How to migrate openLDAP from one VPS to a new one


Let’s assume that you have two identical machines, one with an existing LDAP configuration in a production environment, and the second being a new, clean VPS. Even if you add more resources to the new VPS, in theory it doesn’t matter, as long as the software requirements are satisfied, such as the operating system and the LDAP dependencies. For this, you could follow the official guide from OpenLDAP, which emphasizes the following commands. This is not a complete guide on how to install and configure an LDAP server from scratch to a functional state (we will cover that in another post), but rather an install of the minimum software required to restore the configuration from another LDAP server.

For a VPS based on Debian/Ubuntu, input:

sudo apt install slapd ldap-utils
apt-get install samba-doc

For a VPS based on CentOS, use:

yum install openldap openldap-servers

LDAP contains two layers of data: the first one is the schema, which describes how your data is structured and placed in LDAP, while the second layer is the data itself. After the previous step is complete, remember that we need to copy the following components of LDAP in order to replicate the existing OpenLDAP server:

  • Slapcat databases
  • User data (such as schemas)
  • Configuration files (either the cn=config configuration or the slapd.conf file).

On the old server

1) Stop Slapd on the old server.

2) Slapcat the databases. We will need to export two databases, so we will be using the “-n” option to select each one. First the configuration database (number 0):

slapcat -n 0 -l /backup/file/path/slapd.conf

3) Afterward, we will export the data database (number 1) to another file:

slapcat -n 1 -l /backup/file/path/database.ldif

On the new server

1) Copy these files to the new server, but ensure that the LDAP configuration is identical to make the migration easier.

2) Stop Slapd on the new VPS.

systemctl stop slapd

3) Delete the content of the following folder:

/etc/ldap/slapd.d

4) Use the slapadd command to import the configuration on the new server:

slapadd -n 0 -l /backup/file/path/slapd.conf

5) And then import the database:

slapadd -n 1 -l /backup/file/path/database.ldif

5.5) If the above command doesn’t work and the database uses the BDB/HDB backend, you can also try recovering the Berkeley DB environment first. Note that the -h option takes the database directory, not an LDIF file:

db_recover -v -h /var/lib/ldap

6) If the commands from above don’t work, you can also try passing the configuration directory explicitly with -F:

slapadd -n 0 -F /etc/ldap/slapd.d -l /backup/file/path/slapd.conf

and

slapadd -n 1 -l /backup/file/path/database.ldif

7) Change the ownership of the following directories (recursively, since slapadd run as root leaves root-owned files inside them) to the slapd service user, which is openldap on Debian/Ubuntu and ldap on CentOS:

chown -R openldap:openldap /etc/ldap/slapd.d
chmod 755 /etc/ldap/slapd.d
chown -R openldap:openldap /var/lib/ldap
chmod 755 /var/lib/ldap

8) If you have TLS certificates, you must copy the certificates and keys from the old server to the new server into exactly the same folders, and set the same permissions as on the old server; otherwise slapd will fail to start. The paths are the ones referenced by the following attributes of the configuration:

TLSCACertificateFile /etc/ldap/demoCA/cacert.pem

TLSCertificateFile /etc/ldap/servercert.pem

TLSCertificateKeyFile /etc/ldap/serverkey.pem

9) Start the slapd service:

systemctl start slapd

10) Check that the slapd service is running properly:

systemctl status slapd

11) You can check that the data was restored by running queries such as the following (anonymous, filtered, as a user, and as the admin):

ldapsearch -x -b "dc=test,dc=de" -h NEW_SLAPD
ldapsearch -x -b "dc=test,dc=de" uid=USER* -h NEW_SLAPD
ldapsearch -D "uid=USER,ou=men,dc=test,dc=de" -W -b "ou=men,dc=test,dc=de" -h NEW_SLAPD
ldapsearch -D "cn=ldap-admin,dc=test,dc=de" -W -b "ou=men,dc=test,dc=de" -h NEW_SLAPD

12) Enable the daemon to start at boot time:

systemctl enable slapd
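As an added example (not part of the original post), the following POSIX sh script checks that the two slapcat dumps belong together before anything is imported, then runs steps 2 to 7 above in order, stopping at the first failure. It assumes the Debian/Ubuntu paths and the openldap service user used above, and that the dumps were written by slapcat in its default layout.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check that the two
# slapcat dumps belong together, then steps 2-7 of the restore in one function
# that stops at the first failure. Assumes Debian/Ubuntu paths (/etc/ldap/slapd.d,
# /var/lib/ldap) and the openldap service user; adjust for CentOS (ldap user).
set -u

# ldif_entries FILE: number of LDIF records (each record starts with a "dn:" line).
ldif_entries() { awk '/^dn:/ { n++ } END { print n + 0 }' "$1"; }

# config_suffixes CONFIG_LDIF: olcSuffix values in the -n 0 dump. Assumes plain
# ASCII suffixes; slapcat base64-encodes others as "olcSuffix::" and those are skipped.
config_suffixes() { sed -n 's/^olcSuffix: *//p' "$1"; }

# data_root DATA_LDIF: DN of the first record of the -n 1 dump, which slapcat
# writes first because it is the database's root (suffix) entry.
data_root() { sed -n 's/^dn: *//p' "$1" | head -n 1; }

# check_dumps CONFIG_LDIF DATA_LDIF: 0 when both dumps are non-empty and the data
# dump's root DN is declared as an olcSuffix in the config dump, 1 otherwise.
# Catches pairing a data dump with a config export taken from a different server.
check_dumps() {
  for f in "$1" "$2"; do
    [ -s "$f" ] || { echo "$f is missing or empty" >&2; return 1; }
  done
  [ "$(ldif_entries "$1")" -gt 0 ] || { echo "no records in config dump $1" >&2; return 1; }
  [ "$(ldif_entries "$2")" -gt 0 ] || { echo "no records in data dump $2" >&2; return 1; }
  root=$(data_root "$2")
  config_suffixes "$1" | grep -qxF -- "$root" || {
    echo "root DN '$root' of $2 is not an olcSuffix in $1" >&2; return 1; }
}

# restore_dumps CONFIG_LDIF DATA_LDIF: steps 2-7 above, in order. The config is
# checked with slaptest before the data is imported, and slapd is only started
# once every step has succeeded, so a half-restored directory never goes live.
restore_dumps() {
  check_dumps "$1" "$2" || return 1
  systemctl stop slapd || return 1
  rm -rf /etc/ldap/slapd.d/* || return 1
  slapadd -n 0 -F /etc/ldap/slapd.d -l "$1" || return 1
  slaptest -F /etc/ldap/slapd.d || return 1
  slapadd -n 1 -F /etc/ldap/slapd.d -l "$2" || return 1
  chown -R openldap:openldap /etc/ldap/slapd.d /var/lib/ldap || return 1
  systemctl start slapd
}

# On the new server, after copying the two files from the old one:
# restore_dumps /backup/file/path/slapd.conf /backup/file/path/database.ldif
```

Run it as root on the new server; check_dumps can also be run on its own before stopping the old slapd, to confirm the export is complete.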
