How To Backup and Restore OpenLDAP

Published 2016-10-04

This guide assumes familiarity with UNIX-like operating systems, X.500, LDAP and OpenLDAP. As of September 28, 2016, the Directory Backups section of the OpenLDAP 2.4 Administrator's Guide explains how to take a backup but gives no restoration procedure at all. This guide fills that gap.

Backup OpenLDAP

There are two ways to back up OpenLDAP: copy the backend database files, or dump the directory to LDIF. Because there are several backends (bdb, hdb and mdb in 2.4), and because LDIF lets you back up the configuration and the data with the same tools and the same procedure, this guide covers the LDIF method. The OpenLDAP Admin Guide leans towards backing up the underlying database files instead. Whichever method you use, treat the result as sensitive: a full dump contains every userPassword value in the directory and, for cn=config, the olcRootPW of each database.

To create a backup, use the slapcat command. slapcat writes one entire database in LDIF format. It opens the database read-only, so with the bdb, hdb and mdb backends it can be run while slapd is up. Write the output somewhere only root can read (for example under a umask of 077), for the reasons given above.

Backup the Configuration Directory

slapcat -n 0 -l config.ldif

The "-l config.ldif" instructs slapcat to write to the file config.ldif. The "-n 0" means slapcat should output an LDIF for database 0, which is the configuration database (cn=config). If your slapd.d is not in the compiled-in default location, add "-F /path/to/slapd.d" so slapcat reads the right configuration.

Backup the Data Directories

Data databases are backed up the same way, using the relevant database number. The numbers are the {n} in the olcDatabase entries of cn=config (olcDatabase={1}mdb is database 1), or the order of the database sections in slapd.conf. The command below writes the contents of database 1 to the file data.ldif.

slapcat -n 1 -l data.ldif

Do this for each of your databases. If you would rather not track numbers, slapcat also accepts "-b dc=example,dc=com" to select a database by its suffix.
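As an added example that is not part of the original article, here is a shell script that takes the dumps above for cn=config and for every storage-backed database in one pass. Rather than hard-coding "-n 1", it derives the database numbers from the cn=config dump it has just written, skipping the frontend, config and monitor databases, which have no olcDbDirectory and cannot be dumped with slapcat. The RHEL/CentOS paths, the /backups/ldap destination and the constructed sample cn=config LDIF used for the self-check are assumptions, not anything from the original page.

```shell
#!/bin/sh
# Added example, not from the original article: dump cn=config and every
# storage-backed slapd database to LDIF with slapcat.
# Assumptions: RHEL/CentOS paths, slapcat in PATH, run as root.
set -eu

CONF_DIR=${CONF_DIR:-/etc/openldap/slapd.d}
BACKUP_ROOT=${BACKUP_ROOT:-/backups/ldap}

# Read a cn=config LDIF on stdin and print "index suffix directory" for every
# database that has an olcDbDirectory, i.e. one slapcat can dump. The frontend
# ({-1}), config ({0}) and monitor databases have none and are skipped.
# Assumes these short values are neither LDIF-folded nor base64-encoded.
list_data_databases() {
  awk 'BEGIN { RS = ""; FS = "\n" }
  {
    idx = ""; dir = ""; suf = "-"
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^olcDatabase: [{]/) {
        idx = $i
        sub(/^olcDatabase: [{]/, "", idx)
        sub(/[}].*$/, "", idx)
      } else if ($i ~ /^olcDbDirectory: /) {
        dir = substr($i, 17)
      } else if ($i ~ /^olcSuffix: /) {
        suf = substr($i, 12)
      }
    }
    if (idx != "" && dir != "") print idx, suf, dir
  }'
}

# Number of entries in an LDIF file: one "dn:" line per entry. grep exits
# non-zero on an empty dump, which aborts backup_all under set -e.
ldif_entry_count() {
  grep -c '^dn:' "$1"
}

# Dump everything into a fresh, root-only directory. slapcat output holds
# every userPassword hash and olcRootPW, so never leave it world-readable.
backup_all() {
  dest="$BACKUP_ROOT/$(date '+%Y-%m-%d_%H%M%S')"
  umask 077
  mkdir -p "$dest"
  slapcat -F "$CONF_DIR" -n 0 -l "$dest/config.ldif"
  list_data_databases < "$dest/config.ldif" | while read -r idx suf dir; do
    slapcat -F "$CONF_DIR" -n "$idx" -l "$dest/db$idx.ldif"
    printf 'db %s (%s, %s): %s entries\n' "$idx" "$suf" "$dir" \
      "$(ldif_entry_count "$dest/db$idx.ldif")"
  done
  echo "backup written to $dest"
}

# Constructed sample of a slapcat -n 0 dump, used for the self-check below.
SAMPLE_CONFIG='dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor'

if [ "${1:-}" = "run" ]; then
  backup_all
else
  # Self-check against the sample: only the mdb database should be listed.
  printf '%s\n' "$SAMPLE_CONFIG" | list_data_databases
fi
```

Run it as "sh ldap-backup.sh run" from cron; without the argument it only parses the embedded sample, so you can see what it would select before pointing it at a live server. Each dump is written before the next is started, so a failure on one database leaves the earlier files intact.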

Restore OpenLDAP

The first thing to do when restoring OpenLDAP is to stop slapd. Never run slapadd against a database that a running slapd has open.

service slapd stop (or systemctl stop slapd on systemd hosts)

or

pkill slapd

Restore the Configuration Directory

Restoration is done with slapadd. If you are restoring the configuration directory, I recommend renaming (or deleting) the existing one and recreating it empty first: slapadd -n 0 refuses to add entries that already exist in cn=config. Make a note of the owner and group of the directory before you move it. The configuration directory lives in different places depending on the environment:

  OS                      Configuration directory
  Debian/Ubuntu           /etc/ldap/slapd.d
  RHEL/CentOS             /etc/openldap/slapd.d
  SuSE                    /etc/openldap/slapd.d (uses slapd.conf by default)
  FreeBSD                 /usr/local/etc/openldap/slapd.d
  Compiled from source    /usr/local/etc/openldap/slapd.d

bash# ls -ld /etc/openldap/slapd.d
drwxr-xr-x 3 ldap ldap 4096 Jul 16 06:57 /etc/openldap/slapd.d
bash# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.`date '+%Y-%m-%d'`
bash# mkdir /etc/openldap/slapd.d

When you are done recreating the configuration directory, restore it with slapadd:

slapadd -n 0 -F /etc/openldap/slapd.d -l /backups/config.ldif

The "-n" and "-l" options mean the same thing they do with slapcat. The "-F /etc/openldap/slapd.d" names the configuration directory to write into; it must exist and be empty, which is why it was recreated above. slapadd creates the files as the user running it (normally root), so the ownership has to be fixed afterwards.

Now change the ownership of the configuration directory back to what it was previously:

chown -R ldap:ldap /etc/openldap/slapd.d

Restoring the Data Directories

First, determine the locations of your database directories. If you are using the online configuration (cn=config), each one is in the olcDbDirectory attribute of an object of class olcDatabaseConfig, for example olcDatabase={1}mdb,cn=config. If you are using slapd.conf, look at the directory line under each database definition.

I recommend renaming (or deleting) and then recreating the directories first. Note the owner and group as you do so. If the backend is bdb or hdb, also copy the DB_CONFIG file from the old directory into the new one before running slapadd; mdb needs no such file.

bash# ls -ld /var/lib/ldap
drwxr-xr-x 3 ldap ldap 4096 Jul 16 06:57 /var/lib/ldap
bash# mv /var/lib/ldap /var/lib/ldap.`date '+%Y-%m-%d'`
bash# mkdir /var/lib/ldap

Once you are done with this, use slapadd to restore the data. Adding -u to the command gives a dry run that parses and schema-checks the LDIF without writing anything; run it that way first, then again without -u:

slapadd -n 1 -F /etc/openldap/slapd.d -l /backups/data.ldif

slapadd ran as root, so change the ownership of the data directory back to what it was previously:

chown -R ldap:ldap /var/lib/ldap

Now that you are done restoring, run "slaptest -F /etc/openldap/slapd.d" to confirm that the configuration still parses, start slapd, and check the directory. A query for the root DSE, such as "ldapsearch -x -LLL -H ldap://localhost -b '' -s base namingContexts", confirms the server is up and serving the expected suffixes; follow it with a search under each suffix.

Replicated Directories

If the server you are restoring is a replication provider (including every node of a mirror-mode or multi-master setup), add -w to the slapadd command for each data database. For example:

slapadd -n 1 -F /config/directory/slapd.d -l /backups/data.ldif -w

The -w option writes the syncrepl context: after all entries are loaded, slapadd sets the database's contextCSN to the greatest entryCSN it added. Without it a restored provider has no current contextCSN, and consumers cannot tell whether they are in sync with it. Consumers themselves do not need -w; it is usually simpler to wipe a consumer's database and let it resynchronize from the provider.
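As an added example that is not part of the original article, the following shell script ties the restore steps above (stop slapd, move the old directory aside, slapadd, fix ownership, check, start) and the replication note into one function for a single data database. It decides whether to pass -w by looking for syncrepl configuration in slapd.d, and it dry-runs slapadd with -u before writing. The RHEL/CentOS paths, the SysV "service" command, the availability of ldapsearch and the constructed sample dump used for the self-check are assumptions, not anything from the original page.

```shell
#!/bin/sh
# Added example, not from the original article: restore one slapd database
# from a slapcat dump, following the article's steps.
# Assumptions: RHEL/CentOS paths, SysV "service", cn=config in use, run as root.
set -eu

CONF_DIR=${CONF_DIR:-/etc/openldap/slapd.d}

# DN of the first entry in an LDIF; in a slapcat dump that is the suffix.
ldif_first_dn() {
  sed -n 's/^dn: //p' "$1" | head -n 1
}

# Does the dump carry a contextCSN? The suffix entry of a replicated
# database does; slapadd -w derives a fresh one from the entryCSNs anyway.
ldif_has_contextcsn() {
  grep -q '^contextCSN:' "$1"
}

# Is replication configured anywhere in slapd.d? slapd.d stores one LDIF
# file per entry, so a recursive grep for the syncrepl attributes suffices.
replication_configured() {
  grep -rqs -e '^olcSyncrepl:' -e '^olcMirrorMode: TRUE' "$1"
}

# restore_database INDEX LDIF DBDIR
restore_database() {
  idx=$1; ldif=$2; dbdir=$3
  [ -s "$ldif" ] || { echo "refusing to restore from empty LDIF $ldif" >&2; return 1; }
  service slapd stop
  # Remember the owner before moving the old directory aside; slapadd runs
  # as root and would otherwise leave root-owned files behind.
  owner=$(ls -ld "$dbdir" | awk '{ print $3 ":" $4 }')
  mv "$dbdir" "$dbdir.$(date '+%Y-%m-%d_%H%M%S')"
  mkdir -m 0700 "$dbdir"
  # back-bdb/hdb expect DB_CONFIG in the new directory: copy it from the
  # old one if you use those backends. back-mdb needs nothing.
  slapadd -u -n "$idx" -F "$CONF_DIR" -l "$ldif"   # -u: dry run, no writes
  if replication_configured "$CONF_DIR"; then
    ldif_has_contextcsn "$ldif" ||
      echo "note: dump has no contextCSN; -w derives one from entryCSNs" >&2
    wflag=-w                                        # provider: rebuild contextCSN
  else
    wflag=
  fi
  slapadd $wflag -n "$idx" -F "$CONF_DIR" -l "$ldif"
  chown -R "$owner" "$dbdir"
  slaptest -F "$CONF_DIR"                           # configuration still parses
  service slapd start
  # Read the suffix entry back; 1.1 requests no attributes, just the DN.
  ldapsearch -x -LLL -H ldap://localhost -b "$(ldif_first_dn "$ldif")" -s base 1.1
}

# Constructed sample slapcat dump for the self-check below.
SAMPLE_LDIF='dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
entryCSN: 20161004120000.000000Z#000000#000#000000
contextCSN: 20161004120000.000000Z#000000#000#000000

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
entryCSN: 20161004120000.000000Z#000000#000#000000'

if [ $# -eq 3 ]; then
  restore_database "$@"
else
  # Self-check on the sample: report suffix and whether a contextCSN exists.
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LDIF" > "$tmp"
  echo "suffix: $(ldif_first_dn "$tmp")"
  if ldif_has_contextcsn "$tmp"; then echo "contextCSN present"; else echo "no contextCSN"; fi
  rm -f "$tmp"
fi
```

Invoke it as "sh ldap-restore.sh 1 /backups/data.ldif /var/lib/ldap". The dry run with -u is what catches a dump taken from a server with a different schema before anything is written; the empty-file check guards against restoring from a backup job that silently produced nothing.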
