From c1f7e9b2a1ab7f73f23b3cf8b3db933cc53193a7 Mon Sep 17 00:00:00 2001 From: Gavin Henry Date: Sat, 25 Aug 2007 22:44:07 +0000 Subject: [PATCH] Complete (at least until 2.4 final) changes section and updated wordslist. --- doc/guide/admin/appendix-changes.sdf | 153 +++++++++++++++++++++++++-- doc/guide/admin/aspell.en.pws | 128 +++++++++++----------- 2 files changed, 213 insertions(+), 68 deletions(-) diff --git a/doc/guide/admin/appendix-changes.sdf b/doc/guide/admin/appendix-changes.sdf index a78e3d6beb..e7e4f9b058 100644 --- a/doc/guide/admin/appendix-changes.sdf +++ b/doc/guide/admin/appendix-changes.sdf 
@@ -4,25 +4,157 @@ H1: Changes Since Previous Release -Nice intro here to praise everyones hard work! +The following sections attempt to summarize the new features and changes in OpenLDAP +software since the 2.3.x release and the OpenLDAP Admin Guide. H2: New Guide Sections -* Overlays -* Backends -* Tuning -* complete later......... +In order to make the Admin Guide more thorough and cover the majority of questions +asked on the OpenLDAP mailing lists and scenarios discussed there, we have added the following new sections: -H2: New Features in 2.4 +* {{SECT:When should I use LDAP?}} +* {{SECT:When should I not use LDAP?}} +* {{SECT:LDAP vs RDBMS}} +* {{SECT:Backends}} +* {{SECT:Overlays}} +* {{SECT:Replication}} +* {{SECT:Maintenance}} +* {{SECT:Monitoring}} +* {{SECT:Tuning}} +* {{SECT:Troubleshooting}} +* {{SECT:Changes Since Previous Release}} +* {{SECT:Configuration File Examples}} +* {{SECT:Glossary}} -Another nice intro here +Also, the table of contents is now 3 levels deep to ease navigation. -H3: More overlays + +H2: New Features and Enhancements in 2.4 + +H3: Better {{B:cn=config}} functionality + +There is a new slapd-config(5) manpage for the {{B:cn=config}} backend. The +original design called for auto-renaming of config entries when you insert or +delete entries with ordered names, but that was not implemented in 2.3. It is +now in 2.4. This means, e.g., if you have + +> olcDatabase={1}bdb,cn=config +> olcSuffix: dc=example,dc=com + +and you want to add a new subordinate, now you can ldapadd: + +> olcDatabase={1}bdb,cn=config +> olcSuffix: dc=foo,dc=example,dc=com + +This will insert a new BDB database in slot 1 and bump all following databases + down one, so the original BDB database will now be named: + +> olcDatabase={2}bdb,cn=config +> olcSuffix: dc=example,dc=com + +H3: Better {{B:cn=schema}} functionality + +In 2.3 you were only able to add new schema elements, not delete or modify +existing elements. In 2.4 you can modify schema at will. 
(Except for the +hardcoded system schema, of course.) + +H3: More sophisticated Syncrepl configurations + +The original implementation of Syncrepl in OpenLDAP 2.2 was intended to support +multiple consumers within the same database, but that feature never worked and +was removed from OpenLDAP 2.3; you could only configure a single consumer in +any database. + +In 2.4 you can configure multiple consumers in a single database. The configuration +possibilities here are quite complex and numerous. You can configure consumers +over arbitrary subtrees of a database (disjoint or overlapping). Any portion +of the database may in turn be provided to other consumers using the Syncprov +overlay. The Syncprov overlay works with any number of consumers over a single +database or over arbitrarily many glued databases. + +H3: N-Way Multimaster Replication + +As a consequence of the work to support multiple consumer contexts, the syncrepl +system now supports full N-Way multimaster replication with entry-level conflict +resolution. There are some important constraints, of course: In order to maintain +consistent results across all servers, you must maintain tightly synchronized +clocks across all participating servers (e.g., you must use NTP on all servers). + +The entryCSNs used for replication now record timestamps with microsecond resolution, +instead of just seconds. The delta-syncrepl code has not been updated to support +multimaster usage yet, that will come later in the 2.4 cycle. + +H3: Replicating {{slapd}} Configuration (syncrepl and {{B:cn=config}}) + +Syncrepl was explicitly disabled on cn=config in 2.3. It is now fully supported +in 2.4; you can use syncrepl to replicate an entire server configuration from +one server to arbitrarily many other servers. It's possible to clone an entire +running slapd using just a small (less than 10 lines) seed configuration, or +you can just replicate the schema subtrees, etc. 
Tests 049 and 050 in the test +suite provide working examples of these capabilities. + + +H3: Push-Mode Replication + +In 2.3 you could configure syncrepl as a full push-mode replicator by using it +in conjunction with a back-ldap pointed at the target server. But because the +back-ldap database needs to have a suffix corresponding to the target's suffix, +you could only configure one instance per slapd. + +In 2.4 you can define a database to be "hidden", which means that its suffix is +ignored when checking for name collisions, and the database will never be used +to answer requests received by the frontend. Using this "hidden" database feature +allows you to configure multiple databases with the same suffix, allowing you to +set up multiple back-ldap instances for pushing replication of a single database +to multiple targets. There may be other uses for hidden databases as well (e.g., +using a syncrepl consumer to maintain a *local* mirror of a database on a separate filesystem). + + +H3: More extensive TLS configuration control + +In 2.3, the TLS configuration in slapd was only used by the slapd listeners. For +outbound connections used by e.g. back-ldap or syncrepl their TLS parameters came +from the system's ldap.conf file. + +In 2.4 all of these sessions inherit their settings from the main slapd configuration, +but settings can be individually overridden on a per-config-item basis. This is +particularly helpful if you use certificate-based authentication and need to use a +different client certificate for different destinations. + + +H3: Performance enhancements + +Too many to list. Some notable changes - ldapadd used to be a couple of orders +of magnitude slower than "slapadd -q". It's now at worst only about half the +speed of slapadd -q. Some comparisons of all the 2.x OpenLDAP releases are available +at {{URL:http://www.highlandsun.com/hyc/scale2007.pdf}} + +That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD). 
Toward the latter end +of the "Cached Search Performance" chart it gets hard to see the difference +because the run times are so small, but the new code is about 25% faster than 2.3, +which was about 20% faster than 2.2, which was about 100% faster than 2.1, which +was about 100% faster than 2.0, in that particular search scenario. That test +basically searched a 1.3GB DB of 380836 entries (all in the slapd entry cache) +in under 1 second. i.e., on a 2.4GHz CPU with DDR400 ECC/Registered RAM we can +search over 500 thousand entries per second. The search was on an unindexed +attribute using a filter that would not match any entry, forcing slapd to examine +every entry in the DB, testing the filter for a match. + +Essentially the slapd entry cache in back-bdb/back-hdb is so efficient the search +processing time is almost invisible; the runtime is limited only by the memory +bandwidth of the machine. (The search data rate corresponds to about 3.5GB/sec; +the memory bandwidth on the machine is only about 4GB/sec due to ECC and register latency.) + +No other Directory Server in the world is this fast or this efficient. Couple +that with the scalability, manageability, flexibility, and just the sheer +know-how behind this software, and nothing else is even remotely comparable. + +H3: New overlays * slapo-dds (Dynamic Directory Services, RFC 2589) * slapo-memberof (reverse group membership maintenance) -H3: New features in existing ones +H3: New features in existing Overlays * slapo-pcache allows cache inspection/maintenance/hot restart * slapo-rwm can safely interoperate with other overlays @@ -52,3 +184,6 @@ H3: New build options H2: Obsolete Features in 2.4 H3: Slurpd + +Please read the {{SECT:Replication}} section as to why this is no longer in +OpenLDAP diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws index a35336ce7a..5722d18c6f 100644 --- a/doc/guide/admin/aspell.en.pws +++ b/doc/guide/admin/aspell.en.pws 
@@ -1,4 +1,4 @@ -personal_ws-1.1 en 1394 +personal_ws-1.1 en 1404 nattrsets inappropriateAuthentication api @@ -8,8 +8,8 @@ reqEnd olcOverlayConfig shoesize olcTLSCACertificateFile -CGI cdx +CGI DCE DAP attributename @@ -20,8 +20,8 @@ kurt authzID authzid authzId -DAs ddd +DAs userApplications BNF attrs @@ -32,14 +32,16 @@ ldapport hallvard ASN acknowledgements -Chu ava +Chu monitorCounter del +DDR testObject OrgPerson IGJlZ olcUpdateref +ECC deleteDN cli ltdl @@ -82,13 +84,13 @@ olcModulePath maxentries authc seeAlso -searchbase searchBase +searchbase realnamingcontext -dn's -DNs -DN's dns +DN's +DNs +dn's dereference sortKey authzTo @@ -153,8 +155,8 @@ INADDR compareDN sizelimit unixODBC -APIs blen +APIs attrsOnly attrsonly slappasswd @@ -231,8 +233,8 @@ pwdExpireWarning localstatedir sockbuf PENs -ipv IPv +ipv ghenry hyc multimaster @@ -265,8 +267,8 @@ intermediateResponse myOID structuralObjectClass integerMatch -openldap OpenLDAP +openldap moddn rewriteEngine AVAs @@ -274,8 +276,8 @@ accesslog searchDN reqOld MDn -TLSCACertificateFile aspell +TLSCACertificateFile mem peername syncUUIDs @@ -285,8 +287,8 @@ bool logins jts memberAttr -newpasswdfile newPasswdFile +newpasswdfile ucdata LLL confdir @@ -313,8 +315,8 @@ caseExactMatch olcSizeLimit Bourne attr -objectidentifier objectIdentifier +objectidentifier refint msgtype OBJEXT @@ -364,8 +366,8 @@ Autoconf alloc PDU OLF -inetorgperson inetOrgPerson +inetorgperson deleteoldrdn monitorCounterObject pid @@ -379,6 +381,7 @@ xeXBkeFxlZ accessor's extendedop ple +NTP reqSizeLimit ORed NUL @@ -421,9 +424,9 @@ OTP entrylimit attrdescN logold -pos -sbi PRD +sbi +pos reqEntries pre bvals @@ -438,6 +441,7 @@ referralDN sed statslog perror +ldapexop bvecadd distributedOperation sel @@ -474,8 +478,8 @@ typedef olcDbIDLcacheSize ostring mwrscdx -SMD UCD +SMD cancelled crit lucyB @@ -486,8 +490,8 @@ TGT modulepath quickstart mySNMP -tgz UDP +tgz RDBMs rdbms Matic 
@@ -506,9 +510,9 @@ olcDbConfig refreshDone ssf replogfile -rwm -TOC vec +TOC +rwm LDAPDN compareAttrDN endmacro @@ -516,15 +520,15 @@ tls repl monitoringslapd referralsp -tmp SRP +tmp olcDbNosync conns SSL PDkzODdASFxOQ SRV -rwx sss +rwx deallocators Contribware URLlist @@ -638,11 +642,11 @@ groupstyle ldapsearch cp displayName -eg bv +eg olcBackendConfig -dn fd +dn LDAPSync fG fi @@ -724,8 +728,8 @@ sn ru UG ss -su TP +su reqMethod XLIBS PhotoObject @@ -742,8 +746,8 @@ xf param MChAODQ caseExactIA -Vu Za +Vu idlecachesize ws errSleepTime @@ -762,6 +766,7 @@ subord reqVersion errp ZZ +entryCSNs dlopen continuated newSuperior @@ -781,6 +786,7 @@ fqdn authPassword LDAPMatchingRule olcIdleTimeout +treedelete auditAdd reqSession derated @@ -834,6 +840,7 @@ ldapmodrdn ldapbis attributeoptions serverID +memberof pseudorootpw CFLAGS substr @@ -850,8 +857,8 @@ modifyAttrDN dcedn olcOverlay exop -berelement BerElement +berelement olcRootDN octetString SampleLDAP @@ -860,10 +867,11 @@ PostgreSQL bvstr filesystem pathtest -objectClass objectclass +objectClass submatches newrdn +armijo addBlanks reqMessage exts @@ -874,8 +882,8 @@ modifyDN syncuser Masarati LDAPSyntax -oldpasswdfile oldPasswdFile +oldpasswdfile reqDN SSFs ietf @@ -897,8 +905,8 @@ reqId setspec scanf TLSv -distinguishedname distinguishedName +distinguishedname BerVarray caseIgnoreSubstrin ldapwhoami @@ -925,10 +933,11 @@ slaptest zeilenga WebUpdate numericoid -changelog ChangeLog +changelog creatorsName ascii +wahl uniqueMember slapcat lwrap @@ -952,10 +961,10 @@ schemadir attribute's extern varchar -olcDbCacheSize olcDbCachesize -authcid +olcDbCacheSize authcID +authcid POSIX hnPk ldapext @@ -974,8 +983,8 @@ reqStart sasldb somevalue LIBRELEASE -starttls StartTLS +starttls LDAPSchemaExtensionItem reqReferral shtool @@ -986,8 +995,8 @@ portnumber subjectAltName errObject valsort -bervals berval's +bervals derefFindingBaseObj checkpointed keytab 
@@ -1008,8 +1017,8 @@ README memcalloc inet saslargs -givenname givenName +givenname olcDbMode pidfile olcLimits @@ -1017,8 +1026,8 @@ memvfree tuple superset directoryString -proxyTemplate proxytemplate +proxyTemplate wildcards monitoredObject TTLs @@ -1031,8 +1040,8 @@ bvalues reqResult impl outvalue -returnCode returncode +returnCode attributeDescription attrval dnssrv @@ -1054,20 +1063,20 @@ uncached ldapapiinfo groupOfUniqueNames dhparam -slapd's slapds +slapd's inputfile RDBMSes wildcard Locator -errAbsObject errABsObject +errAbsObject SASL's html searchResultDone olcBdbConfig -ldapmod LDAPMod +ldapmod olcHidden userPassword TLSRandFile @@ -1094,10 +1103,10 @@ cacertdir queryid Warper XDEFS -urls URL's -postalAddress +urls postaladdress +postalAddress passwd plugins george @@ -1111,16 +1120,16 @@ ursula LDAPModifying slapdconfig dnSubtreeMatch -olcSaslSecProps olcSaslSecprops +olcSaslSecProps auditModify groupOfNames jensen reloadHint prepending olcGlobal -matchingRule matchingrule +matchingRule SmVuc MSSQL hostnames @@ -1134,9 +1143,9 @@ whsp realusers dnstyle suffixalias -proxyAttrset -proxyAttrSet proxyattrset +proxyAttrSet +proxyAttrset pwdMustChange ldif bvfree @@ -1147,8 +1156,8 @@ pwdAttribute PRNGD LDAPRDN entryUUIDs -proxycache proxyCache +proxycache SERATGCgaGBYWGDEjJR noanonymous accessee @@ -1200,8 +1209,8 @@ passwdfile errMatchedDN everytime mkdep -olcDbindex olcDbIndex +olcDbindex syntaxOID reqData databasetype @@ -1248,8 +1257,8 @@ bitstring ACLs berptr olcModuleLoad -attributetype attributeType +attributetype auditModRDN cacert freebuf @@ -1299,22 +1308,23 @@ preallocated syntaxes memberURL monitorRuntimeConfig -bindDn -bindDN binddn +bindDN +bindDn methodp timelimitExceeded pwdInHistory LTSTATIC -requestors requestor's +requestors LDAPCONF saslauthd MKDEPFLAG gecos entryUUID -gnutls +GnuTLS GNUtls +gnutls postread timeval DHAVE 
@@ -1335,8 +1345,8 @@ entryTtl LDAPControl pwdMinLength ldapcompare -readonly readOnly +readonly RANDFILE attrlist aci @@ -1360,8 +1370,8 @@ userid Kumar AES bdb -manageDSAit ManageDsaIT +manageDSAit bindpw monitorContainer pEntry @@ -1372,8 +1382,8 @@ objectIdentifierMatch Blowfish mkln numericStringSubstringsMatch -openssl OpenSSL +openssl ModName cacheable freeit @@ -1382,8 +1392,8 @@ ber ali mandir changetype -CAs CA's +CAs typeA bvecfree ODBC -- 2.39.5
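Review bot: In the first doc/guide/admin/appendix-changes.sdf hunk, the section "Replicating slapd Configuration (syncrepl and cn=config)" tells the reader that an entire running slapd can be cloned from a seed configuration of less than 10 lines, but it does not say how that replication session should be authenticated or protected, and its only pointer is to tests 049 and 050. The "More extensive TLS configuration control" section added further down in the same hunk covers exactly these outbound syncrepl connections, so a SECT cross-reference between the two would close the gap. That TLS section should also name the settings that can be overridden per config item rather than describing them only in general terms. Smaller points in the same hunk: the cn=config example lines are DNs with no "dn:" prefix, and the existing entry and the entry to add are both shown as "olcDatabase={1}bdb,cn=config", so only the prose tells them apart; "That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD)." has a closing parenthesis with no opening one; and "No other Directory Server in the world is this fast or this efficient" is not supported by the cited benchmark, which the text itself describes as a comparison of the 2.x OpenLDAP releases.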
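Review bot: In the second appendix-changes.sdf hunk (@@ -52,3 +184,6 @@), the text added under "H3: Slurpd" never states that slurpd has been removed. It only says "Please read the {{SECT:Replication}} section as to why this is no longer in OpenLDAP", so a reader scanning "Obsolete Features in 2.4" has to follow the link to learn what changed. Suggest opening with one sentence that says slurpd is no longer part of the release and then giving the reference. The added sentence is also missing its final full stop.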
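Review bot: In doc/guide/admin/aspell.en.pws, starting at the header hunk (@@ -1,4 +1,4 @@), almost all of the 128 changed lines in the diffstat are swaps of neighbouring entries (for example "-CGI cdx +CGI" and "-Chu ava +Chu"), which buries the real additions. Going through the "+" lines, the new words are DDR, ECC, NTP, ldapexop, entryCSNs, treedelete, memberof, armijo, wahl and GnuTLS. That is ten, which matches the header change from 1394 to 1404. If the reordering is tool output, say so in the commit message or commit it separately so that the next wordlist diff is reviewable. ldapexop, treedelete, armijo and wahl do not occur in the appendix-changes.sdf text of this patch, so it would help to note which guide sections they come from.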
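Review bot: In the aspell.en.pws hunk at @@ -1299,22 +1308,23 @@, the change "-gnutls +GnuTLS GNUtls +gnutls" leaves three spellings of the same name in the personal wordlist (GnuTLS, GNUtls and gnutls), so the spell check will accept any of them and cannot catch inconsistent capitalisation in the guide. The same applies to the other case-variant groups this patch reorders, such as "binddn", "bindDN" and "bindDn". Suggest keeping the lowercase form only where it is a literal identifier (a command, library or configuration keyword) and otherwise keeping one canonical spelling of each name.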