S 4.390 Secure updating of OpenLDAP

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

OpenLDAP is continuously developed further by the OpenLDAP developers. It is therefore useful, and in the event of software vulnerabilities even necessary, to replace the existing OpenLDAP installation with a newer version.

Monitoring new versions

Using the "openldap-announce" mailing list (http://www.openldap.org/lists/openldap-announce), the OpenLDAP developers provide information on all new releases and on changes to the stable release (release notes). Administrators should subscribe to this mailing list and read the messages carefully. Unless security vulnerabilities are reported or a new release introduces a function valuable to the user, there is no need to install newly published releases promptly. If a version newer than the one in use is declared a stable release, it is recommended to schedule the OpenLDAP update for the next maintenance window. In the event of security-relevant changes, for example fixed vulnerabilities, OpenLDAP must be updated as quickly as possible.

If the existing OpenLDAP installation is to be updated, all relevant release notes must be checked to identify any changes affecting the existing OpenLDAP installation. Relevant here are not only the release notes directly associated with the planned version, but also those of all versions published between the version in use and the planned version. Particular attention is to be paid to whether changes relate to the backends or overlays in use or to software dependencies. If this is the case, the OpenLDAP planning must be updated (see S 2.484 Planning OpenLDAP).

Performing the update

As part of the preparation, the installation packages for the planned OpenLDAP version must be downloaded and checked (see S 4.382 Selecting and checking the OpenLDAP installation packages). If binary packages of a distributor are used, the distributor may also provide dedicated update packages. Prior to the update, the slapd server must be stopped and a current data backup of the existing directory carried out (see S 6.150 Data backup when using OpenLDAP). After that, the new OpenLDAP version must be installed (see S 4.383 Secure installation of OpenLDAP). The new version can be installed in a new target directory so that it remains possible to return to the previously used version. The newly installed software must then be configured; this is generally accomplished by adopting the previous configuration from the data backup. After that, the configuration must be tested using "slaptest" and the access rights checked using "slapacl" before the slapd server is restarted.
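The backup and post-update checks described above, as an added shell example that is not part of this safeguard: it assumes a systemd-managed slapd, a cn=config configuration in CONF_DIR, and placeholder suffix and admin DNs, all of which must be adjusted to the actual installation.

```shell
# Added example (not from S 4.390): helpers for the backup and post-update
# checks above. Assumes systemd-managed slapd, cn=config in CONF_DIR and
# placeholder DNs; adjust to your installation.
set -eu
CONF_DIR="${CONF_DIR:-/etc/ldap/slapd.d}"           # assumed config directory
BACKUP_DIR="${BACKUP_DIR:-/var/backups/openldap}"    # assumed backup location
BASE_DN="${BASE_DN:-dc=example,dc=org}"              # placeholder suffix
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=org}"   # placeholder admin DN
# True if slapacl reports the requested access as ALLOWED for these arguments.
acl_allows() {
    slapacl -F "$CONF_DIR" "$@" 2>&1 | grep -q ': ALLOWED'
}

# Step 1: stop slapd, export cn=config (-n 0) and the first database (-n 1)
# to LDIF so the old state can be restored if the update must be rolled back.
backup_directory() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    systemctl stop slapd
    slapcat -F "$CONF_DIR" -n 0 -l "$BACKUP_DIR/config-$stamp.ldif"
    slapcat -F "$CONF_DIR" -n 1 -l "$BACKUP_DIR/data-$stamp.ldif"
}

# Step 2: once the new version is installed and the saved configuration is
# back in place, check that it parses (slaptest) and that the ACLs still
# behave as intended (slapacl). Fails on the first problem found.
verify_configuration() {
    slaptest -F "$CONF_DIR" -u || return 1
    # The admin DN must still be able to write the suffix entry ...
    acl_allows -D "$ADMIN_DN" -b "$BASE_DN" "entry/write" || return 1
    # ... and an anonymous bind must not be able to read userPassword.
    if acl_allows -b "$BASE_DN" "userPassword/read"; then
        echo "anonymous read of userPassword is permitted" >&2
        return 1
    fi
}
# Step 3: start slapd again only when every check passed.
restart_if_verified() {
    if verify_configuration; then
        systemctl start slapd
    else
        echo "checks failed; slapd stays stopped" >&2
        return 1
    fi
}
# Usage: sh ldap-update.sh backup | verify (no side effects when sourced).
case "${1:-}" in
    backup) backup_directory ;;
    verify) restart_if_verified ;;
esac
```

The two slapacl checks are only a starting point; the set of DN and attribute combinations to verify should reflect the access rules that the installation actually relies on.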

The following aspects must be taken into account within the framework of the OpenLDAP update:

Review questions: