How To Backup the cn=config Database for slapd.d
Learn how to properly backup the cn=config database for slapd.d to protect your LDAP server configuration settings.
Date: 11-04-2022
OpenLDAP uses an internal, in-memory database (`cn=config`) to hold its configuration during operation. That database is initially loaded from an LDIF (text representation of LDAP data) file and stored in the OpenLDAP data directory `/var/symas/openldap-data/`. From that point on the contents of `cn=config` are maintained through the normal LDAP utilities or LDAP browsers.
Changes made to `cn=config` are activated immediately (dynamically); no restart of OpenLDAP is necessary.
`cn=config` can be dumped to an external LDIF file for review using the same `slapcat` command used to take backups of the LDAP database(s) hosted on the server.
Step-by-step guide
The following assumes that:
- Symas OpenLDAP is installed in the default location
- `/opt/symas/bin` is on your PATH
- Your configuration directory is located in `/opt/symas/etc/openldap/slapd.d`
1. Open a shell as a user with appropriate permissions (or have sudo access)
2. Execute the following command:
    slapcat -n0 -l <backup_file_name>.ldif
3. Save the resulting `.ldif` file to a safe, secondary location
NOTE: The LDIF representation stored in the data directory SHOULD NEVER BE EDITED DIRECTLY! `ldapmodify` CLI commands or an LDAP browser should be used to make changes. They use the LDAP protocol and maintain the data integrity of the `cn=config` database. An editor does not.
Requirements
- The user running the backup must have the appropriate permissions (usually "root" or another privileged user set up with the appropriate permissions[^root]) to back up the database
- The slapd service does not have to be stopped while executing the backup
The `slapcat` utility
The `slapcat` utility is the preferred utility for exporting OpenLDAP databases to the common LDIF file format. Do not use the `ldapsearch` utility to create your backup LDIF: it produces a file in the incorrect order for reloading via `slapadd`.
The following options are used for backing up the configuration database:
Option | Value | Required | Purpose |
---|---|---|---|
`-n` | 0 | Y | Designates the database number to back up. `cn=config` is always 0 |
`-l` | File path/name | Y | Path and name of the backup file to be generated by `slapcat` |
`-F` | Path to slapd.d (config) directory | N | Path to the configuration directory |
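The step-by-step guide above and the option table can be combined into a small, repeatable backup script. The following is an added example written for this article; it is not a Symas script. It assumes the default paths stated above (`/opt/symas/bin` on the PATH, config directory `/opt/symas/etc/openldap/slapd.d`), invents a destination directory (`/var/backups/openldap`, overridable through `BACKUP_DIR`), and assumes that a `slapcat -n0` dump begins with the `dn: cn=config` entry and contains at least one `olcDatabase=` entry, which is what the sanity check verifies before the file is copied off-box. Because the dump can contain `olcRootPW` hashes and other sensitive settings, the script also sets a restrictive umask so the backup file is created readable only by its owner.

```shell
#!/bin/sh
# Added example, not part of the original article or of Symas OpenLDAP.
# Back up the cn=config database (database 0) with slapcat and sanity-check
# the resulting LDIF before it is moved to a secondary location.
set -eu

# Paths from the article; BACKUP_DIR is an assumed destination, not from the page.
CONFIG_DIR="${CONFIG_DIR:-/opt/symas/etc/openldap/slapd.d}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/openldap}"
SLAPCAT="${SLAPCAT:-slapcat}"    # overridable so the script can be tested without slapd

# Name the backup after the host and a UTC timestamp so repeated runs never overwrite each other.
backup_name() {
    printf '%s/cn-config-%s-%s.ldif' "$BACKUP_DIR" "$(uname -n)" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Check that a file looks like a slapcat dump of database 0 (assumption: the dump
# starts with the cn=config root entry and lists at least one olcDatabase entry).
validate_config_ldif() {
    f="$1"
    [ -s "$f" ] || { echo "empty or missing backup: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q '^dn: cn=config$' \
        || { echo "first entry is not cn=config: $f" >&2; return 1; }
    grep -q '^dn: olcDatabase=' "$f" \
        || { echo "no olcDatabase entries found: $f" >&2; return 1; }
    return 0
}

# Run slapcat exactly as in the guide (-n0 -l <file>, plus -F for the config dir),
# then validate the output. Prints the path of the backup file on success.
backup_cn_config() {
    out="$(backup_name)"
    mkdir -p "$BACKUP_DIR"
    umask 077                      # the dump may hold olcRootPW hashes: owner-only permissions
    "$SLAPCAT" -F "$CONFIG_DIR" -n0 -l "$out"
    validate_config_ldif "$out"
    echo "$out"
}

# Only perform the backup when invoked as: sh backup-cn-config.sh run
if [ "${1:-}" = "run" ]; then
    backup_cn_config
fi
```

Run it as `sh backup-cn-config.sh run` from a user with read access to the config directory; the printed path is the file to copy to the secondary location. Validating the dump before copying catches the common failure where `slapcat` is pointed at the wrong `-F` directory or run without permission and leaves an empty or truncated file behind.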
Notes
[^root]: It is HIGHLY recommended you create a "special user" and group for OpenLDAP. Permissions can be granted to members of the group to perform most normal maintenance operations to the service. This reduces the number of users with "root" privileges, adding to server security. The `slapd` service should also be run under that special user's privileges (user and group).