20

I'm using openldap 2.4.40, and i need to migrate my existing ldap database, configuration, and schema (basically everything ldap server related) to a new machine.

the problem is, I use cn=config configuration not the old slapd.conf file anymore.

The documentation provided by openldap and other 3rd party websites only helps for migrating slapd.conf LDAP server, not LDAP server with the newer cn=config configuration file.

and also I have new schema (attributetype and objectclass), is there a way to migrate these to a new machine as easily as possible?

I need other way than reconfiguring and adding my schema manually one by one to the new machine.

This will be done with the intention of turning off the old machine most likely.

TL;DR Is there any way to conveniently migrate LDAP database, schema, configuration from 1 LDAP Server to a new LDAP Server with the intention of turning off the old machine

Thank you.

*Posted the answer below

- Julio

J_LDAP
  • 588
  • 1
  • 4
  • 11
  • 2
    You really should post your solution as an answer and not an edit to your question. – Sven Jul 20 '16 at 09:24

2 Answers2

24

The solution :

So here's what I did to make this works.

  1. Stop Slapd on main server
  2. Slapcat databases from the main server (There are 2 database that needs to be exported. I use the "-n" tag

    slapcat -n 0 -l (config file location)
    

This one will export all schema and cn=config and

    slapcat -n 1 -l <database backup ldif path>

This on will export all user data that you keep in LDAP.

  1. SCP the 2 ldif file to the new server (make sure you installed LDAP on the server and make sure the configuration are almost identical to make this easier)
  2. stop slapd on the new server.
  3. delete the content of folder

    /etc/ldap/slapd.d
    
  4. use slapadd to import the configuration to the new server

    slapadd -n 0 -l (config ldif location)
    

    -n 0 is for adding configuration back to LDAP

    slapadd -n 1 -l (database ldif location)
    

    -n 1 is for adding database back to LDAP

*EDIT: Somehow those command won't work on my 2nd 3rd .... and so on try. So The proper command That I've verfied that it works are

  slapadd -n 0 -F /etc/ldap/slapd.d -l <config backup ldif path>

and

  slapadd -n 1 -l <data backup ldif path>
  1. change the permission in the /etc/ldap/slapd.d folder (chown and chmod). I chown it to openldap and chmod it to 755

Also Change permission in the /var/lib/ldap folder (chown and chmod) to openldap

if you have certificate for TLS connection. Copy the certificates and keys from old server to new server to the same exact location. change the permission on the places.

  1. start slapd.

and it should be good to go.

Hopes this helps other people

J_LDAP
  • 588
  • 1
  • 4
  • 11
  • 1
    I had issues with permissions on the database files in /var/lib/ldap which needed to be switched to owner ldap. Other than that, this was very smooth. – sheldonkreger Dec 05 '16 at 22:34
  • glad it works well for you – J_LDAP Dec 08 '16 at 03:29
  • this needs more upvotes. I've been hunting down and testing for 2 weeks for my setup to work. THANK YOU – hanzo2001 Sep 25 '17 at 16:43
  • Glad my post can help others – J_LDAP Sep 28 '17 at 06:44
  • In my case only the schema worked as expected, the data has not be copied. In fact dataset /var/lib/ldap on destination does not contain any string regarding users... it seems nothing has happened. I had to manually copy the database in /var/lib/ldap from source to destination machine; I followed https://serverfault.com/questions/227813/openldap-replication-problem/233141#233141 – Fabiano Tarlao Oct 30 '18 at 12:49
  • Did You used the command correctly? if so, what version of LDAP did You use? – J_LDAP Nov 07 '18 at 03:43
  • If You execute slapcat -n 0 -l (config file location) then Your current config file on server will be overwritten with that dump. This should be fixed. Also in my case it is not working at all i got an "error: slapcat: could not open database" only slapcat -n 1 is working but I need all schema config etc. My source LDAP server is very old Debian 4 ( etch ). – mike Aug 25 '21 at 11:30
6

Export both trees (cn=config and your regular data) into LDIF, import them back on the new server (cn=config first). Done.

Also, cn=config is essentially just a collection of LDIF files and it might be possible to just copy this collection to the same relative location on the new server (while slapd is not running).

Sven
  • 97,248
  • 13
  • 177
  • 225
  • 1
    how exactly do I export them? What about Schema (new objectclass,attributetypes) ? Thanks for the answer – J_LDAP Oct 20 '15 at 11:56
  • The schemas *should* be defined in `cn=schema,cn=config` (or something like that) and will be contained in the LDIF file. – Sven Oct 20 '15 at 13:41
  • Ok thanks fot the answer. I'll give it a try later. Thank you so much. – J_LDAP Oct 20 '15 at 21:27
  • Could You show how to do it all in steps? I tried slapcat -n 0 from earlier answer but is not working with error: "slapcat: could not open database" with switch -n 1 it's dumping but I need whole copy of OpenLDAP slapd not just database. In my case source it's very old Debian 4 ( etch ) maybe it's important for that method. – mike Aug 25 '21 at 11:32