This is an obsolete document -- see instead

Rebuilding an OpenLDAP server from scratch and migrating the database
from a Debian Lenny to a Debian Jessie



You are not obliged to use the new slapd.d/ configuration layout: you can keep the old slapd.conf by simply removing the slapd.d/ configuration folder.


It is also possible to convert the old-style config into the new style, at least for some parts.




Install OpenLDAP and the additional samba.schema,

apt-get install slapd
(leave the LDAP admin password empty when prompted; the configuration is replaced anyway)
apt-get install samba-doc
ls -l  /etc/ldap/schema/ | grep samba
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
ls -l  /etc/ldap/schema/ | grep samba


The slapcat / slapadd trick 

On the old server, print the configuration and the BDB tuning file without blank lines and comments,

cd /etc/ldap/
sed '/^$/d; /^#/d' slapd.conf


cd /var/lib/ldap/example/
sed '/^$/d; /^#/d' DB_CONFIG


/etc/init.d/slapd stop
slapcat -l ~/ldapdump.raw
/etc/init.d/slapd start


Also copy the certificate files, if any, e.g.,

TLSCACertificateFile  /etc/ldap/demoCA/cacert.pem
TLSCertificateFile    /etc/ldap/servercert.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem


Move the saved files to the new server, e.g.,

cd ~/
rsync -av --rsh=ssh root@OLD_SRV:~/ldapdump.raw .
ls -l ldapdump.raw


On the new server, 

cd /etc/ldap/
rm -rf slapd.d/
vi slapd.conf
cp /root/ldap/servercert.pem .
cp /root/ldap/serverkey.pem .
mkdir demoCA/
cp /root/ldap/demoCA/cacert.pem demoCA/


grep ^directory /etc/ldap/slapd.conf
cd /var/lib/ldap/
mkdir example/
chown -R openldap:openldap example/
cd example/
ls -al
slapadd -l ~/ldapdump.raw
cd ../
chown -R openldap:openldap example/


Ready to go 

You can now start the service, 

/etc/init.d/slapd start

and check, 

ps aux | grep slap

if necessary, restart so that slapd is started with -f (slapd.conf) rather than -F (slapd.d/),

/etc/init.d/slapd restart

check again, 

ps aux | grep slap

you should see this process on the server,

openldap  7954  0.0  0.4 247668  9208 ?        Ssl  09:01   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf

pointing to the old-style slapd.conf with -f and not -F.
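The checks done by eye above (which configuration layout the running slapd was started with, whether it dropped to the openldap user and group, and which layout is present under /etc/ldap/) can be scripted. The following shell functions are an added example, not part of the original notes; the function names are ours, the sample ps line in the comments is the one shown above, and the live check assumes a procps-style ps.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity checks for a migrated
# slapd. Function names are our own; paths follow the notes (/etc/ldap).

# slapd_config_mode PS_LINE
# Prints "slapd.conf" when the ps line shows -f, "slapd.d" when it shows -F,
# and "unknown" otherwise (e.g. the grep process matched by `ps aux | grep slap`).
slapd_config_mode() {
    case " $1 " in
        *" -f "*) printf 'slapd.conf\n' ;;
        *" -F "*) printf 'slapd.d\n' ;;
        *)        printf 'unknown\n' ;;
    esac
}

# slapd_runs_as PS_LINE USER GROUP
# Returns 0 when the command line drops privileges with "-u USER" and
# "-g GROUP", 1 otherwise. slapd should never keep running as root.
slapd_runs_as() {
    case " $1 " in
        *" -u $2 "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" -g $3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# config_layout_on_disk ETCDIR
# Prints which layout is present under ETCDIR: "slapd.d" if that directory
# exists (it wins over a slapd.conf lying next to it, which is why the notes
# remove it), "slapd.conf" if only the file exists, "none" otherwise.
config_layout_on_disk() {
    if [ -d "$1/slapd.d" ]; then
        printf 'slapd.d\n'
    elif [ -f "$1/slapd.conf" ]; then
        printf 'slapd.conf\n'
    else
        printf 'none\n'
    fi
}

# check_running_slapd [USER] [GROUP]
# Live check: reports layout and privilege drop for every running slapd.
# Returns 1 when no slapd process is found.
check_running_slapd() {
    user=${1:-openldap}; group=${2:-openldap}
    # the [/] trick keeps grep from matching its own command line
    lines=$(ps -e -o args= 2>/dev/null | grep '[/]slapd ')
    [ -n "$lines" ] || { printf 'no slapd process found\n' >&2; return 1; }
    printf '%s\n' "$lines" | while read -r line; do
        printf 'config layout: %s\n' "$(slapd_config_mode "$line")"
        if slapd_runs_as "$line" "$user" "$group"; then
            printf 'runs as %s:%s: yes\n' "$user" "$group"
        else
            printf 'runs as %s:%s: NO\n' "$user" "$group"
        fi
    done
}

# Run the live check only when asked for, so the file can also be sourced.
if [ "${1:-}" = --check ]; then
    printf 'on disk: %s\n' "$(config_layout_on_disk /etc/ldap)"
    check_running_slapd
fi
```

Run it as `sh slapd-check.sh --check` on the new server (or source it and call the functions from an interactive shell); for the ps line shown above it reports slapd.conf as the layout and confirms the drop to openldap:openldap.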


Now check that everything works, 

ldapsearch -x -b "dc=example,dc=com" -h NEW_SLAPD
ldapsearch -x -b "dc=example,dc=com" uid=USER* -h NEW_SLAPD
ldapsearch -D "uid=USER,ou=people,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" -h NEW_SLAPD
ldapsearch -D "cn=ldap-admin,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" -h NEW_SLAPD


Enable the daemon at boot time, 

systemctl enable slapd



If necessary, start slapd in debug mode,

slapd -u openldap -g openldap -d 1


If you need to start fresh, 

/etc/init.d/slapd stop
ps aux | grep slapd
apt-get purge slapd samba-doc
apt-get purge db-upgrade-util db5.1-util db5.3-util
apt-get autoremove
#cd /var/backups/
#rm -rf unknown-2.4.40+dfsg-1+deb8u1.ldapdb/
#rm -rf slapd*
rm -rf /etc/ldap/
rm -rf /var/lib/ldap/


If you are getting this error when reinstalling slapd, 

ldif_read_record: include file:///etc/ldap/schema/core.ldif failed

==> back up and purge the configs before you reinstall it, see above.


If you get this error while trying to start slapd in debug mode, 

bi_db_open failed! (-1)

==> maybe you forgot to fix the permissions/ownership after slapadd?
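Both of the failure modes above come from the state of the database directory, so they can be checked before the daemon is started. The shell functions below are an added example, not part of the original notes: they resolve the "directory" line of the old-style slapd.conf (the same line the notes grep for), verify that the directory and everything in it belong to openldap:openldap, and verify that DB_CONFIG was carried over. Function names are ours; the defaults assume the paths and user from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: pre-start checks for the
# database directory after slapadd. Function names are our own.

# slapd_conf_directory CONF
# Prints the path from the first "directory" line of an old-style slapd.conf
# (surrounding quotes removed), or nothing if there is none.
slapd_conf_directory() {
    awk '$1 == "directory" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# db_dir_owned_by DIR USER GROUP
# Returns 0 when DIR and everything inside it belong to USER:GROUP, 1 when
# some path does not (each one is listed on stderr), 2 when DIR is missing
# or USER/GROUP is unknown. slapadd run as root leaves root-owned *.bdb
# files behind, which is what "bi_db_open failed! (-1)" usually means here.
db_dir_owned_by() {
    [ -d "$1" ] || { printf 'not a directory: %s\n' "$1" >&2; return 2; }
    id -u "$2" >/dev/null 2>&1 || { printf 'unknown user: %s\n' "$2" >&2; return 2; }
    # find fails (and we return 2) if the group name does not exist
    bad=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print) || return 2
    [ -z "$bad" ] && return 0
    printf 'wrong owner:\n%s\n' "$bad" >&2
    return 1
}

# db_dir_has_db_config DIR
# Returns 0 when DIR/DB_CONFIG exists (the BDB tuning file from the old
# server), 1 otherwise.
db_dir_has_db_config() {
    [ -f "$1/DB_CONFIG" ]
}

# preflight [CONF] [USER] [GROUP]
# Resolves the directory from CONF and runs both checks. Returns 0 only
# when everything passes; the fix for ownership is the chown -R from the
# notes.
preflight() {
    conf=${1:-/etc/ldap/slapd.conf}; user=${2:-openldap}; group=${3:-openldap}
    dir=$(slapd_conf_directory "$conf")
    [ -n "$dir" ] || { printf 'no directory line in %s\n' "$conf" >&2; return 2; }
    rc=0
    db_dir_owned_by "$dir" "$user" "$group" || rc=1
    db_dir_has_db_config "$dir" || { printf 'missing %s/DB_CONFIG\n' "$dir" >&2; rc=1; }
    [ "$rc" -eq 0 ] && printf '%s: ok\n' "$dir"
    return $rc
}

# Run against the real server only when asked for, so the file can be sourced.
if [ "${1:-}" = --check ]; then
    preflight
fi
```

On the new server, `sh ldap-preflight.sh --check` between the slapadd and the first start prints the offending paths, and the `chown -R openldap:openldap example/` from the notes clears them.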


Alternative methods (draft) 

The db_recover trick 

Restore the LDAP database from a tarball of the old server's database directory and upgrade it in place,

/etc/init.d/slapd stop
ps ax | grep slapd
cd /var/lib/ldap/
rm -rf example/
tar xzpf ~/example.czpf.tar.gz -C .
chown -R openldap:openldap example/
cd example/
rm -rf __db*
db5.1_checkpoint -1
db5.1_upgrade *.bdb
cd ../
chown -R openldap:openldap example/
/etc/init.d/slapd start


The old/ trick 

1. create a folder "old/" in /var/lib/ldap/

2. mv all the original dbs to old/

3. /etc/init.d/slapd restart

4. all the dbs get replicated from the old server


The olcDatabase replication trick (maybe related to the old/ trick, since the data goes somewhere else?)

Edit the new style configuration to enable replication, 

vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif


olcSyncrepl: rid=013 provider=ldap:// bindmethod=simple time
 out=0 network-timeout=0 binddn="cn=ldap-admin,dc=example,dc=com" credential
 s="LDAP MASTER PASSWD" keepalive=1200:10:3 starttls=no filter="(objectclass=*)" searchbase="dc=example,dc=com" sc
 ope=sub schemachecking=off type=refreshAndPersist retry="60 +"


But you might get this error when trying to modify the database (olcSyncrepl method), since a syncrepl consumer is a read-only shadow copy and, without an updateref, has nowhere to refer writes to:

Failed to add user to LDAP database : shadow context; no update referral


Adding samba schema to the new style conf 

Import the schema configuration into the new .d layout, 

cd /etc/ldap/
cat > samba.conf <<EOF
include          /etc/ldap/schema/core.schema
include          /etc/ldap/schema/cosine.schema
include          /etc/ldap/schema/nis.schema
include          /etc/ldap/schema/inetorgperson.schema
include          /etc/ldap/schema/samba.schema
EOF
mkdir /tmp/slapd.d/
slaptest -f samba.conf -F /tmp/slapd.d/
cp -i "/tmp/slapd.d/cn=config/cn=schema/cn={4}samba.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema"
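The cp above hardcodes cn={4}samba.ldif, which is only right when the target cn=schema directory already holds exactly the four schemas with indexes 0 to 3; the index is also repeated inside the file in the dn: and cn: attributes, so renaming the file alone is not enough. The following shell functions, an added example rather than part of the original notes, generalise that last step: they compute the next free {N} index in the target directory and rewrite the dn and cn lines to match. Function names, the sample schema files in the demo and the "old/" target layout are ours.

```shell
#!/bin/sh
# Added example, not from the original notes: install a slaptest-generated
# schema LDIF under the next free {N} index. Function names are our own.

# next_schema_index SCHEMADIR
# Prints max(N)+1 over the cn={N}*.ldif files in SCHEMADIR, or 0 if none.
next_schema_index() {
    max=-1
    for f in "$1"/cn=\{*\}*.ldif; do
        [ -e "$f" ] || continue
        n=${f##*/cn=\{}          # strip everything up to "cn={"
        n=${n%%\}*}              # keep only the digits before "}"
        case $n in
            *[!0-9]*|'') continue ;;
        esac
        [ "$n" -gt "$max" ] && max=$n
    done
    echo $((max + 1))
}

# install_schema_ldif SRC SCHEMADIR
# Copies SRC (e.g. /tmp/slapd.d/cn=config/cn=schema/cn={4}samba.ldif) into
# SCHEMADIR as cn={N}<name>.ldif with N the next free index, rewriting the
# "dn:" and "cn:" lines so they agree with the file name. Prints the new path,
# refuses to overwrite an existing file.
install_schema_ldif() {
    src=$1; dest=$2
    base=$(basename "$src" .ldif)        # cn={4}samba
    name=${base#cn=\{*\}}                 # samba
    idx=$(next_schema_index "$dest")
    out="$dest/cn={$idx}$name.ldif"
    [ -e "$out" ] && { printf 'refusing to overwrite %s\n' "$out" >&2; return 1; }
    sed -e "s/^dn: cn={[0-9]*}$name\$/dn: cn={$idx}$name/" \
        -e "s/^cn: {[0-9]*}$name\$/cn: {$idx}$name/" "$src" > "$out" || return 1
    printf '%s\n' "$out"
}

# demo: constructed target with five schemas (indexes 0-4, so {4} is taken)
# and a constructed samba LDIF; the real files also carry olcAttributeTypes
# and olcObjectClasses lines, which are copied through untouched.
demo() {
    t=$(mktemp -d)
    mkdir "$t/target" "$t/src"
    for e in '{0}core' '{1}cosine' '{2}nis' '{3}inetorgperson' '{4}ppolicy'; do
        printf 'dn: cn=%s\nobjectClass: olcSchemaConfig\ncn: %s\n' "$e" "$e" \
            > "$t/target/cn=$e.ldif"
    done
    printf 'dn: cn={4}samba\nobjectClass: olcSchemaConfig\ncn: {4}samba\n' \
        > "$t/src/cn={4}samba.ldif"
    install_schema_ldif "$t/src/cn={4}samba.ldif" "$t/target"   # prints .../cn={5}samba.ldif
    rm -rf "$t"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

On a real system the call is `install_schema_ldif "/tmp/slapd.d/cn=config/cn=schema/cn={4}samba.ldif" /etc/ldap/slapd.d/cn=config/cn=schema` with slapd stopped, followed by the chown of slapd.d/ to openldap and a `slaptest -F /etc/ldap/slapd.d` before starting the daemon again.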



Migrating an existing LDAP database to a new computer: