How do I clone an OpenLDAP database

linux ldap redhat openldap

90,413

Solution 1

The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).

From man slapcat (from OpenLDAP 2.3) :

The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.

(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)

Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.

I'd suggest to use a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the ldap server or moving files around.

For example, dump database from a master server under dc=master,dc=com and load it in a backup server

$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif

The -W flag above prompts for ldap admin_master password however since we are redirecting output to a file you wont see the prompt - just an empty line. Go ahead and type your ldap admin_master password and enter and it will work. First line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.

Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.

Solution 2

ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.

Export your DB with slapcat:

slapcat > ldif

Import the DB with slapadd (make sure the LDAP server is stopped):

slapadd -l ldif

Solution 3

Some appointments:

Save your personalized schemas and objectclasses definitions on your new server. You can look for your included files at slapd.conf to obtain it, for example (this is a part of my slapd.conf):

include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.

Solution 4

I prefer copy the database through the protocol:

first of all be sure you have the same schemas on both servers.

dump the database with ldapsearch:

ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif

and import it in the new server:

ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif

in one line:

ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a

By using the bin/ldap* commands you are talking directly with the server while using bin/slap* commands you are dealing with the backend files

Solution 5

(Not enough reputation to write a comment...)

Ldapsearch opens a connection to the LDAP server. Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")

View more solutions

90,413

Author by

elzapp

Developer at Vizrt. Experienced in PHP, Python, MySQL, HTML, CSS and Java.

Updated on July 09, 2022

Comments

elzapp almost 2 years

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:

I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.

What files would I need to copy over? I believe the setup is pretty standard.
elzapp about 15 years

Thanks... the problem was that I didn't remember the name of the tool (slapcat)
Garrett Hyde over 12 years

For newer versions of OpenLDAP, you'll need to use 'slapadd' instead of 'ldapadd'.
Andy Balaam over 12 years

-Wx didn't work for me when redirecting to a file. Replacing -Wx with -w <mypasswd> worked great.
sberder over 12 years

I don't like putting passwords on the command line because they usually end up in your shell history...
sberder almost 12 years

@HendyIrawan I think it's actually hard to do as we are talking of ordering the entries from a tree. In reality, most of the time slapcat / ldapadd will work if your tree is simple but it's safer to use the ldapsearch / ldapadd couple. TLDR; Why reorder what doesn't need to be?
poussma over 11 years

One issue with the slapsearch is that it will not dump technical attributes such as the password history, last password update date, ... all those stuffs that are needed by the ppolicy layer. I assume there are others attributes you should backup and that won't.
Ketema over 11 years

I'm interested in how to "be sure you have the same schemas on both servers". I'm tasked with moving an existing LDAP to a new server and have never used openLdap before. How can I get the schema to mirror the old server so that the import succeeds ?
User007 over 11 years

+1 for the excellent answer. it helps me. with no change at all!
wmorse about 11 years

From the slapcat man page, "The output of slapcat is intended to be used as input to slapadd(8). The output of slapcat cannot generally be used as input to ldapadd(1) or other LDAP clients without first editing the output. This editing would normally include reordering the records into superior first order and removing no-user-modification operational attributes." -- In other words, it is potentially a lot of work to use ldapadd because of operational metadata, whereas slapadd will ignore the operational metadata.
Xaver Kapeller about 10 years

Try to give a more detailed answer. Otherwise your answer might be better suited to be a comment.
Xaver Kapeller about 10 years

Well there is a reason for that requirement and answering instead of commenting just because one doesn't have the privilege yet is rather frowned upon.
elzapp about 10 years

"I don't like putting passwords on the command line because they usually end up in your shell history" - just add a space in front of the command, and it won't be added to history.
Ralf over 9 years

@wmorse slapadd will not ignore operational metadata but load it as it is contained in the ldif produced by slapcat. This is important if you have processes like replication, etc. that rely on operational attributes like the entryUUIDs to stay the same.
mivk over 8 years

For the password, the alternative to -W or -w mypassword is -y passwordfile. Make the password file only readable by root.
2015evanotes over 2 years

Those two commands can import and export user password , too??