As part of planning for the future, I want to move this LDAP server to a different machine. I wanted to also migrate to using on-line configuration (OLC), where the static slapd.conf file is replaced with the cn=config online LDAP "directory". This allows configuration changes to be made at runtime without restarting slapd.
I also wanted to change from using the Berkeley DB backend to the Lightning Memory-Mapped DB (LMDB; known as just "mdb" in the configs). LMDB is what OpenLDAP recommends as it is quick (everything in memory) and easier to manage (fewer tuning options, no db files to mess with). From here, I will refer to this as "mdb" per the slapd.conf line.
After doing the migration once, leaving the backend as bdb, I found out it was easier to do all three things at once: migrate to a different server, convert from slapd.conf to OLC, and change backend to mdb.
This is a multi-stage process, but nothing too strenuous.
- Dump the directory data to an LDIF: slapcat -n 1 -l n1.ldif
- Copy n1.ldif to new machine
- Copy slapd.conf to new machine
- Edit new slapd.conf on new machine: change the line "database bdb" to "database mdb"
- Remove any bdb-specific options: idletimeout, cachesize
- Import n1.ldif: slapadd -f /etc/openldap/slapd.conf -l n1.ldif
- Convert slapd.conf to OLC: slaptest -f slapd.conf -F slapd.d ; chown -R ldap:ldap slapd.d
- Move slapd.conf out of the way: mv /etc/openldap/slapd.conf /etc/openldap/slapd.conf.old
Other complications:
- You will probably need to generate a new SSL certificate for the new server
- That may mean signing the new cert with your own (or established) CA
- Or, you can set all your client nodes to not require the cert: in /etc/openldap/ldap.conf add “TLS_REQCERT never”. Fix up the /etc/sssd/sssd.conf file similarly: add ldap_tls_reqcert = never
- Fix up your /etc/sssd/sssd.conf
- I previously wrote about migrating to SSSD from NSLCD
Note that it is pretty easy to back things out and start from scratch. To restore the new server to a "blank slate" condition, delete everything in /etc/openldap/slapd.d/
service slapd stop
cd /etc/openldap/slapd.d
rm -rf *
CAUTION: This process seems to create the n0 db with an olcRootDN of “cn=config” where it should be “cn=admin,dc=example,dc=com” (or whatever your LDAP rootDN should be; for Bright-configured clusters, that would be “cn=root,dc=cm,dc=cluster”). I.e. you need to have:
dn: olcDatabase={0}config,cn=configolcRootDN: cn=root,dc=cm,dc=cluster
but for olcRootDN, you have cn=config, instead.
To fix it, I dumped n0 and n1, deleted /etc/openldap/slapd.d, and “restored” from the dumped n0 and n1. Basically, emulating a restore from backup.
- Dump {0} to n0.ldif
- Shut down slapd
- Modify n0.ldif to have the needed olcRootDN (as above)
- Move away the old /etc/openldap/slapd.d/ directory: mv /etc/openldap/slapd.d /etc/openldap/slapd.d.BAK
- Create a new slapd.d directory: mkdir /etc/openldap/slapd.d
- Add the dumped n0.ldif as the new config: slapadd -n 0 -F /etc/openldap/slapd.d -l n0.ldif
- Fix permissions: chown -R ldap:ldap /etc/openldap/slapd.d ; chmod 700 /etc/openldap/slapd.d
These are the websites I found useful in figuring things out:
- The official OpenLDAP 2.4 Admin Guide
- This chapter about LDAP using OLC from Zytrax's book on OpenLDAP
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.