OpenLDAP/slapd

Latest revision as of 15:46, 24 May 2006

OpenLDAP is an open source implementation of LDAP, consisting of command-line utilities, client libraries and a server daemon called slapd.


slapd supports various backends, including bdb and gdbm as well as a Perl and an SQL backend. bdb and gdbm store data in slapd's own format, while the Perl backend can be used to pull data from complex external data sources. slapd can host multiple backends in one process, but doing so complicates everything, which is not what you want when dealing with LDAP.

To manipulate the slapd database, there are two sets of tools:

  • ldap*, which use the standard LDAP protocol
  • slap*, which manipulate the database files directly and therefore cannot be used against a running slapd (except for slapcat, but that is unsafe too)

LDIF files produced by either set of tools usually cannot be imported using the other without modifications. From slapcat to ldapadd the modification is merely removing the operational attributes (e.g. egrep -v "(modifiersName:|modifyTimestamp:|entryCSN:|entryUUID:|creatorsName:|createTimestamp:|structuralObjectClass:)").
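The egrep above works line by line, but slapcat folds long values over several lines (continuation lines start with a space) and writes some values base64-encoded after "::", so removing an attribute with egrep can leave a stray continuation line behind that ldapadd then rejects. The following script is an added example, not taken from this wiki page or from OpenLDAP; it does the same filtering with awk but keeps continuation lines together with the attribute they belong to. The sample dump it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): turn a slapcat dump into something
# ldapadd accepts by removing the operational attributes listed on the page.
# Unlike a line-oriented "egrep -v", the awk filter also drops the folded
# continuation lines (lines starting with a space) of a removed attribute,
# and it recognises base64 values ("attr:: ..."). The sample LDIF is constructed.

strip_operational_attrs() {
    awk '
    BEGIN {
        n = split("modifiersName modifyTimestamp entryCSN entryUUID creatorsName createTimestamp structuralObjectClass", list, " ")
        for (i = 1; i <= n; i++) op[tolower(list[i])] = 1
        skip = 0
    }
    # continuation line: belongs to the previous attribute, so inherit its fate
    /^ / { if (!skip) print; next }
    {
        skip = 0
        # attribute name is everything up to the first ":" (or "::" for base64)
        if (match($0, /^[^:]+::?/)) {
            name = tolower(substr($0, 1, RLENGTH))
            sub(/::?$/, "", name)
            if (name in op) { skip = 1; next }
        }
        print
    }'
}

# constructed slapcat-style dump: two entries, one folded operational attribute
SAMPLE_DUMP='dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
structuralObjectClass: inetOrgPerson
entryUUID: 7f4e9a1c-0000-1000-8000-000000000000
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20060524154600Z
entryCSN: 20060524154600Z#000000#00#000000
modifiersName: cn=a service account with a deliberately long name,ou=service a
 ccounts,dc=example,dc=com
modifyTimestamp: 20060524154600Z
description:: VGhpcyB2YWx1ZSBpcyBiYXNlNjQgYW5kIGZvbGRlZCBvdmVyIHR3byBsaW5lcy
 Bmb3IgdGhlIGV4YW1wbGU=

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
cn: admin
entryUUID: 3c2d1e0f-0000-1000-8000-000000000000
'

if [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_DUMP" | strip_operational_attrs   # demo on the sample
else
    strip_operational_attrs < "$1"                          # filter a real dump file
fi
```

Typical use is `slapcat -l dump.ldif`, then `strip_operational_attrs < dump.ldif > import.ldif`, then `ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f import.ldif` against the running server (the bind DN is a placeholder).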


When using the bdb backend, the usual bdb notes apply: be careful with your database. For slapd this means:

  • don't expect more than 1000 entries to be extremely fast
  • make regular (plain-text) backups of your database (preferably more than once a day if you have lots of entries)

For a large setup, you could even go as far as dumping your database every night and then reimporting it.
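A script for the nightly plain-text dump, with simple retention and the re-roll step, follows as an added example; it is not from this wiki page or from OpenLDAP. The backup directory, the database directory, the init script path and the retention count are hypothetical and set as variables; DUMP_CMD defaults to slapcat but can be overridden, which also lets the dump logic be tested without a slapd installation.

```shell
#!/bin/sh
# Added example (not from the wiki page): a nightly plain-text dump of the slapd
# database with simple retention, plus the "dump and reimport" re-roll the page
# mentions. All paths and the service command are hypothetical; adjust them.
# DUMP_CMD can be overridden so the dump logic can be exercised without slapd.

BACKUP_DIR="${BACKUP_DIR:-/var/backups/slapd}"   # where dumps are kept (hypothetical)
DB_DIR="${DB_DIR:-/var/lib/ldap}"                # bdb "directory" of the backend (hypothetical)
KEEP="${KEEP:-14}"                               # how many dumps to keep
DUMP_CMD="${DUMP_CMD:-slapcat}"                  # slapcat reads the database files directly

# Write one timestamped dump. It goes to a temporary name first, so a failing
# slapcat never leaves behind a truncated file that looks like a good backup.
dump_database() {
    stamp=$(date +%Y%m%d-%H%M%S)
    target="$BACKUP_DIR/slapd-$stamp.ldif"
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"    # dumps contain password hashes and ACL-protected data
    if $DUMP_CMD > "$target.tmp"; then
        mv "$target.tmp" "$target"
        printf '%s\n' "$target"
    else
        rm -f "$target.tmp"
        return 1
    fi
}

# Number of dumps currently on disk.
count_dumps() {
    ls -1 "$BACKUP_DIR"/slapd-*.ldif 2>/dev/null | wc -l | tr -d ' '
}

# Remove everything but the newest $KEEP dumps (timestamped names sort chronologically).
prune_dumps() {
    ls -1 "$BACKUP_DIR"/slapd-*.ldif 2>/dev/null | sort -r | awk -v keep="$KEEP" 'NR > keep' |
    while read -r old; do
        rm -f "$old"
    done
}

# Re-roll: rebuild the database files from the newest dump. slapadd writes the
# files directly, so slapd must be stopped and the old files removed first
# (DB_CONFIG is kept). This is the "dump every night, then reimport" step.
reroll_from_latest() {
    latest=$(ls -1 "$BACKUP_DIR"/slapd-*.ldif 2>/dev/null | sort -r | head -n 1)
    [ -s "$latest" ] || { echo "no usable dump in $BACKUP_DIR" >&2; return 1; }
    /etc/init.d/slapd stop
    find "$DB_DIR" -maxdepth 1 -type f ! -name DB_CONFIG -exec rm -f {} +
    slapadd -l "$latest"
    /etc/init.d/slapd start
}

case "${1:-}" in
    nightly) dump_database && prune_dumps ;;
    reroll)  reroll_from_latest ;;
esac
```

Run it as `slapd-dump.sh nightly` from cron; `reroll` is meant to be run by hand, since it stops the server. Keep the retention long enough to cover the time it takes to notice a bad import, and remember the dumps are as sensitive as the database itself.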

Upgrading from 2.1

Prepare to re-roll your database. Usually you will need to switch to the new schema files supplied with OpenLDAP 2.3, and usually your dataset will not be compatible with them. Expect this to take more than 4 hours for a reasonable set of data.

Upgrading from 2.2

Most often only your schema files need updates or fixes, so this can be easy or tricky.

Upgrading from/to other LDAP Servers

The only real problem will be the password attribute: some directory implementations don't store it in string form (e.g. public/private key only), and others don't store it in cleartext (e.g. OpenLDAP by default).

Beyond that, this should be a matter of an ldapsearch against the old server and an ldapadd against the new one.
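Before doing that ldapsearch/ldapadd migration it helps to know how the exported userPassword values are actually stored. The script below is an added example, not part of this wiki page or of OpenLDAP: it reads LDIF on stdin and prints, per entry, the password scheme ({SSHA}, {CRYPT}, ...), CLEARTEXT for a raw value, or NONE when the entry has no password. The sample export is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page or OpenLDAP): classify how each entry in
# an LDIF export stores userPassword, so a migration does not silently import
# cleartext passwords or accounts that will never be able to log in.
# Output: one line per entry, "<SCHEME|CLEARTEXT|NONE> <dn>". Sample is constructed.

audit_password_schemes() {
    awk '
    BEGIN { B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" }
    # minimal base64 decoder: ldapsearch/slapcat emit userPassword (and non-ASCII
    # DNs) as "attr:: <base64>", and the {SCHEME} prefix is only visible decoded
    function b64decode(s,    out, i, ch, v, bits, nbits, c) {
        out = ""; bits = 0; nbits = 0
        for (i = 1; i <= length(s); i++) {
            ch = substr(s, i, 1)
            if (ch == "=") break
            v = index(B64, ch) - 1
            if (v < 0) continue
            bits = bits * 64 + v; nbits += 6
            if (nbits >= 8) {
                nbits -= 8
                c = int(bits / (2 ^ nbits))
                out = out sprintf("%c", c)
                bits -= c * (2 ^ nbits)
            }
        }
        return out
    }
    function report() { if (dn != "") printf "%s %s\n", scheme, dn }
    /^dn: /  { report(); dn = substr($0, 5); scheme = "NONE"; next }
    /^dn:: / { report(); dn = b64decode(substr($0, 6)); scheme = "NONE"; next }
    /^userPassword:/ {
        # "userPassword:: <base64>" or "userPassword: <value>"
        if (substr($0, 13, 2) == "::") val = b64decode(substr($0, 16))
        else val = substr($0, 15)
        # "{SSHA}...", "{CRYPT}..." etc. carry a scheme; anything else is the raw password
        e = index(val, "}")
        if (substr(val, 1, 1) == "{" && e > 2) scheme = toupper(substr(val, 2, e - 2))
        else scheme = "CLEARTEXT"
        next
    }
    END { report() }'
}

# constructed ldapsearch-style export: hashed, cleartext, crypt and no password
SAMPLE_EXPORT='dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9WUFsZjE2MHlCQVUyZGd5NFVrbE9LOXNybmtWZ2JKaXpTM3dDQlE9PQ==

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: secret123

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
userPassword:: e0NSWVBUfSQ2JHNhbHRzYWx0JGhhc2g=

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
'

if [ $# -eq 0 ]; then
    printf '%s' "$SAMPLE_EXPORT" | audit_password_schemes   # demo on the sample
else
    audit_password_schemes < "$1"                            # audit a real export
fi
```

Feed it the real export with something like `ldapsearch -x -H ldap://old-server -D "cn=admin,dc=example,dc=com" -W -b dc=example,dc=com userPassword | audit_password_schemes` (host and bind DN are placeholders; the identity you bind as must be allowed to read userPassword, or every entry shows up as NONE). Entries reported as CLEARTEXT should be hashed with slappasswd before the ldapadd, since ldapadd stores the userPassword value exactly as given.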
