##(see the SpecSpec for an explanation)
 * '''Launchpad Entry''': UbuntuSpec:openldap-cnconfig-migration
 * '''Progress''': [[/Status|beta]]

== Summary ==

OpenLDAP version 2.3 introduced a special DIT called cn=config that can be used to replace the slapd.conf file.

## This should provide an overview of the issue/functionality/change proposed here. Focus here on what will actually be DONE, summarising that so that other people don't have to read the whole spec. See also CategorySpec for examples.

== Release Note ==

## This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the release notes of the first release in which it is implemented. (Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)
## It is mandatory.

== Rationale ==

## This should cover the _why_: why is this change being proposed, what justifies it, where we see this justified.

slapd.conf has certain drawbacks:
 * adding schema files or creating new databases requires editing slapd.conf;
 * future versions of OpenLDAP will drop support for slapd.conf.

cn=config enables programmatic access to the slapd configuration, such as loading additional schemas.

== Use Cases ==

 * Chris installs the slapd package and can use the new cn=config tree to manage his LDAP tree using the standard LDAP command-line tools.
 * Don upgrades his LDAP directory and can use LDAP queries and updates to change the ACLs of objects in the directory.
 * Erwan installs an application that uses an LDAP schema. After installing it, the new features are automatically available in the LDAP directory.

== Design ==

## You can have subsections that better describe specific parts of the issue.
The new configuration backend is explained in the OpenLDAP Administrator's Guide: http://www.openldap.org/doc/admin24/slapdconf2.html

== Implementation ==

## This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

=== cn=config migration ===

==== update common functions in slapd.scripts-common to support cn=config ====

slapd.scripts-common has functions that scan and extract information from slapd.conf. These functions should be modified to support cn=config as a backend (instead of slapd.conf). slapd.scripts-common will also be shipped as part of the slapd package, and standalone scripts to perform standard directory configuration actions will be built on it. These scripts can then be used by other packages or people to load schemas, modules, overlays or make any other common configuration modification.

==== new installation ====

New installations will enable cn=config by default. The slapd.scripts-common functions responsible for generating a new configuration will have to be updated to create slapd.d/ and set the correct option in cn=config.

==== upgrades ====

On upgrade, the postinst script will try to convert slapd.conf to cn=config:

 1. Enable the config database using rootdn="cn=admin,cn=config". The password will either be extracted from the existing database or the user will be prompted to enter a new one.
 1. Convert slapd.conf using the slapd -f and -F options.
 1. Rename the old slapd.conf to slapd.conf.bak and update /etc/default/slapd to use the new cn=config backend.

[[http://www.zytrax.com/books/ldap/ch6/slapd-config.html|Chapter 6: OpenLDAP using cn=config - Converting to use cn=config]]

==== rootdn password handling for cn=config ====

The main advantage of migrating to the cn=config backend is being able to modify the slapd configuration dynamically using the ldap{modify,add} utilities and LDIF files.
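The three upgrade steps and the post-migration ldapmodify workflow, as an added shell example. This is not code from the spec or from slapd.scripts-common; it assumes the Debian/Ubuntu layout (/etc/ldap/slapd.conf, /etc/ldap/slapd.d, an /etc/default/slapd file with a SLAPD_CONF= line, slapd running as user openldap) and takes every path as an argument so the steps can be rehearsed on copies before anything under /etc/ldap is touched. The rootpw is always passed in as a hash produced by slappasswd, never as cleartext.

```shell
#!/bin/sh
# Added example; not code from the spec or from slapd.scripts-common.
# Assumed layout: /etc/ldap/slapd.conf, /etc/ldap/slapd.d,
# /etc/default/slapd containing a SLAPD_CONF= line, slapd running as openldap.

CONFIG_ROOTDN="cn=admin,cn=config"

# Step 1: declare the config database in slapd.conf with the default rootdn
# and a hashed rootpw.  $2 must come from `slappasswd -s ...` (e.g. {SSHA}...),
# so the cleartext password never lands in a configuration file.
add_config_database() {   # add_config_database SLAPD_CONF ROOTPW_HASH
    conf=$1 hash=$2
    grep -q '^database[[:space:]][[:space:]]*config' "$conf" && return 0  # idempotent
    printf '\ndatabase config\nrootdn "%s"\nrootpw %s\n' \
        "$CONFIG_ROOTDN" "$hash" >> "$conf"
}

# Step 2: convert slapd.conf into the slapd.d/ directory.  slaptest takes the
# same -f/-F pair as slapd and exits non-zero when the file does not parse,
# which is the check to make before renaming anything.
convert_slapd_conf() {    # convert_slapd_conf SLAPD_CONF SLAPD_D
    conf=$1 dir=$2
    mkdir -p "$dir" || return 1
    slaptest -f "$conf" -F "$dir" || return 1
    # cn=config now carries olcRootPW; keep it readable by slapd only.
    chown -R openldap:openldap "$dir" && chmod 750 "$dir"
}

# Step 3: retire slapd.conf and point /etc/default/slapd at slapd.d/.
switch_to_cn_config() {   # switch_to_cn_config SLAPD_CONF SLAPD_D DEFAULT_FILE
    conf=$1 dir=$2 def=$3
    mv "$conf" "$conf.bak" || return 1
    if grep -q '^SLAPD_CONF=' "$def"; then
        sed "s|^SLAPD_CONF=.*|SLAPD_CONF=$dir|" "$def" > "$def.tmp" && mv "$def.tmp" "$def"
    else
        echo "SLAPD_CONF=$dir" >> "$def"
    fi
}

# After migration the configuration is changed over LDAP instead of by
# editing files.  This emits the LDIF that rotates the cn=config rootpw
# (again a slappasswd hash); the config database is olcDatabase={0}config.
rootpw_rotation_ldif() {  # rootpw_rotation_ldif NEW_HASH
    printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1"
}

# Feeds LDIF on stdin to ldapmodify, binding as cn=admin,cn=config over the
# local ldapi socket; -W prompts for the current rootpw instead of taking it
# on the command line (where it would show up in the process list).
run_ldapmodify() {        # rootpw_rotation_ldif "$NEW_HASH" | run_ldapmodify
    ldapmodify -x -H ldapi:/// -D "$CONFIG_ROOTDN" -W
}
```

Usage on a real host, as root: `add_config_database /etc/ldap/slapd.conf "$(slappasswd)"`, then `convert_slapd_conf /etc/ldap/slapd.conf /etc/ldap/slapd.d`, and only if that succeeds `switch_to_cn_config /etc/ldap/slapd.conf /etc/ldap/slapd.d /etc/default/slapd` followed by a slapd restart. Keeping the conversion and the rename as separate steps means a slapd.conf that slaptest rejects leaves the old setup untouched.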
In order to access the cn=config tree, the ldap* commands have to be authenticated and authorized by slapd, so cn=config needs to have a rootdn and a rootpw set. The following rootdn will be used by default: cn=admin,cn=config. The corresponding rootpw will be asked for on upgrade. New installations will use the same rootpw as the one asked for during the installation of the first database. The slap* utilities ask for the rootdn password whenever they need to make a change to the slapd configuration.

Here is an overview of the upgrade logic:

{{attachment:SlapdUpgradeProcedure.png}}

== Outstanding Issues ==

## This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

== BoF agenda and discussion ==

## Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.

----
CategorySpec