LDAP

[slapcat/slapadd] Usage,Options ~ OpenLDAP Backup/Restore and Migration, cn=config, cn=monitor, Error ~

slapcat basics and options

With slapcat you can dump the OpenLDAP settings (config) and back up the LDAP accounts. The output is text in LDIF format.

Backup of OpenLDAP settings

slapcat -b cn=config -l ldap-config-YYYYMMDD.ldif

or

slapcat -n 0 -l ldap-config-YYYYMMDD.ldif

"-n" specifies the database number, and "-b" specifies the DN (suffix) of the LDAP tree. "-n" and "-b" cannot be used at the same time. The database number of the config database is 0.

LDAP account backup

To back up the LDAP account, use the following command.

slapcat -l ldap-YYYYMMDD.ldif

The backup itself still succeeds, but the following message is always printed.

The first database does not allow slapcat; using the first available one (2).

In OpenLDAP 2.4 and later, the configuration is expanded from slapd.conf into /etc/openldap/slapd.d and made up into an LDAP tree of its own. In other words, there is an LDAP tree that holds only configuration information. This mechanism is called OLC (OnLine Configuration). It is database number 0, but the "first database" in the message above refers to a different database.

This first database is also called the "monitor database". It too was introduced with OpenLDAP 2.4, and it is represented by the LDAP tree "cn=monitor". /etc/openldap/slapd.conf also contains the following line for it.

database monitor

To back up the LDAP accounts without this message being printed, use the following command.

slapcat -n 2 -l ldap-YYYYMMDD.ldif

In other words, it dumps database number 2. (The "(2)" at the end of the message means that database 2 is the first one that slapcat can use.)

Note that the monitor database works like an SNMP MIB: it holds statistical information such as the current number of sessions. slapcat is not permitted on it, so running the following command produces an error.

[root@houran ~]# slapcat -n 1

slapcat: database does not support necessary operations.

slapcat cannot be used on it, but the monitor information can be read with ldapsearch.

ldapsearch -x -b cn=monitor -s sub +

slapadd basics and options

With slapadd you can load the OpenLDAP settings (config) and add LDAP accounts. Its input is also LDIF, so the output of slapcat can be used as it is.

Restoring OpenLDAP settings

slapadd -n 0 -F /etc/openldap/slapd.d -l ldap-config-YYYYMMDD.ldif

Restore LDAP account

slapadd -l ldap-YYYYMMDD.ldif

Procedure for LDAP migration

To migrate from one OpenLDAP server to another, follow the procedure below.

1. Export the configuration and account information from the old LDAP server with slapcat

slapcat -n 0 -l ldap-config-backup.ldif
slapcat -n 2 -l ldap-account-backup.ldif

2. Stop LDAP on the new server

systemctl stop slapd

3. On the new server, move the existing configuration and data directories aside, create new empty directories, and copy DB_CONFIG

mv /etc/openldap/slapd.d /etc/openldap/slapd.d_old
mkdir -m 700 /etc/openldap/slapd.d
mv /var/lib/ldap /var/lib/ldap_old
mkdir -m 700 /var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

4. Import the configuration and account information on the new server

slapadd -n 0 -F /etc/openldap/slapd.d -l ldap-config-backup.ldif
slapadd -l ldap-account-backup.ldif

5. Change the owner and group of the LDAP-related files on the new server

chown ldap:ldap -R /etc/openldap/slapd.d
chown ldap:ldap -R /var/lib/ldap

6. Restart LDAP on new server

systemctl start slapd
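After step 6, a migration is only trustworthy if the data on the new server matches what was exported in step 1: run slapcat on the new server and compare that dump with ldap-account-backup.ldif. The Python script below is an added example, not part of the original post: it parses two slapcat dumps (folded lines, comments and base64 "attr::" values) and reports DNs that were lost, gained or changed, skipping an assumed set of operational attributes (contextCSN, modifyTimestamp, modifiersName) that slapd maintains itself. The LDIF inside it is constructed sample data; real dumps contain userPassword hashes, so keep them readable by root only.

```python
import base64

# Assumed set of attributes slapd maintains itself; they can differ between the
# old dump and a dump of the restored server without any user data changing.
IGNORE = frozenset({"contextcsn", "modifytimestamp", "modifiersname"})

def parse_ldif(text):
    """Parse slapcat LDIF into {dn: {attr: set(values)}} (attribute names lowercased)."""
    lines, entries, dn, attrs = [], {}, None, {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" as slapcat emits it
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), set()).add(value)
    return entries

def compare_dumps(old_ldif, new_ldif, ignore=IGNORE):
    """Return (missing, extra, changed): DNs lost, DNs gained, DNs whose compared attributes differ."""
    old, new = parse_ldif(old_ldif), parse_ldif(new_ldif)
    def keep(a): return {k: v for k, v in a.items() if k not in ignore}
    common = set(old) & set(new)
    return (sorted(set(old) - set(new)), sorted(set(new) - set(old)),
            sorted(d for d in common if keep(old[d]) != keep(new[d])))

# Constructed sample dumps (not real data): alice survives the migration with a
# new modifyTimestamp; the bob entry is missing from the restored server.
OLD = ("dn: uid=alice,ou=People,dc=example,dc=com\nuid: alice\n"
       "userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=\ndescription: folded val\n ue\n"
       "modifyTimestamp: 20200101000000Z\n\ndn: uid=bob,ou=People,dc=example,dc=com\nuid: bob\n")
NEW = ("dn: uid=alice,ou=People,dc=example,dc=com\nuid: alice\n"
       "userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=\ndescription: folded value\nmodifyTimestamp: 20240101000000Z\n")

if __name__ == "__main__":
    print(compare_dumps(OLD, NEW))        # (['uid=bob,ou=People,dc=example,dc=com'], [], [])
```

To check a real migration, read the two dump files into strings and pass them to compare_dumps; an empty result in all three lists means every DN and every compared attribute made it across.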
