Backup and restore procedures
Here you can find information about the backup procedure for the OpenLDAP service configured by the debops.slapd Ansible role as well as tips about restoring the backed-up data.
The debops.slapd role installs the slapd-snapshot shell script that can be used to create periodic LDIF snapshots of the databases used by the OpenLDAP service.
By default, three cron jobs will be configured by the role to create
daily (7 days), weekly (4-5 weeks) and monthly (12 months) snapshots of all
OpenLDAP databases found (ignoring the "frontend" database or any databases
olcReadOnly attribute present). This can be controlled using the
default variables. Alternatively, the periodic cron jobs can be
disabled, and the slapd-snapshot script can be executed as
to create current snapshot of the OpenLDAP databases in LDIF format; previous
snapshots are automatically removed in this case with assumption that they have
been transferred to a remote storage by other means.
The slapd-snapshot script will enable and disable read-only mode for
each database, with some caveats. The
cn=config database is not backed-up
read-only, because read-only mode cannot be disabled without stopping the
service. The databases that have the
olcReadOnly attribute defined (enabled
or disabled) are not backed up automatically.
The snapshots are stored in the
/var/backups/slapd/ directory as
compressed tarballs. After finishing the snapshot, the
slapd-snapshot script will change ownership of the created tarballs
backup:backup UNIX account and group. This account can then encrypt
the tarballs via its own set of scripts, using GnuPG asymmetric encryption, to
prepare them to be sent to a remote location (this functionality is not
implemented by the debops.slapd role). The slapd-snapshot
script will automatically remove periodic
files before creating new iterations to preserve disk space.
The LDAP server has crashed and burned, but you have the backup snapshots available, how to restore them? The approach described here assumes that all OpenLDAP server configuration was performed using the debops.slapd role and is still available in the inventory; only the backup of the main LDAP databass is needed.
This procedure can also be used to migrate LDAP directory between OpenLDAP installations.
Set up a new OpenLDAP cluster, select one host as the restore point.
scp data.ldif slapd-host: ssh slapd-host sudo systemctl stop slapd.service sudo rm -rf /var/lib/ldap/* sudo slapadd -F /etc/ldap/slapd.d -n 1 -l data.ldif -w # cluster sudo slapadd -F /etc/ldap/slapd.d -n 1 -l data.ldif # standalone sudo chown openldap:openldap /var/lib/ldap/* sudo systemctl start slapd.service
After a while, data should be synchronized between all nodes in the cluster.
Create a new OpenLDAP server and configure it using DebOps. If it's a cluster of servers, make sure that after applying the configuration the synchronization happens correctly, for example by adding and removing an OpenLDAP object on one host, and noticing it appearing and disappearing on the other(s).
Select one host as the backup importer. Copy the contents of the main LDAP database to it via scp to have the data available on the host locally.
Stop the OpenLDAP service on the host:
systemctl stop slapd.service
Remove the existing database files in the
/var/lib/ldap/directory and any other auxiliary directories, if you use multiple databases/DITs.
Import the backed up LDIF dataset to the OpenLDAP server using the slapadd command. If you use multiple databases, make sure that you use the correct database number during import.
If you use a clustered OpenLDAP setup, use the
-wflag to ensure that the imported LDAP objects have the correct attributes to override the synchronization data from other cluster nodes. Otherwise, the import node will have its data wiped after synchronizing with the other cluster nodes.
Import of the main database in clustered setup:
slapadd -F /etc/ldap/slapd.d -n 1 -l data.ldif -w
Import of the main database in standalone setup:
slapadd -F /etc/ldap/slapd.d -n 1 -l data.ldif
Set the correct UNIX account and UNIX group ownership of the OpenLDAP database(s), for example:
chown openldap:openldap /var/lib/ldap/*
Start the OpenLDAP service:
systemctl start slapd.service
The OpenLDAP cluster should now synchronize new LDAP objects imported into the LDAP directory.