire server configuration from
one server to arbitrarily many other servers. It's possible to clone an entire
running slapd using just a small (less than 10 lines) seed configuration, or
you can just replicate the schema subtrees, etc. Tests 049 and 050 in the test
suite provide working examples of these capabilities.
H3: Push-Mode Replication
In 2.3 you could configure syncrepl as a full push-mode replicator by using it
in conjunction with a back-ldap pointed at the target server. But because the
back-ldap database needs to have a suffix corresponding to the target's suffix,
you could only configure one instance per slapd.
In 2.4 you can define a database to be "hidden", which means that its suffix is
ignored when checking for name collisions, and the database will never be used
to answer requests received by the frontend. Using this "hidden" database feature
allows you to configure multiple databases with the same suffix, allowing you to
set up multiple back-ldap instances for pushing replication of a single database
to multiple targets. There may be other uses for hidden databases as well (e.g.,
using a syncrepl consumer to maintain a *local* mirror of a database on a separate filesystem).
H3: More extensive TLS configuration control
In 2.3, the TLS configuration in slapd was only used by the slapd listeners. For
outbound connections used by e.g. back-ldap or syncrepl their TLS parameters came
from the system's ldap.conf file.
In 2.4 all of these sessions inherit their settings from the main slapd configuration,
but settings can be individually overridden on a per-config-item basis. This is
particularly helpful if you use certificate-based authentication and need to use a
different client certificate for different destinations.
H3: Performance enhancements
Too many to list. Some notable changes - ldapadd used to be a couple of orders
of magnitude slower than "slapadd -q". It's now at worst only about half the
speed of slapadd -q. Some comparisons of all the 2.x OpenLDAP releases are available
at {{URL:http://www.highlandsun.com/hyc/scale2007.pdf}}
That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD). Toward the latter end
of the "Cached Search Performance" chart it gets hard to see the difference
because the run times are so small, but the new code is about 25% faster than 2.3,
which was about 20% faster than 2.2, which was about 100% faster than 2.1, which
was about 100% faster than 2.0, in that particular search scenario. That test
basically searched a 1.3GB DB of 380836 entries (all in the slapd entry cache)
in under 1 second. i.e., on a 2.4GHz CPU with DDR400 ECC/Registered RAM we can
search over 500 thousand entries per second. The search was on an unindexed
attribute using a filter that would not match any entry, forcing slapd to examine
every entry in the DB, testing the filter for a match.
Essentially the slapd entry cache in back-bdb/back-hdb is so efficient the search
processing time is almost invisible; the runtime is limited only by the memory
bandwidth of the machine. (The search data rate corresponds to about 3.5GB/sec;
the memory bandwidth on the machine is only about 4GB/sec due to ECC and register latency.)
No other Directory Server in the world is this fast or this efficient. Couple
that with the scalability, manageability, flexibility, and just the sheer
know-how behind this software, and nothing else is even remotely comparable.
H3: New overlays
* slapo-dds (Dynamic Directory Services, RFC 2589)
* slapo-memberof (reverse group membership maintenance)
H3: New features in existing ones
H3: New features in existing Overlays
* slapo-pcache allows cache inspection/maintenance/hot restart
* slapo-rwm can safely interoperate with other overlays
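Review bot: in the N-Way Multimaster Replication section the clock requirement is stated without its failure mode. The text says conflict resolution depends on "tightly synchronized clocks" and that entryCSNs record timestamps, so it should add one sentence on what an administrator will observe when a server's clock drifts. The same paragraph ends in a comma splice ("... multimaster usage yet, that will come later in the 2.4 cycle."). In Performance enhancements, "That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD)." has a closing parenthesis with no opener, and the paragraph beginning "No other Directory Server in the world is this fast" is an unsupported superlative that reads as advocacy rather than Admin Guide text; I would cut it or tie it explicitly to the cited benchmark. The TLS section says settings "can be individually overridden on a per-config-item basis" but never names where; a pointer to the relevant manpage would make that usable.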
......@@ -52,3 +184,6 @@ H3: New build options
H2: Obsolete Features in 2.4
H3: Slurpd
Please read the {{SECT:Replication}} section as to why this is no longer in
OpenLDAP
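Review bot: the Slurpd entry under Obsolete Features only defers to another section, and its sentence has no closing period ("... as to why this is no longer in" / "OpenLDAP"). Someone upgrading from 2.3 with slurpd configured needs at least one sentence here saying what to migrate to, with the {{SECT:Replication}} link kept for the rationale.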
personal_ws-1.1 en 1394
personal_ws-1.1 en 1404
nattrsets
inappropriateAuthentication
api
......@@ -8,8 +8,8 @@ reqEnd
olcOverlayConfig
shoesize
olcTLSCACertificateFile
CGI
cdx
CGI
DCE
DAP
attributename
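Review bot: this hunk only moves existing entries (CGI changes places with cdx); no word is added or removed, and the same pattern repeats through most of the wordlist hunks. That looks like the spell checker rewriting the file in its own order. Sorting the list before committing, or committing only the genuinely new words, would make the vocabulary this commit actually adds reviewable.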
......@@ -20,8 +20,8 @@ kurt
authzID
authzid
authzId
DAs
ddd
DAs
userApplications
BNF
attrs
......@@ -32,14 +32,16 @@ ldapport
hallvard
ASN
acknowledgements
Chu
ava
Chu
monitorCounter
del
DDR
testObject
OrgPerson
IGJlZ
olcUpdateref
ECC
deleteDN
cli
ltdl
......@@ -82,13 +84,13 @@ olcModulePath
maxentries
authc
seeAlso
searchbase
searchBase
searchbase
realnamingcontext
dn's
DNs
DN's
dns
DN's
DNs
dn's
dereference
sortKey
authzTo
......@@ -153,8 +155,8 @@ INADDR
compareDN
sizelimit
unixODBC
APIs
blen
APIs
attrsOnly
attrsonly
slappasswd
......@@ -231,8 +233,8 @@ pwdExpireWarning
localstatedir
sockbuf
PENs
ipv
IPv
ipv
ghenry
hyc
multimaster
......@@ -265,8 +267,8 @@ intermediateResponse
myOID
structuralObjectClass
integerMatch
openldap
OpenLDAP
openldap
moddn
rewriteEngine
AVAs
......@@ -274,8 +276,8 @@ accesslog
searchDN
reqOld
MDn
TLSCACertificateFile
aspell
TLSCACertificateFile
mem
peername
syncUUIDs
......@@ -285,8 +287,8 @@ bool
logins
jts
memberAttr
newpasswdfile
newPasswdFile
newpasswdfile
ucdata
LLL
confdir
......@@ -313,8 +315,8 @@ caseExactMatch
olcSizeLimit
Bourne
attr
objectidentifier
objectIdentifier
objectidentifier
refint
msgtype
OBJEXT
......@@ -364,8 +366,8 @@ Autoconf
alloc
PDU
OLF
inetorgperson
inetOrgPerson
inetorgperson
deleteoldrdn
monitorCounterObject
pid
......@@ -379,6 +381,7 @@ xeXBkeFxlZ
accessor's
extendedop
ple
NTP
reqSizeLimit
ORed
NUL
......@@ -421,9 +424,9 @@ OTP
entrylimit
attrdescN
logold
pos
sbi
PRD
sbi
pos
reqEntries
pre
bvals
......@@ -438,6 +441,7 @@ referralDN
sed
statslog
perror
ldapexop
bvecadd
distributedOperation
sel
......@@ -474,8 +478,8 @@ typedef
olcDbIDLcacheSize
ostring
mwrscdx
SMD
UCD
SMD
cancelled
crit
lucyB
......@@ -486,8 +490,8 @@ TGT
modulepath
quickstart
mySNMP
tgz
UDP
tgz
RDBMs
rdbms
Matic
......@@ -506,9 +510,9 @@ olcDbConfig
refreshDone
ssf
replogfile
rwm
TOC
vec
TOC
rwm
LDAPDN
compareAttrDN
endmacro
......@@ -516,15 +520,15 @@ tls
repl
monitoringslapd
referralsp
tmp
SRP
tmp
olcDbNosync
conns
SSL
PDkzODdASFxOQ
SRV
rwx
sss
rwx
deallocators
Contribware
URLlist
......@@ -638,11 +642,11 @@ groupstyle
ldapsearch
cp
displayName
eg
bv
eg
olcBackendConfig
dn
fd
dn
LDAPSync
fG
fi
......@@ -724,8 +728,8 @@ sn
ru
UG
ss
su
TP
su
reqMethod
XLIBS
PhotoObject
......@@ -742,8 +746,8 @@ xf
param
MChAODQ
caseExactIA
Vu
Za
Vu
idlecachesize
ws
errSleepTime
......@@ -762,6 +766,7 @@ subord
reqVersion
errp
ZZ
entryCSNs
dlopen
continuated
newSuperior
......@@ -781,6 +786,7 @@ fqdn
authPassword
LDAPMatchingRule
olcIdleTimeout
treedelete
auditAdd
reqSession
derated
......@@ -834,6 +840,7 @@ ldapmodrdn
ldapbis
attributeoptions
serverID
memberof
pseudorootpw
CFLAGS
substr
......@@ -850,8 +857,8 @@ modifyAttrDN
dcedn
olcOverlay
exop
berelement
BerElement
berelement
olcRootDN
octetString
SampleLDAP
......@@ -860,10 +867,11 @@ PostgreSQL
bvstr
filesystem
pathtest
objectClass
objectclass
objectClass
submatches
newrdn
armijo
addBlanks
reqMessage
exts
......@@ -874,8 +882,8 @@ modifyDN
syncuser
Masarati
LDAPSyntax
oldpasswdfile
oldPasswdFile
oldpasswdfile
reqDN
SSFs
ietf
......@@ -897,8 +905,8 @@ reqId
setspec
scanf
TLSv
distinguishedname
distinguishedName
distinguishedname
BerVarray
caseIgnoreSubstrin
ldapwhoami
......@@ -925,10 +933,11 @@ slaptest
zeilenga
WebUpdate
numericoid
changelog
ChangeLog
changelog
creatorsName
ascii
wahl
uniqueMember
slapcat
lwrap
......@@ -952,10 +961,10 @@ schemadir
attribute's
extern
varchar
olcDbCacheSize
olcDbCachesize
authcid
olcDbCacheSize
authcID
authcid
POSIX
hnPk
ldapext
......@@ -974,8 +983,8 @@ reqStart
sasldb
somevalue
LIBRELEASE
starttls
StartTLS
starttls
LDAPSchemaExtensionItem
reqReferral
shtool
......@@ -986,8 +995,8 @@ portnumber
subjectAltName
errObject
valsort
bervals
berval's
bervals
derefFindingBaseObj
checkpointed
keytab
......@@ -1008,8 +1017,8 @@ README
memcalloc
inet
saslargs
givenname
givenName
givenname
olcDbMode
pidfile
olcLimits
......@@ -1017,8 +1026,8 @@ memvfree
tuple
superset
directoryString
proxyTemplate
proxytemplate
proxyTemplate
wildcards
monitoredObject
TTLs
......@@ -1031,8 +1040,8 @@ bvalues
reqResult
impl
outvalue
returnCode
returncode
returnCode
attributeDescription
attrval
dnssrv
......@@ -1054,20 +1063,20 @@ uncached
ldapapiinfo
groupOfUniqueNames
dhparam
slapd's
slapds
slapd's
inputfile
RDBMSes
wildcard
Locator
errAbsObject
errABsObject
errAbsObject
SASL's
html
searchResultDone
olcBdbConfig
ldapmod
LDAPMod
ldapmod
olcHidden
userPassword
TLSRandFile
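Review bot: "errABsObject" sits next to "errAbsObject" in this hunk and looks like a miscapitalized copy of it, and "slapds" sits next to "slapd's". Any spelling kept in the personal word list is accepted by the spell check from then on, so a typo stored here hides the same typo in the guide. Please confirm each variant is a real identifier or intended form and drop the ones that are not.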
......@@ -1094,10 +1103,10 @@ cacertdir
queryid
Warper
XDEFS
urls
URL's
postalAddress
urls
postaladdress
postalAddress
passwd
plugins
george
......@@ -1111,16 +1120,16 @@ ursula
LDAPModifying
slapdconfig
dnSubtreeMatch
olcSaslSecProps
olcSaslSecprops
olcSaslSecProps
auditModify
groupOfNames
jensen
reloadHint
prepending
olcGlobal
matchingRule
matchingrule
matchingRule
SmVuc
MSSQL
hostnames
......@@ -1134,9 +1143,9 @@ whsp
realusers
dnstyle
suffixalias
proxyAttrset
proxyAttrSet
proxyattrset
proxyAttrSet
proxyAttrset
pwdMustChange
ldif
bvfree
......@@ -1147,8 +1156,8 @@ pwdAttribute
PRNGD
LDAPRDN
entryUUIDs
proxycache
proxyCache
proxycache
SERATGCgaGBYWGDEjJR
noanonymous
accessee
......@@ -1200,8 +1209,8 @@ passwdfile
errMatchedDN
everytime
mkdep
olcDbindex
olcDbIndex
olcDbindex
syntaxOID
reqData
databasetype
......@@ -1248,8 +1257,8 @@ bitstring
ACLs
berptr
olcModuleLoad
attributetype
attributeType
attributetype
auditModRDN
cacert
freebuf
......@@ -1299,22 +1308,23 @@ preallocated
syntaxes
memberURL
monitorRuntimeConfig
bindDn
bindDN
binddn
bindDN
bindDn
methodp
timelimitExceeded
pwdInHistory
LTSTATIC
requestors
requestor's
requestors
LDAPCONF
saslauthd
MKDEPFLAG
gecos
entryUUID
gnutls
GnuTLS
GNUtls
gnutls
postread
timeval
DHAVE
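Review bot: this hunk keeps three capitalizations each of the bind DN keyword ("bindDn", "bindDN", "binddn") and of GnuTLS ("gnutls", "GnuTLS", "GNUtls"). With all of them whitelisted, the spell check cannot flag inconsistent capitalization in the guide; "GNUtls" in particular looks like a variant to fix in the text rather than accept. I would keep only the forms the guide intends to use and correct the occurrences of the others.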
......@@ -1335,8 +1345,8 @@ entryTtl
LDAPControl
pwdMinLength
ldapcompare
readonly
readOnly
readonly
RANDFILE
attrlist