

Warning: those guides are mostly obsolete, please have a look at the new documentation.


Rebuilding an OpenLDAP server from scratch and migrating the database
from a Debian Lenny to a Debian Jessie
 
Introduction
You are not obliged to use the new slapd.d/ configuration layout. You can reuse the old slapd.conf by simply removing the slapd.d/ configuration folder.
 
It is also possible to convert the old-style config into the new style, at least partially.
Ref. https://wiki.debian.org/LDAP/OpenLDAPSetup
 
Installation
Install openldap and the additional samba.schema,
apt-get install slapd
(the LDAP admin password prompt can be left empty, the configuration gets removed anyway)
apt-get install samba-doc
ls -l /etc/ldap/schema/ | grep samba
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
ls -l /etc/ldap/schema/ | grep samba
 
The slapcat / slapadd trick
On the old server,
cd /etc/ldap/
sed '/^$/d; /^#/d' slapd.conf
(copy)
 
cd /var/lib/ldap/example/
sed '/^$/d; /^#/d' DB_CONFIG
(copy)
 
/etc/init.d/slapd stop
slapcat -l ~/ldapdump.raw
/etc/init.d/slapd start
 
Also copy the certificate files, if there are any, e.g.,
TLSCACertificateFile /etc/ldap/demoCA/cacert.pem
TLSCertificateFile /etc/ldap/servercert.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
 
Move the saved files to the new server e.g.,
cd ~/
rsync -av --rsh=ssh root@OLD_SRV:~/ldapdump.raw .
ls -l ldapdump.raw
 
On the new server,
cd /etc/ldap/
rm -rf slapd.d/
vi slapd.conf
(paste)
cp /root/ldap/servercert.pem .
cp /root/ldap/serverkey.pem .
mkdir demoCA/
cp /root/ldap/demoCA/cacert.pem demoCA/
 
grep ^directory /etc/ldap/slapd.conf
cd /var/lib/ldap/
mkdir example/
chown -R openldap:openldap example/
cd example/
ls -al
vi DB_CONFIG
(paste)
slapadd -l ~/ldapdump.raw
cd ../
chown -R openldap:openldap example/
 
Ready to go
You can now start the service,
/etc/init.d/slapd start
and check,
ps aux | grep slap
restart if needed, so that slapd gets started with -f (old-style slapd.conf) rather than -F (slapd.d/),
/etc/init.d/slapd restart
check again,
ps aux | grep slap
you should see that process on the server,
openldap 7954 0.0 0.4 247668 9208 ? Ssl 09:01 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf
pointing to the old style slapd.conf with -f and not -F.
 
Now check that everything works,
ldapsearch -x -b "dc=example,dc=com" -h NEW_SLAPD
ldapsearch -x -b "dc=example,dc=com" uid=USER* -h NEW_SLAPD
ldapsearch -D "uid=USER,ou=people,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" -h NEW_SLAPD
ldapsearch -D "cn=ldap-admin,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" -h NEW_SLAPD
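A quick completeness check for the migration, written as an added example that is not part of the original guide: it extracts the DNs from the old server's slapcat dump (unfolding LDIF continuation lines and decoding base64 "dn::" values) and lists those the new slapd does not return. It assumes the dump is ~/ldapdump.raw and that the live listing is produced with ldapsearch -x -LLL -b dc=example,dc=com dn against NEW_SLAPD; the LDIF below is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original guide: after slapadd, verify that every
# DN from the old server's slapcat dump is actually served by the new slapd.
# Assumptions (placeholders): the dump is ~/ldapdump.raw and the live listing is
# "ldapsearch -x -LLL -h NEW_SLAPD -b dc=example,dc=com dn > live.ldif".

# Unfold LDIF (continuation lines start with one space) and print one DN per
# line, decoding base64 "dn::" values, sorted so the two lists can be compared.
ldif_dns() {
    awk '/^ / { buf = buf substr($0, 2); next }        # folded line: append
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1" |
    while IFS= read -r line; do
        case "$line" in
            "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; echo ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done | LC_ALL=C sort
}

# Number of entries in an LDIF file (one dn per entry).
ldif_count() { ldif_dns "$1" | wc -l | tr -d ' '; }

# DNs present in the dump ($1) but absent from the live listing ($2);
# prints nothing when the migration is complete.
ldif_missing() {
    live=$(mktemp) || return 1
    ldif_dns "$2" > "$live"
    ldif_dns "$1" | grep -vxF -f "$live" || :   # -x whole line, -F literal
    rm -f "$live"
}

# Constructed sample data: the dump has a folded DN and a base64 (UTF-8) DN;
# the live listing is missing the third entry.
DUMP=$(mktemp); LIVE=$(mktemp)
cat > "$DUMP" <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject

dn: uid=alice,ou=people,dc=example,
 dc=com
objectClass: inetOrgPerson

dn:: dWlkPWLDtnJqZSxvdT1wZW9wbGUsZGM9ZXhhbXBsZSxkYz1jb20=
objectClass: inetOrgPerson
EOF
printf 'dn: dc=example,dc=com\n\ndn: uid=alice,ou=people,dc=example,dc=com\n' > "$LIVE"
echo "dump: $(ldif_count "$DUMP") entries, live: $(ldif_count "$LIVE") entries"
echo "missing on the new server:"; ldif_missing "$DUMP" "$LIVE"
```

On a real migration, compare the entry count of ldapdump.raw with the live listing first; a lower count on the new server usually means slapadd stopped on a schema or DB_CONFIG problem.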
 
Enable the daemon at boot time,
systemctl enable slapd
 
Troubleshooting
If needed, start slapd in debug mode,
slapd -u openldap -g openldap -d 1
 
If you need to start fresh,
/etc/init.d/slapd stop
ps aux | grep slapd
apt-get purge slapd samba-doc
apt-get purge db-upgrade-util db5.1-util db5.3-util
apt-get autoremove
#cd /var/backups/
#rm -rf unknown-2.4.40+dfsg-1+deb8u1.ldapdb/
#rm -rf slapd*
rm -rf /etc/ldap/
rm -rf /var/lib/ldap/
 
If you are getting this error when reinstalling slapd,
ldif_read_record: include file:///etc/ldap/schema/core.ldif failed
==> back up and purge the configs before reinstalling it, see above.
 
If you get this error while trying to start slapd in debug mode,
bi_db_open failed! (-1)
==> maybe you forgot to fix the permissions/ownership after slapadd (see above)?
 
Alternative methods (draft)
The db_recover trick
Replicate the LDAP repository,
/etc/init.d/slapd stop
ps ax | grep slapd
cd /var/lib/ldap/
rm -rf example/
tar xzpf ~/example.czpf.tar.gz -C .
chown -R openldap:openldap example/
cd example/
rm -rf __db*
db5.1_checkpoint -1
db5.1_recover
db5.1_upgrade *.bdb
cd ../
chown -R openldap:openldap example/
/etc/init.d/slapd start
 
The old/ trick
1. create a folder named old/ in /var/lib/ldap/example.com
2. move all the original database files into old/
3. /etc/init.d/slapd restart
4. all the databases get replicated from the old server
 
The olcDatabase replication trick (maybe related to the old/ trick, since the data goes somewhere else?)
Edit the new style configuration to enable replication,
vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
uncomment,
olcSyncrepl: rid=013 provider=ldap://ldap-master.example.com bindmethod=simple timeout=0 network-timeout=0 binddn="cn=ldap-admin,dc=example,dc=com" credentials="LDAP MASTER PASSWD" keepalive=1200:10:3 starttls=no filter="(objectclass=*)" searchbase="dc=example,dc=com" scope=sub schemachecking=off type=refreshAndPersist retry="60 +"
 
But you might get this error when trying to modify the database (olcSyncrepl method),
Failed to add user to LDAP database : shadow context; no update referral
This is expected: a syncrepl consumer is a read-only shadow copy, so writes have to go to the provider (or slapd needs an updateref pointing to it).
 
Adding samba schema to the new style conf
Import the schema configuration into the new .d layout,
cd /etc/ldap/
cat > samba.conf <<EOF
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
EOF
mkdir /tmp/slapd.d/
slaptest -f samba.conf -F /tmp/slapd.d/
cp -i "/tmp/slapd.d/cn=config/cn=schema/cn={4}samba.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema"
 
References
Migrating an existing LDAP database to a new computer: https://ploum.net/migrating-an-existing-ldap-database-to-a-new-computer/
 