- 1 slapcat basics and options
- 2 slapadd basics and options
- 3 Procedure for LDAP migration
- 3.1 1. Export the configuration and account information with slapcat on the old LDAP server
- 3.2 2. Stop LDAP on the new server
- 3.3 3. On the new server, rename the existing configuration and data directories, create new empty ones, and copy DB_CONFIG
- 3.4 4. Import the configuration and account information into the new server
- 3.5 5. Change the owner and group of the LDAP files on the new server
- 3.6 6. Restart LDAP on the new server
slapcat basics and options
slapcat exports the OpenLDAP configuration (config) and a backup of the LDAP accounts. Its output is text in LDIF format.
Backup of OpenLDAP settings
"-n" specifies the database number and "-b" specifies the DN of the LDAP tree; "-n" and "-b" cannot be used at the same time. The database number of config is 0.
LDAP account backup
To back up the LDAP accounts, use the following command.
The backup itself succeeds, but the following message is always printed:
The first database does not allow slapcat; using the first available one (2).
In OpenLDAP 2.4 and later, the configuration is converted from slapd.conf into /etc/openldap/slapd.d and exposed as its own LDAP tree; in other words, there is an LDAP tree that holds only configuration. This mechanism is called OLC (OnLine Configuration). It is database number 0, but the "first database" in the message above refers to a different database.
This first database is the "monitor database", also introduced with OpenLDAP 2.4, and it is represented by the LDAP tree "cn=monitor". /etc/openldap/slapd.conf also contains the following.
To back up the LDAP accounts without triggering this message, use the following command.
In other words, it dumps the second database. (The trailing "(2)" in the message means that the second database is the one used.)
Note that the monitor database works like an SNMP MIB and holds statistics such as the current number of sessions, but it does not permit slapcat; running the following command against it produces an error:
slapcat: database does not support necessary operations.
slapcat cannot read it, but the monitor information can be retrieved with ldapsearch.
slapadd basics and options
slapadd loads the OpenLDAP configuration (config) and adds LDAP accounts. Since its input is also LDIF, the output of slapcat can be used as-is.
Restoring OpenLDAP settings
Restore LDAP account
Procedure for LDAP migration
To migrate from one OpenLDAP server to another, follow the procedure below.
1. Export the configuration and account information with slapcat on the old LDAP server
slapcat -n 2 -l ldap-account-backup.ldif
2. Stop LDAP on the new server
3. On the new server, rename the existing configuration and data directories, create new empty ones, and copy DB_CONFIG
mv /etc/openldap/slapd.d /etc/openldap/slapd.d_old
mkdir -m 700 /etc/openldap/slapd.d
mv /var/lib/ldap /var/lib/ldap_old
mkdir -m 700 /var/lib/ldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
4. Import the configuration and account information into the new server
slapadd -l ldap-account-backup.ldif
5. Change the owner and group of the LDAP files on the new server
chown -R ldap:ldap /var/lib/ldap
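As an added example that is not part of the original post, here is a small POSIX shell check to run on the exported ldap-account-backup.ldif before step 4's slapadd: it confirms the dump is non-empty, that no slapcat diagnostic (such as the "first database does not allow slapcat" message) was redirected into it, and that it is rooted at the expected account suffix rather than cn=config or cn=monitor. The suffix dc=example,dc=com and the sample entries are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the original post: sanity-check an LDIF dump made
# with "slapcat -n 2 -l FILE" before handing it to slapadd on the new server.
# The sample LDIF and all names below are constructed for this example.

# Number of entries in an LDIF file (one "dn:" line per entry).
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# Succeeds if the first entry's DN equals the expected suffix, i.e. the
# dump is the account tree rather than cn=config (-n 0) or cn=monitor.
ldif_has_suffix() {
    first_dn=$(grep '^dn:' "$1" | head -n 1 | sed 's/^dn:[ ]*//')
    [ "$first_dn" = "$2" ]
}

# Succeeds if no slapcat diagnostic leaked into the dump, which happens
# when stderr is redirected into the file ("slapcat -n 2 >f 2>&1").
ldif_is_clean() {
    ! grep -q -e '^slapcat:' -e 'does not allow slapcat' "$1"
}

# Combined pre-import check: returns 0 and prints a summary when the dump
# is non-empty, free of diagnostics and rooted at the expected suffix.
check_backup() {
    f=$1; suffix=$2
    [ -s "$f" ] || { echo "empty backup: $f"; return 1; }
    ldif_is_clean "$f" || { echo "diagnostic text inside $f"; return 1; }
    ldif_has_suffix "$f" "$suffix" || { echo "wrong suffix in $f"; return 1; }
    echo "$f: $(ldif_entry_count "$f") entries under $suffix"
}

# Constructed sample standing in for ldap-account-backup.ldif.
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: uid=alice,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
EOF
check_backup "$SAMPLE_LDIF" "dc=example,dc=com"
```

Run it with the real dump and suffix in place of the constructed ones; a non-zero exit means the file should not be fed to slapadd.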