How do I clone an OpenLDAP database

Question

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:

I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.

What files would I need to copy over? I believe the setup is pretty standard.

score 49 · Accepted Answer · edited Jun 23 '22 at 08:33

49

The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).

From man slapcat (from OpenLDAP 2.3) :

The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.

(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)

Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.

I'd suggest to use a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the ldap server or moving files around.

For example, dump database from a master server under dc=master,dc=com and load it in a backup server

$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif

The -W flag above prompts for ldap admin_master password however since we are redirecting output to a file you wont see the prompt - just an empty line. Go ahead and type your ldap admin_master password and enter and it will work. First line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.

Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.

edited Jun 23 '22 at 08:33

StackzOfZtuff

2,534
1
28
25

answered May 25 '10 at 05:08

sberder

4,505
2
26
15

2

-Wx didn't work for me when redirecting to a file. Replacing -Wx with -w worked great. – Andy Balaam Jan 23 '12 at 00:13
5

I don't like putting passwords on the command line because they usually end up in your shell history... – sberder Feb 07 '12 at 06:20
@HendyIrawan I think it's actually hard to do as we are talking of ordering the entries from a tree. In reality, most of the time slapcat / ldapadd will work if your tree is simple but it's safer to use the ldapsearch / ldapadd couple. **TLDR;** Why reorder what doesn't need to be? – sberder Jul 23 '12 at 09:52
One issue with the slapsearch is that it will not dump technical attributes such as the password history, last password update date, ... all those stuffs that are needed by the ppolicy layer. I assume there are others attributes you should backup and that won't. – poussma Oct 25 '12 at 08:21
+1 for the excellent answer. it helps me. with no change at all! – User007 Feb 05 '13 at 04:26
"I don't like putting passwords on the command line because they usually end up in your shell history" - just add a space in front of the command, and it won't be added to history. – elzapp May 06 '14 at 08:47
For the password, the alternative to `-W` or `-w mypassword` is `-y passwordfile`. Make the password file only readable by root. – mivk Nov 29 '15 at 14:56

score 21 · Answer 2 · answered Jul 23 '10 at 01:41

21

ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.

Export your DB with slapcat:

slapcat > ldif

Import the DB with slapadd (make sure the LDAP server is stopped):

slapadd -l ldif

answered Jul 23 '10 at 01:41

Joel

696
1
7
12

1

From the slapcat man page, "The output of slapcat is intended to be used as input to slapadd(8). The output of slapcat cannot generally be used as input to ldapadd(1) or other LDAP clients without first editing the output. This editing would normally include reordering the records into superior first order and removing no-user-modification operational attributes." -- In other words, it is potentially a lot of work to use ldapadd because of operational metadata, whereas slapadd will ignore the operational metadata. – wmorse May 11 '13 at 01:34
@wmorse slapadd will not ignore operational metadata but load it as it is contained in the ldif produced by slapcat. This is important if you have processes like replication, etc. that rely on operational attributes like the entryUUIDs to stay the same. – Ralf Sep 26 '14 at 13:09
Those two commands can import and export user password , too?? – 2015evanotes Dec 06 '21 at 09:22

score 10 · Answer 3 · edited Feb 22 '18 at 15:05

10

Some appointments:

Save your personalized schemas and objectclasses definitions on your new server. You can look for your included files at slapd.conf to obtain it, for example (this is a part of my slapd.conf):

include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.

edited Feb 22 '18 at 15:05

Archmede

1,592
2
20
37

answered Apr 27 '09 at 09:36

sourcerebels

5,140
1
32
52

Thanks... the problem was that I didn't remember the name of the tool (slapcat) – elzapp Apr 27 '09 at 10:35
2

For newer versions of OpenLDAP, you'll need to use 'slapadd' instead of 'ldapadd'. – Garrett Hyde Nov 02 '11 at 23:07

score 8 · Answer 4 · edited Jun 23 '22 at 08:24

8

I prefer copy the database through the protocol:

first of all be sure you have the same schemas on both servers.

dump the database with ldapsearch:

ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif

and import it in the new server:

ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif

in one line:

ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a

By using the bin/ldap* commands you are talking directly with the server while using bin/slap* commands you are dealing with the backend files

edited Jun 23 '22 at 08:24

StackzOfZtuff

2,534
1
28
25

answered May 19 '09 at 13:12

Vish

91
1

3

I'm interested in how to "be sure you have the same schemas on both servers". I'm tasked with moving an existing LDAP to a new server and have never used openLdap before. How can I get the schema to mirror the old server so that the import succeeds ? – Ketema Dec 31 '12 at 22:01

O.Colombo · Answer 5 · 2014-04-30T13:55:43.807

3

(Not enough reputation to write a comment...)

Ldapsearch opens a connection to the LDAP server. Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")

edited Apr 30 '14 at 13:55

answered Apr 30 '14 at 13:23

O.Colombo

31
3

Try to give a more detailed answer. Otherwise your answer might be better suited to be a comment. – Xaver Kapeller Apr 30 '14 at 13:41
Well there is a reason for that requirement and answering instead of commenting just because one doesn't have the privilege yet is rather frowned upon. – Xaver Kapeller Apr 30 '14 at 13:54

score 2 · Answer 6 · edited Jun 09 '13 at 15:56

2

Thanks, Vish. Worked like a charm! I edited the command:

ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif

ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif

Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).

edited Jun 09 '13 at 15:56

Mohannad A. Hassan

1,650
1
13
24

answered Jun 09 '13 at 15:33

Natan

21
1

How do I clone an OpenLDAP database

6 Answers6

Linked