HowTo Backup the Configuration Database
OpenLDAP uses an internal, in-memory database (cn=config) to hold its configuration during operation.
That database is initially loaded from an LDIF (text representation of
LDAP data) file and stored in the OpenLDAP data directory,
/var/symas/openldap-data/. From that point on, the contents of
cn=config are maintained through the normal LDAP
utilities or LDAP browsers.
Changes made to cn=config are immediately (dynamically)
cn=config can be dumped to an external LDIF file for review using the same slapcat command used to take backups of the LDAP database(s) hosted on the server.
NOTE: The LDIF representation stored in the data directory SHOULD NEVER BE EDITED DIRECTLY! ldapmodify CLI commands or an LDAP browser should be used to make changes. They use the LDAP protocol and maintain the data integrity of the cn=config database. An editor does not.
- The user running the backup must have the appropriate permissions (usually “root” or another privileged user set up with the appropriate permissions [1]) to back up the database
- The slapd service does not have to be stopped while executing the backup
The slapcat utility is the preferred utility for
exporting OpenLDAP databases to the common LDIF file format. Do not use
the ldapsearch utility to create your backup LDIF. It
produces a file in the incorrect order for reloading via
The following options are used for backing up the configuration database:

| Option | Value | Required | Description |
|---|---|---|---|
| -n | 0 | Y | Designates the database number to back up. |
| -l | File path/name | Y | Path and name of the backup file to be generated by |
| -F | Path to slapd.d (config) directory | N | Path to the configuration directory |
The following assumes that Symas OpenLDAP is installed in the default location, /opt/symas/bin is on your path and that your configuration directory is located in /opt/symas/etc/openldap/slapd.d.
1. Open a shell as a user with appropriate permissions (or have sudo access)
2. Execute the following:
   `slapcat -n0 -l <backup_file_name>.ldif`
3. Save the resulting .ldif file to a safe, secondary location
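
The steps above can be wrapped in a small script that also protects and checks the dump. This is an added example, not Symas code: the function name backup_config, the SLAPCAT variable and the file naming scheme are assumptions, and only the `slapcat -n0 -l <file>` invocation comes from this page.

```shell
#!/bin/sh
# Added example, not Symas code. backup_config, SLAPCAT and the file naming
# scheme are hypothetical; only `slapcat -n0 -l <file>` comes from the page.
SLAPCAT="${SLAPCAT:-slapcat}"   # override to point at a specific binary

# backup_config DEST_DIR -> prints the path of the verified backup file
backup_config() {
    bc_dir="$1"
    bc_out="$bc_dir/cn-config-$(date -u +%Y%m%dT%H%M%SZ).ldif"
    bc_tmp="$bc_out.partial"
    bc_umask="$(umask)"

    # The dump can include credential hashes (e.g. olcRootPW), so create
    # the directory and the file readable by the owner only.
    umask 077
    bc_rc=0
    { mkdir -p "$bc_dir" && "$SLAPCAT" -n0 -l "$bc_tmp"; } || bc_rc=$?
    umask "$bc_umask"
    if [ "$bc_rc" -ne 0 ]; then
        rm -f "$bc_tmp"
        echo "slapcat failed (exit $bc_rc)" >&2
        return 1
    fi

    # A database 0 dump starts with the cn=config entry; anything else
    # means the wrong database was exported or the file is incomplete.
    if ! head -n 1 "$bc_tmp" | grep -q '^dn: cn=config$'; then
        rm -f "$bc_tmp"
        echo "dump does not start with dn: cn=config" >&2
        return 2
    fi

    # Rename only after verification so a partial file never looks valid.
    mv "$bc_tmp" "$bc_out" && printf '%s\n' "$bc_out"
}
```

Call it as `backup_config <directory>` from the privileged shell opened in step 1, then copy the printed file to the secondary location.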
[1] It is HIGHLY recommended you create a “special user” and group for OpenLDAP. Permissions can be granted to members of the group to perform most normal maintenance operations to the service. This reduces the number of users with “root” privileges, adding to server security. The slapd service should also be run under that special user’s privileges (user and group).