
OpenLDAP

Backup & Restore

Backup

There should be two databases in your slapd instance:

0 - config
1 or 2 - data

slapcat -n 0 -l /root/backup/config.ldif
slapcat -n 2 -l /root/backup/data.ldif

Restore

You should move or delete the old directories before restoring.

slapadd -n 0 -F /etc/openldap/slapd.d -l /root/backup/config.ldif
slapadd -n 2 -F /etc/openldap/slapd.d -l /root/backup/data.ldif
chown -R ldap. /etc/openldap/slapd.d /var/lib/ldap
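The backup and restore steps above, wrapped in a small script as an added example (this is not code from the original page). It checks that each exported LDIF actually contains entries, since slapcat exits 0 even when it was pointed at the wrong database number, and it keeps the files private because they contain password hashes. Assumptions not stated on the page: database 2 is the data database, slapd is managed by systemd, and backups go into timestamped subdirectories of /root/backup.

```shell
#!/bin/sh
# Added example (not from the original page): wraps the slapcat/slapadd
# steps in a script that verifies each export contains entries and keeps
# the LDIF files private (they carry password hashes).
# Assumptions not stated on the page: database 2 is the data database
# (0 is config), slapd is managed by systemd, and backups go under
# /root/backup in a timestamped subdirectory.

set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/root/backup}"

# Number of entries in an LDIF file: every entry starts with a "dn:" line.
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# Reject an export with no entries. slapcat exits 0 even when the database
# number was wrong, so an empty file is the usual symptom of that mistake.
ldif_check() {
    [ -r "$1" ] || { echo "ERROR: $1 is missing or unreadable" >&2; return 1; }
    n=$(ldif_entry_count "$1")
    [ "$n" -gt 0 ] || { echo "ERROR: $1 contains no entries" >&2; return 1; }
    echo "$1: $n entries"
}

# Export config (-n 0) and data (-n 2) into a new timestamped directory.
backup_slapd() {
    dest="$BACKUP_ROOT/$(date +%Y%m%d-%H%M%S)"
    umask 077                      # new files readable by root only
    mkdir -p "$dest"
    slapcat -n 0 -l "$dest/config.ldif"
    slapcat -n 2 -l "$dest/data.ldif"
    ldif_check "$dest/config.ldif"
    ldif_check "$dest/data.ldif"
    echo "backup written to $dest"
}

# Restore from such a directory: stop slapd, move the old directories
# aside (slapadd needs empty targets), import, then fix ownership.
restore_slapd() {
    src="$1"
    ldif_check "$src/config.ldif"
    ldif_check "$src/data.ldif"
    systemctl stop slapd
    mv /etc/openldap/slapd.d "/etc/openldap/slapd.d.old.$$"
    mv /var/lib/ldap "/var/lib/ldap.old.$$"
    mkdir -p /etc/openldap/slapd.d /var/lib/ldap
    slapadd -n 0 -F /etc/openldap/slapd.d -l "$src/config.ldif"
    slapadd -n 2 -F /etc/openldap/slapd.d -l "$src/data.ldif"
    chown -R ldap. /etc/openldap/slapd.d /var/lib/ldap
    systemctl start slapd
}

# "backup" or "restore <dir>" runs the action; anything else only defines
# the functions, so the file can also be sourced.
case "${1:-}" in
    backup)  backup_slapd ;;
    restore) restore_slapd "${2:?restore needs a backup directory}" ;;
esac
```

Run it as `sh ldap-backup.sh backup` from cron, and `sh ldap-backup.sh restore /root/backup/<timestamp>` to restore. The old directories are moved aside with the script's PID as suffix rather than deleted, so a failed import can be rolled back by moving them back.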

Replication

Master/Slave Replication

Setup on Master

In the following steps you will need to add the LDIF files to your directory: ldapmodify is used for the config changes and ldapadd for the user creation.

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f example.ldif
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f user-creation.ldif

First, load the syncprov module for synchronization.

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

Set the Server ID.

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1

Create an OU for system users, if you have not created one already.

dn: ou=System,dc=example,dc=com
objectClass: organizationalUnit
ou: System

Create a read-only user for the sync. If you already have one, consider using a different name for this one, so that each account is tied to its intended use.

dn: cn=readonly,ou=System,dc=example,dc=com
objectClass: organizationalPerson
cn: readonly
sn: user
description: Readonly User
userPassword: {SSHA}x

Assign read permissions to the newly created user. In the following steps, pay attention to which database you are configuring. In this example it is {1}, but in many installations olcDatabase={1} is the monitor database and not your real directory.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=ldapadm,dc=example,dc=com" write
  by dn="cn=readonly,ou=System,dc=example,dc=com" read
  by anonymous auth
  by self write
  by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {1}

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to *
  by dn="cn=readonly,ou=System,dc=example,dc=com" read
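Two checks for the steps above, as an added example (not code from the original page): first, list the olcDatabase entries with their suffixes so that you know which index is the real directory before editing olcAccess; second, after the ACL is loaded, confirm that the readonly account can bind and search but is refused a write. It assumes ldapi:/// with SASL EXTERNAL works for root (as in the ldapmodify line above), the suffix dc=example,dc=com, the readonly DN from this page, and that the readonly password is kept in a file read with `-y` rather than passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original page): find the olcDatabase index
# that holds the real directory, and verify the readonly account's access
# after the olcAccess changes. Assumptions: ldapi:/// with EXTERNAL works
# for root, suffix dc=example,dc=com, DNs as used on this page.

set -eu

SUFFIX="${SUFFIX:-dc=example,dc=com}"
READONLY_DN="cn=readonly,ou=System,dc=example,dc=com"
URI="${URI:-ldapi:///}"

# Map a suffix to its olcDatabase value, e.g. "{2}mdb". Reads the output
# of list_databases on stdin so the parsing can be exercised offline.
# Exit status 1 when no database carries that suffix.
database_for_suffix() {
    awk -v want="$1" '
        /^dn: olcDatabase=/ {
            db = $2
            sub(/^olcDatabase=/, "", db)
            sub(/,cn=config$/, "", db)
        }
        /^olcSuffix: / && $2 == want { print db; found = 1 }
        END { if (!found) exit 1 }'
}

# All databases with their suffix (the monitor and config databases have none).
list_databases() {
    ldapsearch -Q -LLL -Y EXTERNAL -H "$URI" -b cn=config \
        '(olcDatabase=*)' olcDatabase olcSuffix
}

# Bind as the readonly account, count what it can see, and make sure a
# write is refused. $1 is a file holding the password; create it with
# printf (no trailing newline) and mode 0600, because -y reads the file
# content verbatim.
check_readonly() {
    pw="$1"
    ldapwhoami -x -H "$URI" -D "$READONLY_DN" -y "$pw" >/dev/null
    n=$(ldapsearch -x -LLL -H "$URI" -D "$READONLY_DN" -y "$pw" \
            -b "$SUFFIX" '(objectClass=*)' dn | grep -c '^dn:' || true)
    [ "$n" -gt 0 ] || { echo "ERROR: readonly account sees no entries" >&2; return 1; }
    echo "readonly account can read $n entries"
    # Changing its own description must fail (only "to *" read was granted).
    if printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: write test\n' "$READONLY_DN" \
        | ldapmodify -x -H "$URI" -D "$READONLY_DN" -y "$pw" >/dev/null 2>&1; then
        echo "ERROR: readonly account was allowed to write" >&2
        return 1
    fi
    echo "write by readonly account correctly refused"
}

case "${1:-}" in
    databases) list_databases | database_for_suffix "$SUFFIX" ;;
    check)     check_readonly "${2:?path to the readonly password file required}" ;;
esac
```

`sh ldap-check.sh databases` prints the database to use in the olcDatabase={N}mdb DNs; `sh ldap-check.sh check /root/.readonly.pw` exercises the ACL. If the write test succeeds instead of failing, the olcAccess ordering is not what you intended and the directory should be checked with `slapcat -n 0` before the slave is set up.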

Add the syncprov overlay to every database you want to replicate.

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

Create indices on entryCSN and entryUUID, because syncprov uses these attributes to look for changes.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

Setup on Slave

Finally, set up the sync on the slave side.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldaps://ldap.example.com
  bindmethod=simple
  binddn="cn=readonly,ou=System,dc=example,dc=com"
  credentials="yourpassword"
  searchbase="dc=example,dc=com"
  type=refreshOnly
  timeout=0
  network-timeout=0
  retry="60 +
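Once the slave has completed its first refresh, the two servers should report the same contextCSN on the suffix entry. The following added example (not code from the original page) fetches that attribute from both sides and compares it. It assumes the suffix dc=example,dc=com, that both hosts listen on ldaps as the provider line above does, that the readonly account may search on both, and that its password is in a file read with `-y`.

```shell
#!/bin/sh
# Added example (not from the original page): compare contextCSN on master
# and slave to see whether replication has caught up. Assumptions: suffix
# dc=example,dc=com, ldaps on both hosts, readonly DN from this page, and
# the readonly password stored in a file (ldapsearch -y).

set -eu

SUFFIX="${SUFFIX:-dc=example,dc=com}"
READONLY_DN="cn=readonly,ou=System,dc=example,dc=com"

# Pull the contextCSN value(s) out of "ldapsearch -LLL" output on stdin.
# Sorted, because a multi-master directory carries one CSN per server ID
# and the two sides must be compared line by line.
context_csn() {
    awk '/^contextCSN: / { print $2 }' | sort
}

# Read the suffix entry of one host and extract its contextCSN.
fetch_csn() { # host passwordfile
    ldapsearch -x -LLL -H "ldaps://$1" -D "$READONLY_DN" -y "$2" \
        -b "$SUFFIX" -s base '(objectClass=*)' contextCSN | context_csn
}

# A CSN is "YYYYMMDDhhmmss.uuuuuuZ#count#sid#mod": fixed-width fields, so a
# plain string comparison orders them in time. Exit 0 when $1 is newer
# than $2 (expr's > is a string comparison for non-numeric operands).
csn_newer() {
    expr "$1" \> "$2" >/dev/null
}

# Exit 0 when both CSN lists are identical, otherwise print both and exit 1.
replication_status() { # master_csns slave_csns
    if [ "$1" = "$2" ]; then
        echo "in sync: $1"
        return 0
    fi
    echo "NOT in sync" >&2
    echo "master: $1" >&2
    echo "slave:  $2" >&2
    if csn_newer "$1" "$2"; then
        echo "slave is behind the master" >&2
    else
        echo "slave is AHEAD of the master; check for local writes on the slave" >&2
    fi
    return 1
}

# usage: status <master-host> <slave-host> <password-file>
case "${1:-}" in
    status)
        m=$(fetch_csn "${2:?master host}" "${4:?password file}")
        s=$(fetch_csn "${3:?slave host}" "$4")
        replication_status "$m" "$s"
        ;;
esac
```

Run `sh ldap-sync-status.sh status ldap.example.com slave.example.com /root/.readonly.pw` after the refresh interval has passed; a non-zero exit status makes it usable from a monitoring check. With type=refreshOnly the slave only polls, so a short lag right after a change on the master is expected and should clear on the next refresh.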