Symas OpenLDAP Knowledge Base

HowTo Backup the Configuration Database

OpenLDAP uses an internal, in-memory database (cn=config) to hold its configuration during operation. That database is initially loaded from an LDIF (text representation of LDAP data) file stored in the OpenLDAP data directory, /var/symas/openldap-data/. From that point on the contents of cn=config are maintained through the normal LDAP utilities or LDAP browsers.

Changes made to cn=config are immediately (dynamically) activated.

cn=config can be dumped to an external LDIF file for review using the same slapcat command used to take back-ups of the LDAP database(s) hosted on the server.

Step-by-step guide

The following assumes that Symas OpenLDAP is installed in the default location, /opt/symas/bin is on your path and that your configuration directory is located in /opt/symas/etc/openldap/slapd.d.

  1. Open a shell as a user with appropriate permissions (or have sudo access)

  2. Execute the following:

        slapcat -n0 -l <backup_file_name>.ldif

  3. Save the resulting .ldif file to a safe, secondary location

NOTE: The LDIF representation stored in the data directory SHOULD NEVER BE EDITED DIRECTLY! ldapmodify CLI commands or an LDAP Browser should be used to make changes. They use the LDAP protocol and maintain the data integrity of the cn=config database. An editor does not.
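The three steps above as one script, added here as an example rather than taken from the Symas KB: it runs slapcat against database 0 (with -F pointing at the KB's default slapd.d directory), checks that the dump really starts with the cn=config entry, and restricts the file to the owner because a cn=config dump carries sensitive material such as olcRootPW hashes. The function name backup_config and the timestamped file naming are this example's own choices.

```shell
#!/bin/sh
# Added example, not Symas code. Assumes /opt/symas/bin is on PATH so that
# "slapcat" resolves to the Symas OpenLDAP binary.
set -eu

# backup_config DEST_DIR [CONFIG_DIR]
# Dumps cn=config to DEST_DIR/cn-config-<UTC timestamp>.ldif and prints the path.
backup_config() {
    dest_dir="$1"
    confdir="${2:-/opt/symas/etc/openldap/slapd.d}"   # KB default slapd.d location
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    out="$dest_dir/cn-config-$stamp.ldif"

    mkdir -p "$dest_dir"

    # -n 0 : database 0 is always cn=config
    # -F   : explicit configuration directory (optional per the KB table)
    # -l   : output file; umask 077 in a subshell so it is never world-readable
    if ! ( umask 077; slapcat -n 0 -F "$confdir" -l "$out" ); then
        echo "slapcat failed; no backup written" >&2
        return 1
    fi

    # Sanity check: a dump of database 0 must begin with the cn=config entry.
    # Catches pointing -F at the wrong directory or dumping the wrong database.
    if ! grep -q '^dn: cn=config$' "$out"; then
        echo "unexpected content in $out (not a cn=config dump)" >&2
        return 1
    fi

    chmod 600 "$out"        # belt and braces: owner-only, dump holds secrets
    printf '%s\n' "$out"
}
```

Copy the printed file to your secondary location as the KB's step 3 says; the checks make a silently empty or mis-targeted dump fail loudly instead.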

Requirements

  • The user running the backup must have the appropriate permissions (usually “root” or another privileged user set up with the appropriate permissions[1]) to back up the database
  • The slapd service does not have to be stopped while executing the backup

The slapcat utility

The slapcat utility is the preferred utility for exporting OpenLDAP databases to the common LDIF file format. Do not use the ldapsearch utility to create your backup LDIF. It produces a file in the incorrect order for reloading via slapadd.

The following options are used for backing up the configuration database:

| Option | Value                              | Required | Purpose                                                          |
|--------|------------------------------------|----------|------------------------------------------------------------------|
| -n     | 0                                  | Y        | Designates the database number to back up. cn=config is always 0 |
| -l     | File path/name                     | Y        | Path and name of the backup file to be generated by slapcat      |
| -F     | Path to slapd.d (config) directory | N        | Path to the configuration directory                              |

Notes

  [1] It is HIGHLY recommended you create a “special user” and group for OpenLDAP. Permissions can be granted to members of the group to perform most normal maintenance operations to the service. This reduces the number of users with “root” privileges, adding to server security. The slapd service should also be run under that special user’s privileges (user and group).