20110106 backing up ldap data - plembo/onemoretech GitHub Wiki

title: Backing up LDAP data
link: https://onemoretech.wordpress.com/2011/01/06/backing-up-ldap-data/
author: lembobro
description:
post_id: 83
created: 2011/01/06 16:52:18
created_gmt: 2011/01/06 16:52:18
comment_status: open
post_name: backing-up-ldap-data
status: publish
post_type: post

Backing up LDAP data

There are two ways to back up LDAP data. One is to use the LDAP server’s native data dump utility. In OpenLDAP this is slapcat. The other is to use ldapsearch. Some helpful advice on using either follows.

Depending upon the directory server product you’re using, a direct database dump is usually accomplished with a special utility or script provided by the vendor. In the case of OpenLDAP, the slapcat utility does a direct dump of the data held in the server’s embedded database. A major limitation of this utility is that on some systems it only works while slapd (the LDAP server daemon) is shut down. This is not the case with the version that ships with Red Hat Enterprise Linux 5 (a/k/a RHEL 5), but even there you are cautioned to put the directory in read-only mode if you run it against a live server, so that changes made while the backup is going on are not lost.

The syntax for using slapcat is found in the manual. For example:

```
slapcat -b "dc=example,dc=com" -f /etc/openldap/slapd.conf -l /var/tmp/backup.ldif
```

I always include both the “-b” (base dn) and “-f” (config file) options, even though just the former will do in most cases — just in case.

The resulting backup file from a slapcat can be used to restore a directory database using the slapadd command. Like slapcat, slapadd is only for offline use; it will not work if the slapd daemon is running. The procedure is to entirely remove the old database files (in the default RHEL 5 configuration these are under /var/lib/ldap; be sure not to remove any DB_CONFIG file you find there) and then run:

```
slapadd -b "dc=example,dc=com" -f /etc/openldap/slapd.conf -l /var/tmp/backup.ldif
```

An online backup can be taken using the ldapsearch command. This can be somewhat more time consuming than the offline method, and so that should be taken into account in scheduling. Online restoration from an ldapsearch dump is usually done using the ldapadd or ldapmodify utilities, although a full restore can be done from an ldapsearch dump using slapadd.

Here’s a typical command:

```
ldapsearch -x -LLL -h ldap.example.com -D "cn=manager,dc=example,dc=com" \
  -w adminpass -S createtimestamp -b "dc=example,dc=com" -s sub "objectclass=*" \
  > /var/tmp/backup.ldif
```

This will create a dump of all entries in the directory from the base dn specified down. The “-LLL” tells the utility not to output any comments or operational information in returning its results. The “-w” allows inclusion of the bind password on the command line, which is useful when running in a script (using -W would cause ldapsearch to prompt for the password).

Search results are normally returned by the directory server unsorted. Because of this an “inferior” entry can sometimes appear before its “superior”. For example, “uid=someuserid,ou=people,dc=example,dc=com” might come back before “ou=people,dc=example,dc=com”. When trying to restore the directory tree from that kind of result, the directory server will error out because of the missing “superior” object. To avoid this you can use the “-S createtimestamp” option to cause ldapsearch to return its results sorted by the createtimestamp value of each entry. For the most part you can depend on a superior entry being older than an inferior one, thus avoiding problems when restoring.
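As an added example (not part of the original post), here is a POSIX shell check that verifies a dump is in superior-before-inferior order before it is handed to slapadd or ldapadd, plus a wrapper around the post's ldapsearch command that discards a dump failing the check. The function names are mine, and the check assumes plain unfolded “dn:” lines with no escaped commas in RDNs, which is what slapcat and “ldapsearch -LLL” normally produce for ASCII DNs.

```shell
#!/bin/sh
# check_ldif_order FILE BASEDN
# Returns 0 when every entry's superior (parent DN) is the suffix itself or
# an entry that appeared earlier in FILE; otherwise prints the offending DNs
# and returns 1. Assumption: plain "dn: " lines, no base64 "dn::", no folded
# continuation lines, no escaped commas inside an RDN.
check_ldif_order() {
    ldif="$1"
    # Normalise case and spacing after commas so "dc=example, dc=com" and
    # "DC=example,DC=com" compare equal.
    base=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    seen="|"          # "|"-delimited list of DNs already seen
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "dn: "*) ;;          # only DN lines matter for ordering
            *) continue ;;
        esac
        dn=$(printf '%s' "${line#dn: }" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
        if [ "$dn" = "$base" ]; then
            seen="${seen}${dn}|"
            continue
        fi
        parent="${dn#*,}"        # drop the leading RDN to get the superior
        case "$seen" in
            *"|${parent}|"*) ;;  # superior already written: safe to restore
            *) echo "out of order: $dn (superior $parent not yet seen)"; bad=1 ;;
        esac
        seen="${seen}${dn}|"
    done < "$ldif"
    return $bad
}

# backup_online OUTFILE
# The post's online dump, sorted by createtimestamp, followed by the order
# check; a dump that fails the check is removed so it cannot be restored by
# mistake. Host, bind DN and password are the post's placeholders; "-y FILE"
# can replace "-w PASSWORD" to keep the password out of the process list.
backup_online() {
    out="$1"
    ldapsearch -x -LLL -h ldap.example.com -D "cn=manager,dc=example,dc=com" \
        -w adminpass -S createtimestamp -b "dc=example,dc=com" -s sub \
        "objectclass=*" > "$out" || return 1
    check_ldif_order "$out" "dc=example,dc=com" || { rm -f "$out"; return 1; }
}
```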

Copyright 2004-2019 Phil Lembo