How To Backup and Restore OpenLDAP

By | October 4, 2016

This guide assumes familiarity with UNIX like operating systems, X.500, LDAP and OpenLDAP. The Directory Backups section of the OpenLDAP 2.4 Administrator’s Guide, as of September 28, 2016, doesn’t have any kind of restoration procedures. This guide will help you do it.

Backup OpenLDAP

There are two methods for backing up OpenLDAP. One is to backup the back end database, the other is to dump an LDIF of the directory. Since there are multiple backends, and using LDIF allows you to backup the configuration and data using the same tools and procedures. This guide covers the LDIF method. The OpenLDAP Admin Guide seems to lean towards backing up the underlying database the directory uses.

To create a backup, you use the slapcat command. slapcat outputs your entire directories in LDIF format.

Backup the Configuration Directory

slapcat -n 0 -l config.ldif

The "-l config.ldif" instructs slapcat to write to the file config.ldif. The "-n 0" means slapcat should output an LDIF for database 0, which is the configuration directory.

Backup the Data Directories

Data directories are backed up the same way, but using the relevant database number. The command below writes the data from database 1 to the file data.ldif.

slapcat -n 1 -l data.ldif

Do this for each of your directories.

Restore OpenLDAP

The first thing to do when restoring OpenLDAP is to stop slapd.

service slapd stop


pkill slapd

Restore the Configuration Directory

Restoration is done with slapadd. If you are restoring your configuration directory, I recommend deleting it or renaming, then recreating it first. Make note of the owner and group of the directory. The table below shows the location of the configuration directory in various environments:

OS Configuration Directory
Debian/Ubuntu /etc/ldap/slapd.d
RHEL/CentOS /etc/openldap/slapd.d
SuSE (Uses slapd.conf) /etc/openldap/slapd.d
FreeBSD /usr/local/etc/openldap/slapd.d
Compiled From Source /usr/local/etc/openldap/slapd.d

bash# ls -ld /etc/openldap/slapd.d
drwxr-xr-x 3 ldap ldap 4096 Jul 16 06:57 /etc/openldap/slapd.d
bash# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.`date '+%Y-%m-%d'`

When you are done recreating the configuration directory, restore it with slapadd:

slapadd -n 0 -F /etc/openldap/slapd.d -l /backups/config.ldif

The "-n" and "-l" mean the same thing they do with slapcat. The "-F /etc/openldap/slapd.d" specifies that /etc/openldap/slapd.d is your configuration directory.

Now change the ownership and permissions of the configuration directory (Linux and UNIX File Permissions Guide) to what it was previously.

chown -R ldap:ldap /etc/openldap/slapd.d

Restoring the Data Directories

First, determine the locations of your database directories. If you are using the online configuration directory, it is found in the olcDbDirectory attribute of the olcDatabaseConfig class objects. If you are using slapd.conf, look at the directory line under the database definitions section.

I recommend renaming or deleting and then recreating the directories first.

bash# ls -ld /var/lib/ldap
drwxr-xr-x 3 ldap ldap 4096 Jul 16 06:57 /var/lib/ldap
bash# mv /var/lib/ldap /var/lib/ldap`date '+%Y-%m-%d'`

Once you are done with this, use slapadd to restore the data:

slapadd -n 1 -F /etc/openldap/slapd.d -l /backups/data.ldif

Now change the ownership of the data directory (Linux and UNIX File Permissions Guide) to what it was previously.

chown -R ldap:ldap /var/lib/ldap

Now that you are done restoring, start slapd and check your directory.

Replicated Directories

If you are using any kind of replication, add -w to your slapadd command. For example:

slapadd -n 1 -F /config/directory/slapd.d -l /backups/data.ldif -w

The -w adds replication information to the directory, causing other servers using it as a replication source to synchronize to it.

Leave a Reply

Your email address will not be published. Required fields are marked *