How do I clone an OpenLDAP database

Asked 27/4, 2009 at 7:51 Answered 30/4, 2014 at 13:23

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:

I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.

What files would I need to copy over? I believe the setup is pretty standard.

Revalue answered 27/4, 2009 at 7:51 Comment(0)

The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).

From man slapcat (from OpenLDAP 2.3) :

The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.

(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)

Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.

I'd suggest to use a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the ldap server or moving files around.

For example, dump database from a master server under dc=master,dc=com and load it in a backup server

$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif

The -W flag above prompts for ldap admin_master password however since we are redirecting output to a file you wont see the prompt - just an empty line. Go ahead and type your ldap admin_master password and enter and it will work. First line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.

Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.

Feint answered 25/5, 2010 at 5:8 Comment(7)

-Wx didn't work for me when redirecting to a file. Replacing -Wx with -w <mypasswd> worked great. – Chaussure 23/1, 2012 at 0:13

I don't like putting passwords on the command line because they usually end up in your shell history... – Feint 7/2, 2012 at 6:20

@HendyIrawan I think it's actually hard to do as we are talking of ordering the entries from a tree. In reality, most of the time slapcat / ldapadd will work if your tree is simple but it's safer to use the ldapsearch / ldapadd couple. TLDR; Why reorder what doesn't need to be? – Feint 23/7, 2012 at 9:52

One issue with the slapsearch is that it will not dump technical attributes such as the password history, last password update date, ... all those stuffs that are needed by the ppolicy layer. I assume there are others attributes you should backup and that won't. – Digitoxin 25/10, 2012 at 8:21

+1 for the excellent answer. it helps me. with no change at all! – Ragen 5/2, 2013 at 4:26

"I don't like putting passwords on the command line because they usually end up in your shell history" - just add a space in front of the command, and it won't be added to history. – Revalue 6/5, 2014 at 8:47

For the password, the alternative to -W or -w mypassword is -y passwordfile. Make the password file only readable by root. – Churchman 29/11, 2015 at 14:56

ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.

Export your DB with slapcat:

slapcat > ldif

Import the DB with slapadd (make sure the LDAP server is stopped):

slapadd -l ldif

Cataphoresis answered 23/7, 2010 at 1:41 Comment(3)

From the slapcat man page, "The output of slapcat is intended to be used as input to slapadd(8). The output of slapcat cannot generally be used as input to ldapadd(1) or other LDAP clients without first editing the output. This editing would normally include reordering the records into superior first order and removing no-user-modification operational attributes." -- In other words, it is potentially a lot of work to use ldapadd because of operational metadata, whereas slapadd will ignore the operational metadata. – Blayne 11/5, 2013 at 1:34

@Blayne slapadd will not ignore operational metadata but load it as it is contained in the ldif produced by slapcat. This is important if you have processes like replication, etc. that rely on operational attributes like the entryUUIDs to stay the same. – Ably 26/9, 2014 at 13:9

Those two commands can import and export user password , too?? – Heptad 6/12, 2021 at 9:22

Some appointments:

Save your personalized schemas and objectclasses definitions on your new server. You can look for your included files at slapd.conf to obtain it, for example (this is a part of my slapd.conf):

include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.

Ina answered 27/4, 2009 at 9:36 Comment(2)

Thanks... the problem was that I didn't remember the name of the tool (slapcat) – Revalue 27/4, 2009 at 10:35

For newer versions of OpenLDAP, you'll need to use 'slapadd' instead of 'ldapadd'. – Pain 2/11, 2011 at 23:7

I prefer copy the database through the protocol:

first of all be sure you have the same schemas on both servers.

dump the database with ldapsearch:

ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif

and import it in the new server:

ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif

in one line:

ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a

By using the bin/ldap* commands you are talking directly with the server while using bin/slap* commands you are dealing with the backend files

Soper answered 19/5, 2009 at 13:12 Comment(1)

I'm interested in how to "be sure you have the same schemas on both servers". I'm tasked with moving an existing LDAP to a new server and have never used openLdap before. How can I get the schema to mirror the old server so that the import succeeds ? – Marra 31/12, 2012 at 22:1

(Not enough reputation to write a comment...)

Ldapsearch opens a connection to the LDAP server. Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")

Phylum answered 30/4, 2014 at 13:23 Comment(2)

Try to give a more detailed answer. Otherwise your answer might be better suited to be a comment. – Violone 30/4, 2014 at 13:41

Well there is a reason for that requirement and answering instead of commenting just because one doesn't have the privilege yet is rather frowned upon. – Violone 30/4, 2014 at 13:54

Thanks, Vish. Worked like a charm! I edited the command:

ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif

ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif

Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).

Chromatin answered 9/6, 2013 at 15:33 Comment(0)

Recommended topics

Hot tags