Thursday, May 25, 2023

Migrating an openldap database to a new installation

If you are familiar with Openldap you may have become frustrated with the difficulty of migrating a database from one installation to a fresh instance of Openldap. There is an easy way to do this, using a combination of slapcat and slapadd. The only drawback is that it destroys the database at the destination. However, this is usually a new copy of Openldap, so it doesn't matter.

Ldap is a tree

It is important to realise that an ldap database is a tree. That is, there is only one node at the root, and every descendant node must have only one parent. When you install Openldap the tree consists of one node called "nodomain", which, if not destroyed, will likely conflict with anything you import. What you really want is for the root to consist of a "suffix" of your choice, such as mycompany.com, which ldap breaks down to dc=mycompany,dc=com.

Exporting your ldap tree

On your old Openldap installation you must first export the data. For this I recommend you use slapcat:

slapcat [-b suffix] -l output.ldif

You can specify a suffix with -b, which exports only that portion of the tree. This is useful when your old installation contains a sub-tree you want installed in standalone form on the new instance of Openldap. Omit -b and the entire tree is exported to the file output.ldif.

Importing the exported tree to a new Openldap instance

slapadd is a simple utility that copies the exported database into an empty database. I provide here a script for doing this. Notice that it first deletes the old database (the one defining "nodomain" as the root) to avoid conflicts. To do this it must first stop the slapd service and restart it afterwards.
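As an added example (not the script from the original post), the following sh helper wraps the two steps described above: slapcat on the old server, then a guarded slapadd reload on the new one. It assumes Debian/Ubuntu defaults for the database directory (/var/lib/ldap), the cn=config directory (/etc/ldap/slapd.d) and the service user (openldap), and assumes systemctl for service control; all three paths can be overridden through the environment. Before anything destructive happens it checks that the root DN of the export is the suffix the new server is configured for, and it moves the existing database aside as a backup rather than deleting it.

```shell
#!/bin/sh
# Added example, not the script from the original post: an export-and-reload
# helper around slapcat/slapadd. Paths and the service user are assumed
# Debian/Ubuntu defaults; override them via the environment if yours differ.
set -eu

LDAP_DB_DIR="${LDAP_DB_DIR:-/var/lib/ldap}"        # assumption: Debian default
LDAP_CONF_DIR="${LDAP_CONF_DIR:-/etc/ldap/slapd.d}" # assumption: cn=config dir
LDAP_USER="${LDAP_USER:-openldap}"                  # assumption: slapd's user

# Constructed sample in the shape slapcat writes (not a real export), so the
# checks below can be tried offline. Writes two entries to the path given.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: dc=mycompany,dc=com
objectClass: dcObject
objectClass: organization
dc: mycompany
o: My Company

dn: ou=people,dc=mycompany,dc=com
objectClass: organizationalUnit
ou: people
EOF
}

# DN of the first entry in an LDIF file; slapcat writes the root entry first.
# A base64 DN ("dn:: ") is reported as BASE64 so the suffix check fails
# loudly rather than silently passing.
ldif_root_dn() {
    awk '/^dn:: / { print "BASE64"; exit } /^dn: / { sub(/^dn: /, ""); print; exit }' "$1"
}

# Number of entries (one "dn:" line each), for a post-load sanity figure.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# DNs compare case-insensitively and ignore whitespace around commas.
normalize_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# The root of the export must be the suffix the new slapd is configured for
# (olcSuffix in cn=config); slapadd refuses entries outside that naming context.
check_suffix() {
    [ "$(normalize_dn "$(ldif_root_dn "$1")")" = "$(normalize_dn "$2")" ]
}

# Old server: dump the tree (or the sub-tree rooted at SUFFIX) to an LDIF file.
export_tree() {
    slapcat -F "$LDAP_CONF_DIR" -b "$1" -l "$2"
}

# New server: stop slapd, set the current database aside, load the export,
# fix ownership, start slapd. The old database is kept as a backup, not deleted.
migrate_db() {
    ldif="$1"; suffix="$2"
    if ! check_suffix "$ldif" "$suffix"; then
        echo "root DN '$(ldif_root_dn "$ldif")' does not match suffix '$suffix'" >&2
        return 1
    fi
    systemctl stop slapd
    backup="${LDAP_DB_DIR}.bak.$(date +%Y%m%d%H%M%S)"
    mv "$LDAP_DB_DIR" "$backup"
    install -d -o "$LDAP_USER" -g "$LDAP_USER" -m 0755 "$LDAP_DB_DIR"
    # Legacy bdb/hdb backends need their DB_CONFIG back; mdb needs nothing.
    if [ -f "$backup/DB_CONFIG" ]; then
        cp "$backup/DB_CONFIG" "$LDAP_DB_DIR/"
    fi
    slapadd -F "$LDAP_CONF_DIR" -b "$suffix" -l "$ldif"
    # slapadd ran as root, so hand the new files to the service user.
    chown -R "$LDAP_USER:$LDAP_USER" "$LDAP_DB_DIR"
    systemctl start slapd
    echo "loaded $(ldif_entry_count "$ldif") entries; previous database kept in $backup"
}

# Only the destructive step is wired to the command line, and only when asked for:
#   LDAP_MIGRATE_RUN=1 sh migrate.sh export.ldif dc=mycompany,dc=com
if [ "${LDAP_MIGRATE_RUN:-0}" = "1" ]; then
    migrate_db "$@"
fi
```

On the old server, source the file and run export_tree dc=mycompany,dc=com export.ldif; copy export.ldif across; on the new server run LDAP_MIGRATE_RUN=1 sh migrate.sh export.ldif dc=mycompany,dc=com as root. If the new server's olcSuffix is still the installer's dc=nodomain, the pre-flight check fails on purpose: deleting the database files does not change the configured suffix. On Debian/Ubuntu, dpkg-reconfigure slapd sets the suffix from the DNS domain name you give it and re-creates an empty database, which is the state this script expects to load into.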

If you install ldap-account-manager (in Debian/Ubuntu) you can see the tree it creates in Tools->Tree view, which should be identical to the one you exported.
