this is an obsolete doc -- see http://doc.nethence.com/ instead

Rebuilding an OpenLDAP server from scratch and migrating the database from a Debian Lenny to a Debian Jessie 

 

Introduction 

You are not obliged to use the new slapd.d/ configuration layout. You can reuse the old slapd.conf by simply removing the slapd.d/ configuration folder. 

 

It is also possible to convert old style config into new style, at least for some parts. 

Ref. https://wiki.debian.org/LDAP/OpenLDAPSetup 

 

Installation 

Install openldap and the additional samba.schema, 

apt-get install slapd
(enter an empty LDAP admin password, we remove the config anyway)
apt-get install samba-doc
ls -l  /etc/ldap/schema/ | grep samba
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
ls -l  /etc/ldap/schema/ | grep samba

 

The slapcat / slapadd trick 

On the old server, 

cd /etc/ldap/
sed '/^$/d; /^#/d' slapd.conf
(copy)

 

cd /var/lib/ldap/example/
sed '/^$/d; /^#/d' DB_CONFIG
(copy)

 

/etc/init.d/slapd stop
slapcat -l ~/ldapdump.raw
/etc/init.d/slapd start

 

Also copy the certificate files, if there are any, e.g., 

TLSCACertificateFile  /etc/ldap/demoCA/cacert.pem
TLSCertificateFile    /etc/ldap/servercert.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem

 

Move the saved files to the new server e.g., 

cd ~/
rsync -av --rsh=ssh root@OLD_SRV:~/ldapdump.raw .
ls -l ldapdump.raw

 

On the new server, 

cd /etc/ldap/
rm -rf slapd.d/
vi slapd.conf
(paste)
cp /root/ldap/servercert.pem .
cp /root/ldap/serverkey.pem .
mkdir demoCA/
cp /root/ldap/demoCA/cacert.pem demoCA/

 

grep ^directory /etc/ldap/slapd.conf
cd /var/lib/ldap/
mkdir example/
chown -R openldap:openldap example/
cd example/
ls -al
vi DB_CONFIG
(paste)
slapadd -l ~/ldapdump.raw
cd ../
chown -R openldap:openldap example/

 

Ready to go 

You can now start the service, 

/etc/init.d/slapd start

and check, 

ps aux | grep slap

restart if needed so that slapd runs with -f and not -F, 

/etc/init.d/slapd restart

check again, 

ps aux | grep slap

you should see this process on the server, 

openldap  7954  0.0  0.4 247668  9208 ?        Ssl  09:01   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf

pointing to the old style slapd.conf with -f and not -F. 
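A small helper, added here and not part of the original note, that reads a "ps aux" line and reports whether that slapd was started on the old-style slapd.conf (-f) or on the slapd.d/ tree (-F); the sample line is the one shown above, embedded as constructed input.

```shell
#!/bin/sh
# Added example (not from the original note): classify a slapd process line
# by its configuration switch, -f <slapd.conf> versus -F <slapd.d/>.

slapd_config_mode() {
    # $1: one "ps aux" line; prints "conf:<file>", "confdir:<dir>" or "default"
    line="$1"
    case "$line" in
        *' -F '*) rest="${line##* -F }"; printf 'confdir:%s\n' "${rest%% *}" ;;
        *' -f '*) rest="${line##* -f }"; printf 'conf:%s\n' "${rest%% *}" ;;
        *)        printf 'default\n' ;;
    esac
}

uses_old_style_conf() {
    # exit 0 when the line points at a slapd.conf via -f, which is what
    # this note expects after the migration
    case "$(slapd_config_mode "$1")" in
        conf:*) return 0 ;;
        *)      return 1 ;;
    esac
}

check_running_slapd() {
    # same idea as "ps aux | grep slap" above, applied to the live process(es)
    ps aux | grep '[s]lapd' | while IFS= read -r l; do
        slapd_config_mode "$l"
    done
}

# constructed sample: the process line shown in the note
SAMPLE_PS_LINE='openldap  7954  0.0  0.4 247668  9208 ?        Ssl  09:01   0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf'
```

Run check_running_slapd on the new server after the restart; any "confdir:" line means slapd picked up a leftover slapd.d/ instead of slapd.conf.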

 

Now check that everything works, 

ldapsearch -x -b "dc=example,dc=com" -h NEW_SLAPD
ldapsearch -x -b "dc=example,dc=com" uid=USER* -h NEW_SLAPD
ldapsearch -D "uid=USER,ou=people,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" -h NEW_SLAPD
ldapsearch -D "cn=ldap-admin,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" -h NEW_SLAPD

 

Enable the daemon at boot time, 

systemctl enable slapd

 

Troubleshooting 

If needed, start slapd in debug mode, 

slapd -u openldap -g openldap -d 1

 

If you need to start fresh, 

/etc/init.d/slapd stop
ps aux | grep slapd
apt-get purge slapd samba-doc
apt-get purge db-upgrade-util db5.1-util db5.3-util
apt-get autoremove
#cd /var/backups/
#rm -rf unknown-2.4.40+dfsg-1+deb8u1.ldapdb/
#rm -rf slapd*
rm -rf /etc/ldap/
rm -rf /var/lib/ldap/

 

If you are getting this error when reinstalling slapd, 

ldif_read_record: include file:///etc/ldap/schema/core.ldif failed

==> back up and purge the configs before reinstalling it, see above. 

 

If you get this error while trying to start slapd in debug mode, 

bi_db_open failed! (-1)

==> maybe you forgot to fix permissions/ownership after slapadd? 
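An added check for exactly that case (not part of the original note): list whatever under the database directory is not owned by the openldap user, so a root-owned file left behind by slapadd shows up before slapd fails to open the backend. The directory and user names are the ones used in this note.

```shell
#!/bin/sh
# Added example (not from the original note): find files in the slapd
# database directory that slapd, running as "openldap", cannot own.

wrong_owner_files() {
    # $1: database directory (e.g. /var/lib/ldap/example)
    # $2: expected owner, defaults to openldap
    dir="$1"; owner="${2:-openldap}"
    # the directory itself is included, since slapd needs to write __db.* there
    find "$dir" ! -user "$owner" 2>/dev/null | sort
}

db_ownership_ok() {
    # exit 0 when nothing under $1 is owned by someone other than $2
    [ -z "$(wrong_owner_files "$1" "${2:-openldap}")" ]
}

fix_db_ownership() {
    # the same fix the note applies: chown -R openldap:openldap example/
    user="${2:-openldap}"
    chown -R "$user:$user" "$1"
}

report_db_ownership() {
    # human-readable summary for the troubleshooting step above
    if db_ownership_ok "$1" "$2"; then
        printf 'ownership ok: %s\n' "$1"
    else
        printf 'not owned by %s:\n' "${2:-openldap}"
        wrong_owner_files "$1" "$2"
    fi
}
```

Typical use on the new server: report_db_ownership /var/lib/ldap/example, then fix_db_ownership /var/lib/ldap/example before starting slapd again.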

 

Alternative methods (draft) 

The db_recover trick 

Replicate the LDAP repository, 

/etc/init.d/slapd stop
ps ax | grep slapd
cd /var/lib/ldap/
rm -rf example/
tar xzpf ~/example.czpf.tar.gz -C .
chown -R openldap:openldap example/
cd example/
rm -rf __db*
db5.1_checkpoint -1
db5.1_recover
db5.1_upgrade *.bdb
cd ../
chown -R openldap:openldap example/
/etc/init.d/slapd start

 

The old/ trick 

1. create a folder old/ in /var/lib/ldap/example.com 

2. mv all the original database files into old/ 

3. /etc/init.d/slapd restart 

4. the whole database then gets replicated from the old server 

 

The olcDatabase replicate trick (maybe related to the old/ trick, since the data goes somewhere else?) 

Edit the new style configuration to enable replication, 

vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif

uncomment, 

olcSyncrepl: rid=013 provider=ldap://ldap-master.example.com bindmethod=simple time
 out=0 network-timeout=0 binddn="cn=ldap-admin,dc=example,dc=com" credential
 s="LDAP MASTER PASSWD" keepalive=1200:10:3 starttls=no filter="(objectclass=*)" searchbase="dc=example,dc=com" sc
 ope=sub schemachecking=off type=refreshAndPersist retry="60 +"

 

But you might get this error when trying to modify the database (olcSyncrepl method), because a syncrepl consumer is a read-only shadow copy and writes have to go to the provider unless an update referral is configured, 

Failed to add user to LDAP database : shadow context; no update referral

 

Adding samba schema to the new style conf 

Import the schema configuration into the new .d layout, 

cd /etc/ldap/
cat > samba.conf <<EOF
include          /etc/ldap/schema/core.schema
include          /etc/ldap/schema/cosine.schema
include          /etc/ldap/schema/nis.schema
include          /etc/ldap/schema/inetorgperson.schema
include          /etc/ldap/schema/samba.schema
EOF
mkdir /tmp/slapd.d/
slaptest -f samba.conf -F /tmp/slapd.d/
cp -i "/tmp/slapd.d/cn=config/cn=schema/cn={4}samba.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema"
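The {4} in the file name above is only right when the target slapd.d/ already holds exactly four schemas (core, cosine, nis, inetorgperson); this added helper, not part of the original note, computes the next free index in the target cn=schema directory and renumbers the slaptest output on the way in. It assumes the cn={N}name.ldif naming shown above, with matching "dn: cn={N}name" and "cn: {N}name" lines inside the file.

```shell
#!/bin/sh
# Added example (not from the original note): install a schema LDIF produced
# by slaptest into a live slapd.d/ tree without colliding with existing indices.

next_schema_index() {
    # $1: the cn=config/cn=schema directory; prints the highest {N} plus one
    max=-1
    for f in "$1"/cn=\{*\}*.ldif; do
        [ -e "$f" ] || continue
        n="${f##*cn=\{}"; n="${n%%\}*}"
        [ "$n" -gt "$max" ] && max="$n"
    done
    echo $((max + 1))
}

install_schema_ldif() {
    # $1: LDIF from slaptest (e.g. .../cn={4}samba.ldif)
    # $2: target cn=schema directory under /etc/ldap/slapd.d/cn=config
    src="$1"; dest="$2"
    n="$(next_schema_index "$dest")"
    name="${src##*\}}"                      # "samba.ldif"
    out="$dest/cn={$n}$name"
    # rewrite the ordered index in both the dn and the cn attribute
    sed -e "s/^dn: cn={[0-9]*}/dn: cn={$n}/" \
        -e "s/^cn: {[0-9]*}/cn: {$n}/" "$src" > "$out"
    printf '%s\n' "$out"
}
```

With the layout from this note: install_schema_ldif "/tmp/slapd.d/cn=config/cn=schema/cn={4}samba.ldif" "/etc/ldap/slapd.d/cn=config/cn=schema", then restart slapd and check with slaptest -F /etc/ldap/slapd.d/.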

 

References 

Migrating an existing LDAP database to a new computer: https://ploum.net/migrating-an-existing-ldap-database-to-a-new-computer/