Change location where LDAP data is stored

ldap centos7 openldap
5,822

Solution 1

I used to move the default database of openldap after each new setup.

The steps I do when I want to move a database :

  • Stop slapd
sudo service slapd stop
  • slapcat the content of the cn=config branch in a LDIF file
sudo slapcat -b cn=config > /tmp/config.ldif
  • Copy the /var/lib/ldap directory wherever you want it
  • Make sure the user openldap owns the new directory and all the files inside
  • Edit the previously exported LDIF to modify the olcDbDirectory to the new location
  • Import the LDIF (Make sure the /etc/ldap/slapd.d is empty before doing this)
sudo rm -r /etc/ldap/slapd.d/*
sudo slapadd -F /etc/ldap/slapd.d -b cn=config -l /tmp/config.ldif
  • Make sure the /etc/ldap/slapd.d and all its content is owned by openldap
sudo chown -R openldap:openldap /etc/ldap/slapd.d/
  • Edit needed configuration to allow Slapd to use this new database directory

For example, with apparmor, edit the file /etc/apparmor.d/usr.sbin.slapd and add the following lines:

/path/to/new/db/ r,
/path/to/new/db/** rwk,
  • Restart apparmor and slapd
sudo service apparmor restart
sudo service slapd start

Usually it does the trick. It's also how I backup the configuration of my openldap instances.

Solution 2

I read your question in two parts:

  1. You want to have the OS be read-only while preserving write access to the LDAP data
  2. As a solution for #1, you propose storing the LDAP data in a location other than /var/lib/ldap

While I suspect #2 is possible, I don't have enough direct experience with OpenLDAP to address that directly. What I can do is suggest an alternative solution for #1. It's trivial to mount a difference disk partion at /var/lib/ldap, both through the mount command and through fstab. This should effectively accomplish your goal, whether or not OpenLDAP handles this natively. You might also be able to replace the /var/lib/ldap folder with a symlink to the desired location. Again, this bypasses OpenLDAP and any support that is or is not built into that project.

Finally, you should also think about preserving write access for certain log areas. The techniques in the paragraph above can work for moving log file locations, too.

Solution 3

I've done this successfully and used it in AWS to retain my data when I have to refresh the machine image. If you've rebuilt OpenLDAP with the

slaptest -f slapd.conf -F slapd.d

command (yes, we're still using the old way of config, but running it with slapd.d —I'm working on it) then really all you have to do is modify the directory location in the database configuration section of slapd.conf

directory /data/ldap

Create the DB_CONFIG file (chown to ldap:ldap) in /data/ldap because LDAP will yell if it's not there.

Once you run the slaptest command (slaptest -f slapd.conf -F slapd.d), your DB will be created there.
You'll probably need to chown -R ldap:ldap /data and /etc/openldap once you're done with the slaptest commmand.

If this is successful your DB or DBs will be located in /data/ldap

Save your slapd.conf file on your external partition so you can import it back when you set up another server.

When you need to spin up another server, import the slapd.conf file and run the slaptest command. You'll have to chown -R ldap:ldap to /data and /etc/openldap again, but when you start openldap, it should pick up the DBs on the external partition.

This is a solution in flux right now, but it's serving us well in standing up OpenLDAP in the cloud. We will obviously streamline this awkward process. We'll script all the things, maybe move /etc/openldap to a symlinked external drive, and modify the slapd.d with ldifs only instead of relying on the deprecated slapd.conf, but for now it's working fine.

Share:
5,822

Related videos on Youtube

hededo
Author by

hededo

Hello

Updated on September 18, 2022

Comments

  • hededo
    hededo almost 2 years

    I'm running an openLDAP server version 2.4.40 on CentOS 7. LDAP is going to be configured using online conf option (olc). Thanks to this question, I know that slapd's database files are in /var/lib/ldap.

    I'm trying to run an openLDAP server on a linux box as read-only OS partition and another partition for persistent data. I will be able to install and configure openLDAP on the OS partition, but will lose access to it after configuring it.

    Question: Is it possible to change the location LDAP reads/writes data from /var/lib/ldap to somewhere on the persistent data partition?

  • hededo
    hededo about 7 years
    I think your suggestion to mount the locations where data and logs are stored to some other directories on the data partition could work. I'm currently investigating where logs are stored and if I can configure the location where files are stored.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

LDAP user authentication on CentOS 7: Permission denied
Setting Up multiple domain in LDAP server
Installation OpenLDAP on CentOS 7
What are the other alternative to test a LDAP connection on linux machine
inetOrgPerson with member or memberOf?
Nested Group LDAP Search Filter
How to add rights to an user with olcAccess, in an OpenLDAP 2.4
I need to find out disabled users from ldap
Is there an LDAP standard group membership attribute for users?
Decrypting OpenLDAP passwords