Change BaseDN in OpenLDAP
Solution 1
OK, I solved it myself. Here is how I migrated the current LDAP database to a new domain:
- Export the old LDAP database to ldif file.
- Delete the old database
- Create a new LDAP database with new domain name
- Modify the exported ldif file above to fit the new domain (the root dn)
- Import the modified ldif file into the new database
Assuming I have a new domain name, dc=my,dc=new,dc=ldap,dc=domain, and I want to move all of the existing LDAP data to the new one.
I did the following steps
1. Backup the old LDAP database:
    # slapcat -v -l old_ldap.ldif

2. Stop the OpenLDAP server:
    # service slapd stop

3. Delete the old LDAP database:
    # cd /var/lib/ldap
    # rm -rf *

4. Make sure LDAP is not running:
    # nano /var/lib/ldap/DB_CONFIG
   NOTE: add these following lines and save
    #DB_CONFIG
    set_cachesize 0 150000000 1
    set_lg_regionmax 262144
    set_lg_bsize 2097152
    set_flags DB_LOG_AUTOREMOVE

5. Change the current LDAP settings in the following files:

   a. /etc/ldapscripts/ldapscripts.conf
    ...
    SERVER="ldap://localhost"
    BINDDN="cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
    BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
    ...

   b. /etc/ldap/slapd.d/cn=config/olcDatabase\={1}hdb.ldif
    ...
    olcSuffix: dc=my,dc=new,dc=ldap,dc=domain
    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * none
    olcAccess: {2}to * by self write by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * read
    olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
    olcRootPW: <new administrator password>
    ...

6. Prepare the new LDAP directory structure and data, new_ldap.ldif (or modify the old_ldap.ldif with the new dn):
    # Root
    dn: dc=my,dc=new,dc=ldap,dc=domain
    description: New LDAP BaseDN
    dc: parent
    o: parent.my.new.ldap.domain
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    structuralObjectClass: organization

    # administrator
    dn: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    userPassword: <new administrator password>
    structuralObjectClass: organizationalRole

    # Subtree for Users
    dn: ou=Users,dc=my,dc=new,dc=ldap,dc=domain
    ou: Users
    description: Parent Ldap Users
    objectClass: organizationalUnit
    objectClass: top
    structuralObjectClass: organizationalUnit

    # Subtree for Groups
    dn: ou=Groups,dc=my,dc=new,dc=ldap,dc=domain
    ou: Groups
    description: Parent LDAP Groups
    objectClass: organizationalUnit
    objectClass: top
    structuralObjectClass: organizationalUnit
    ...

7. Test the new ldif:
    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -u -l new_ldap.ldif
   NOTE: the -u means run the command in test mode.
   If everything's OK, the output will look something like:
    added: "dc=my,dc=new,dc=ldap,dc=domain"
    added: "cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Users,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Groups,dc=my,dc=new,dc=ldap,dc=domain"
    _#################### 100.00% eta none elapsed none fast!

8. Add the new LDAP data to the server:
    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -l new_ldap.ldif
You can check for updates in my blog post about this issue: http://iambusychangingtheworld.blogspot.com/2013/10/ldap-create-new-ldap-directory.html
Solution 2
Very useful guide! For future reference, I found that after modification of point 5b, the test (as described in point 7) will report a failing crc32 value (the checksum is located on line 2 of that same file).
Edit 06/2/2018: As per suggestion of PF4Public, you might be able to remove those lines as a whole.
In any other case, you will have to generate a new crc32 (I am using Debian Jessie, your path might be different).
Fast route:
tail -n +3 /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}mdb.ldif
and pasting the result inside an online crc32 calculator. The calculated crc32 value replaces the old value located on line 2 of the mdb.ldif.
The slow/thorough route is described here: https://gist.github.com/Shaltz/1d65a07a0901a36fb7f1
After adding the new_ldap.ldif make sure the openldap user has rights on the generated database.
chown -R openldap:openldap /var/lib/ldap
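The checksum repair from this answer, as an added Python example (not code from the answer or from OpenLDAP): it computes the CRC-32 over everything from line 3 onward, the same bytes `tail -n +3` prints, and rewrites line 2. The file contents and the stale `deadbeef` value are constructed for the demonstration; the header comment is the one slapd itself writes.

```python
import re
import sys
import zlib

# Constructed sample of a slapd.d entry that was edited by hand: the checksum stored on
# line 2 no longer matches the body, which is the state the answer describes.
SAMPLE = (
    "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
    "# CRC32 deadbeef\n"
    "dn: olcDatabase={1}mdb\n"
    "objectClass: olcDatabaseConfig\n"
    "objectClass: olcMdbConfig\n"
    "olcDatabase: {1}mdb\n"
    "olcSuffix: dc=my,dc=new,dc=ldap,dc=domain\n"
    "olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain\n"
)
CRC_LINE = re.compile(r"^# CRC32 ([0-9a-fA-F]{8})$")

def split_header(text):
    """Return (first line, stored crc, body); body is what `tail -n +3 FILE` prints."""
    parts = text.split("\n", 2)
    if len(parts) < 3:
        raise ValueError("file too short to carry the two-line slapd.d header")
    m = CRC_LINE.match(parts[1])
    if not m:
        raise ValueError("line 2 is not a '# CRC32 xxxxxxxx' line")
    return parts[0], m.group(1).lower(), parts[2]

def body_crc32(body):
    """Standard CRC-32 (the value an online crc32 calculator gives) as 8 hex digits."""
    return "%08x" % (zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF)

def check(text):
    """True when the stored checksum matches the body (no checksum error is reported)."""
    _, stored, body = split_header(text)
    return stored == body_crc32(body)

def fix(text):
    """Rewrite line 2 with the checksum of the current body; the body itself is untouched."""
    first, _, body = split_header(text)
    return "%s\n# CRC32 %s\n%s" % (first, body_crc32(body), body)

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 fixcrc.py /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
    with open(sys.argv[1], encoding="utf-8") as f:
        data = f.read()
    if not check(data):
        with open(sys.argv[1], "w", encoding="utf-8") as f:
            f.write(fix(data))
```

Changing cn=config with ldapmodify instead of a text editor leaves slapd to write the checksum itself, which is why the file header says so.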
Solution 3
Just to combine Trinh Nguyen and R.J.'s answers and omitting what was needed for a clean Ubuntu 20.04 installation:
Backup database to editable ldif file:
sudo slapcat -v -l ldap.ldif
Edit ldap.ldif to change root dn.
Stop slapd, remove old ldap database and create a new one based on the edited ldif, chown:
sudo service slapd stop
sudo rm /var/lib/ldap/*
sudo slapadd -b "dc=new_root_name" -v -l ldap.ldif
sudo chown -R openldap:openldap /var/lib/ldap
Edit /etc/ldap.conf and /etc/ldap/slapd.d/cn=config/olcDatabase\={1}mdb.ldif to match admin dn. And start the server again:
sudo service slapd start
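The "edit ldap.ldif to change root dn" step, as an added Python example that is not code from any of the answers: it rewrites the suffix on every dn: line and on DN-valued attributes such as member, creatorsName and modifiersName (a dn-only rename misses those, which is the JXplorer limitation user207421 mentions in the comments), and it copes with LDIF folded lines and base64 (`::`) values that slapcat emits. The suffixes are the ones from the question; the DN_ATTRS set and the sample export are constructed assumptions.

```python
import base64
import re
OLD_BASE = "dc=abc,dc=com"  # old suffix from the question
NEW_BASE = "dc=xyz,dc=edu"  # new suffix from the question
# Attributes whose values are DNs (assumed set; extend it for your schema, e.g. uniqueMember).
DN_ATTRS = {"dn", "member", "memberof", "owner", "manager", "seealso", "creatorsname", "modifiersname"}
ATTR_LINE = re.compile(r"^([A-Za-z][\w\-;.]*)(::?) ?(.*)$")

def unfold(text):
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:  # a leading space continues the previous LDIF line
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def rebase_dn(value, old, new):
    """Replace only a trailing suffix; DN comparison is case-insensitive."""
    if value.lower() == old.lower():
        return new
    if value.lower().endswith("," + old.lower()):
        return value[:-len(old)] + new
    return value

def rebase_ldif(text, old=OLD_BASE, new=NEW_BASE):
    out = []
    for line in unfold(text):
        m = ATTR_LINE.match(line)
        if not m or m.group(1).lower() not in DN_ATTRS:
            out.append(line)  # comments, blank entry separators, non-DN attributes
            continue
        attr, sep, raw = m.groups()
        # "::" marks a base64 value; slapcat uses it for DNs containing non-ASCII characters
        value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
        value = rebase_dn(value, old, new)
        raw = base64.b64encode(value.encode("utf-8")).decode("ascii") if sep == "::" else value
        out.append("%s%s %s" % (attr, sep, raw))
    return "\n".join(out) + "\n"

def dn_values(text):
    """Decoded (attribute, value) pairs of all DN-valued attributes, to check the result."""
    return [(m.group(1), base64.b64decode(m.group(3)).decode() if m.group(2) == "::" else m.group(3))
            for m in map(ATTR_LINE.match, unfold(text)) if m and m.group(1).lower() in DN_ATTRS]

# Constructed sample export: root entry, then a group with a folded and a base64-encoded member
B64_OLD = base64.b64encode("uid=börje,ou=Users,dc=abc,dc=com".encode()).decode()
SAMPLE = ("dn: dc=abc,dc=com\nobjectClass: dcObject\ndc: abc\ncreatorsName: cn=admin,dc=abc,dc=com\n\n"
          "dn: cn=admins,ou=Groups,dc=abc,dc=com\nobjectClass: groupOfNames\ncn: admins\n"
          "member: uid=alice,ou=Users,dc=abc,\n dc=com\nmember:: " + B64_OLD + "\n")
```

The root entry's own naming attribute (`dc: abc` in the sample) is deliberately left alone: when the leftmost RDN changes it must be edited to match by hand, because the RDN value has to appear as an attribute of the entry.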
Trinh Nguyen
Updated on August 05, 2022

Comments
- Trinh Nguyen, almost 2 years:
  I was trying to rename my OpenLDAP's baseDN
  from: dc=abc,dc=com
  to: dc=xyz,dc=edu
  I did modify some conf files:
  - /etc/ldap/slapd.d/cn\=config/olcDatabase={1}hdb.ldif
  - /etc/ldapscripts/ldapscripts.conf
  and the configuration of phpLDAPadmin:
  - config.php
  to the new root dn.
  But after I restarted the slapd and lighttpd services, although I could log in to the admin interface of phpLDAPAdmin (admin binddn), I was not able to do anything.
  I also tried to run some ldap command lines but it didn't work.
  What else do I have to do? Or is anything wrong with my method?

- user207421, about 7 years:
  Note that the JXplorer tool will either export or import the LDIF with a re-based BaseDN, but unfortunately it doesn't apply that change to DN-valued attributes.

- PF4Public, over 6 years:
  Have you tried deleting those two lines? It is enough just to delete them.

- R.J., over 6 years:
  That is an even better suggestion!! Put your suggestion first!