When you can't configure OpenLDAP replication but still need a reliable backup, LDIF export/import is the most practical approach. The export is a point-in-time copy of every entry the bind account is allowed to read (not a transactionally consistent snapshot, which only slapcat gives you), and it can be loaded into another server with ldapadd.
The most straightforward method uses ldapsearch to dump your entire LDAP directory:
ldapsearch -x -ZZ -H ldap://your.ldap.server -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -y /etc/ldap/backup.pw -LLL > full_backup.ldif
-LLL drops the comments and the trailing search:/result: lines, so the output is plain LDIF that ldapadd accepts without complaint. -y reads the bind password from a file (mode 0600, written without a trailing newline, since the whole file content is the password) instead of -w, which exposes it in the process list and shell history. -ZZ refuses to continue unless StartTLS succeeds, so password hashes and personal data don't cross the network in clear. Two limits to keep in mind: the dump contains only the attributes the bind DN's ACLs allow it to read, and a server-side sizelimit caps the number of entries returned. In that case ldapsearch still writes the partial result but exits with status 4 (sizeLimitExceeded), so always check its exit status.
Create a daily cron job that:
- Executes the export
- Compresses the output
- Transfers it to your backup server
Example script (/usr/local/bin/ldap_backup.sh):
#!/bin/bash
set -eu
DATE=$(date +%Y%m%d)
BACKUP_FILE="/backups/ldap/ldap_backup_${DATE}.ldif.gz"
umask 077   # the dump contains password hashes: keep it owner-readable only
# Export to a plain file first so a failed or truncated search (non-zero exit, e.g. 4 for
# sizelimit exceeded) aborts the script before anything is compressed or shipped.
# /etc/ldap/backup.pw is a 0600 file holding the bind password (example path).
ldapsearch -x -ZZ -H ldap://your.ldap.server -b "dc=example,dc=com" \
-D "cn=admin,dc=example,dc=com" -y /etc/ldap/backup.pw -LLL > "${BACKUP_FILE%.gz}"
gzip -f "${BACKUP_FILE%.gz}"
scp -i /root/.ssh/ldap_backup_key "${BACKUP_FILE}" backupuser@backup.server:/remote/backup/path/
On your secondary server, use ldapadd to restore the data into a database configured with the same suffix:
zcat full_backup.ldif.gz | ldapadd -x -ZZ -H ldap://backup.ldap.server \
-D "cn=admin,dc=example,dc=com" -y /etc/ldap/standby.pw
The target database should be empty: ldapadd fails with "Already exists (68)" on entries that are present, and even with -c (continue on error) it only adds missing entries, never updates changed ones or removes deleted ones. Entries are added in file order, so a child listed before its parent fails with "No such object (32)"; ldapsearch output is normally parent-first, but check it if you have edited or merged files.
For directories with millions of entries:
- Use slapcat for faster, consistent exports (it reads the database files directly, so it must run on the LDAP server host with access to the slapd config and database, usually as root)
- Split large LDIF files before import, cutting only at the blank line between entries so no record is torn apart
- Parallelise only across independent subtrees, and load the suffix and container entries first; within one subtree the order has to stay parent-before-child
Always include verification steps in your script:
# Count entries in backup
ENTRIES=$(zgrep -c "^dn:" "${BACKUP_FILE}")
# Compare with live server count (a second search; a few entries may legitimately change in between)
LIVE_COUNT=$(ldapsearch -x -ZZ -H ldap://your.ldap.server -b "dc=example,dc=com" \
-D "cn=admin,dc=example,dc=com" -y /etc/ldap/backup.pw -LLL | grep -c "^dn:")
if [ "$ENTRIES" -lt "$((LIVE_COUNT - 10))" ]; then
echo "Backup appears incomplete" | mail -s "LDAP Backup Alert" admin@example.com
fi
This catches a dump that stopped early, but not one truncated by the server's sizelimit, because the comparison search hits the same limit; for that, check the exit status of the export itself (4 means sizeLimitExceeded).
For more advanced scenarios:
- phpLDAPadmin: GUI-based export/import
- Apache Directory Studio: Visual LDIF management
- ldap2ldif: Specialized conversion tool
Remember to:
- Encrypt LDIF files at rest and in transit: they contain password hashes and personal data
- Use a dedicated SSH key (restricted to the backup destination) for automated transfers
- Keep the bind password in a 0600 file read with -y, never on the command line, and give the backup account read-only access
When working with OpenLDAP in production environments where you can't modify the master server's configuration (for example to enable syncrepl replication), you need an alternative way to keep a standby server populated. LDIF export/import works within that constraint, with one caveat to be clear about: it is a periodic copy, not replication. Changes made between runs are not on the standby, and re-importing with ldapadd propagates neither modifications nor deletions, so a standby that must match the master has to be reloaded from scratch each cycle.
Here's a complete implementation using standard LDAP tools that can be automated via cron:
#!/bin/bash
# Daily OpenLDAP backup and sync script
set -eu
BACKUP_DIR="/var/ldap_backups"
REMOTE_SERVER="backup.ldap.example.com"
BASE_DN="dc=example,dc=com"
BIND_DN="cn=admin,dc=example,dc=com"
PW_FILE="/etc/ldap/backup.pw"   # 0600, no trailing newline; -W would prompt and hang under cron
SSH_KEY="/root/.ssh/ldap_backup_key"
BACKUP_FILE="$BACKUP_DIR/ldap_backup_$(date +%Y%m%d).ldif"
umask 077
# Export from master; the exit status is the LDAP result code (4 = sizelimit exceeded, partial dump)
ldapsearch -x -ZZ -D "$BIND_DN" -y "$PW_FILE" -b "$BASE_DN" -LLL > "$BACKUP_FILE"
# Compress the backup (produces $BACKUP_FILE.gz)
gzip -f "$BACKUP_FILE"
# Transfer to backup server (rsync over SSH with a dedicated key)
rsync -az -e "ssh -i $SSH_KEY" "$BACKUP_DIR/" "admin@$REMOTE_SERVER:/remote/backup/path/"
# Import on backup server (executed remotely via SSH). -c skips entries that already exist,
# but it never updates changed entries or removes deleted ones; reload an empty database for a faithful copy.
ssh -i "$SSH_KEY" "admin@$REMOTE_SERVER" "zcat /remote/backup/path/$(basename "$BACKUP_FILE").gz \
  | ldapadd -x -ZZ -D '$BIND_DN' -y /etc/ldap/standby.pw -c"
For larger directories, consider these optimizations:
- Run parallel ldapsearch exports on separate OUs, and export the suffix and container entries first so the standby can load them before the subtrees:
ldapsearch -x -ZZ -D "$BIND_DN" -y "$PW_FILE" -b "ou=users,$BASE_DN" -LLL
- Use paged results (-E pr=1000/noprompt) so the server returns the result in pages instead of building one huge response
- Verify a checksum (sha256sum on both ends) after transfer
Make your script robust with proper error checking:
rc=0
ldapsearch -x -ZZ -D "$BIND_DN" -y "$PW_FILE" -b "$BASE_DN" -LLL > "$BACKUP_FILE" || rc=$?
if [ "$rc" -ne 0 ]; then
# rc is the LDAP result code; 4 (sizeLimitExceeded) means the file holds only a partial dump
rm -f "$BACKUP_FILE"
echo "LDAP export failed with result code $rc" | mail -s "LDAP Backup Alert" admin@example.com
exit 1
fi
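The two scripts on this page (the cron job in the first section and the sync script above) can be combined into one hardened version. This is an added example, not code from the original page; every host name, DN, path, key and mail address in it is a placeholder. It fails closed on a non-zero ldapsearch status (a sizelimit-truncated dump exits 4), checks that the suffix entry is present and that the entry count did not collapse since the previous run, encrypts the dump to a GPG key before it leaves the host, and ships it with a restricted SSH key.

```shell
#!/bin/sh
# Added example: hardened daily LDIF export for cron. All hosts, DNs, paths and the GPG
# recipient below are placeholders (assumptions), not values from the original page.
set -eu

LDAP_URI="ldap://ldap.example.com"              # assumption; server must offer StartTLS for -ZZ
BASE_DN="dc=example,dc=com"                     # assumption
BIND_DN="cn=backup,dc=example,dc=com"           # assumption: dedicated read-only account
PW_FILE="/etc/ldap/backup.pw"                   # assumption: mode 0600, written with printf '%s' (no newline)
BACKUP_DIR="/var/backups/ldap"                  # assumption
GPG_RECIPIENT="ldap-backup@example.com"         # assumption: public key held by the restore host, imported and trusted
SSH_KEY="/etc/ldap/backup_ssh_key"              # assumption: restricted key used only for this copy
REMOTE="backupuser@backup.example.com:/srv/ldap-backups/"   # assumption
ALERT_TO="admin@example.com"                    # assumption
MAX_DROP=10                                     # tolerated entry-count shrinkage between runs

# Number of LDIF records in a file: each entry starts with "dn:" ("dn::" when base64-encoded).
count_ldif_entries() {
    grep -c '^dn:' "$1" || true
}

# The dump must contain the suffix entry itself; without it a restore has nothing to attach
# child entries to. Fixed-string, case-insensitive, whole-line match.
ldif_has_suffix() {
    grep -qixF "dn: $2" "$1"
}

# A backup that shrank by more than the tolerance versus the previous run is suspect
# (truncated export, wrong base, ACL change). Arguments: new_count previous_count tolerance.
backup_not_shrunk() {
    [ "$1" -ge $(($2 - $3)) ]
}

alert() {
    printf '%s\n' "$2" | mail -s "$1" "$ALERT_TO" || true
}

run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    ldif="$BACKUP_DIR/ldap-$stamp.ldif"
    umask 077                               # plaintext dump holds password hashes: owner-only
    mkdir -p "$BACKUP_DIR"

    # -ZZ: require StartTLS; -y: password from file, not the process list; -LLL: plain LDIF
    # without comments or the search:/result: trailer; ldif-wrap=no: no 76-column folding.
    # The exit status is the LDAP result code; 4 means the server sizelimit cut the dump short.
    rc=0
    ldapsearch -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" -b "$BASE_DN" \
        -LLL -o ldif-wrap=no '(objectClass=*)' > "$ldif" || rc=$?
    if [ "$rc" -ne 0 ]; then
        rm -f "$ldif"
        alert "LDAP backup failed" "ldapsearch exited with LDAP result code $rc (4 = sizelimit exceeded, partial dump)"
        exit 1
    fi

    count=$(count_ldif_entries "$ldif")
    if ! ldif_has_suffix "$ldif" "$BASE_DN"; then
        alert "LDAP backup failed" "suffix entry $BASE_DN missing from $ldif"
        exit 1
    fi
    prev=$(cat "$BACKUP_DIR/last_count" 2>/dev/null || printf '%s' "$count")
    if ! backup_not_shrunk "$count" "$prev" "$MAX_DROP"; then
        alert "LDAP backup suspicious" "entry count dropped from $prev to $count; keeping $ldif for inspection"
        exit 1
    fi
    printf '%s\n' "$count" > "$BACKUP_DIR/last_count"

    # Encrypt at rest before the file leaves the host, then drop the plaintext.
    gzip -f "$ldif"
    gpg --batch --yes -r "$GPG_RECIPIENT" -o "$ldif.gz.gpg" -e "$ldif.gz"
    rm -f "$ldif.gz"
    scp -q -i "$SSH_KEY" "$ldif.gz.gpg" "$REMOTE"
    find "$BACKUP_DIR" -name 'ldap-*.ldif.gz.gpg' -mtime +30 -delete   # local retention: 30 days (GNU/BSD find)
}

# cron line: 30 2 * * * /usr/local/bin/ldap_backup.sh run
# Without the "run" argument the file only defines the functions, which makes them testable.
if [ "${1-}" = "run" ]; then
    run_backup
fi
```

Invoke it as ldap_backup.sh run from cron. Create the password file once with printf '%s' 'secret' > /etc/ldap/backup.pw and chmod 600 on it, because -y uses the file's entire content, newline included. Sourcing the script without the run argument only defines the helper functions, so the count and shrinkage checks can be exercised against a hand-made LDIF before the job is trusted.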
- Store credentials in a separate file with restricted permissions (0600) and pass it with -y; never put the password on the command line
- Use TLS for all LDAP operations (the -ZZ flag for StartTLS, or an ldaps:// URI)
- Prune old backup files on a retention schedule, and encrypt them at rest: they hold password hashes
- Consider slapcat instead of ldapsearch for complete data fidelity: it reads the database directly, so ACLs and sizelimit don't apply and operational attributes are included, but it must run on the server host with access to the slapd config and database files (usually root). Restore its output with slapadd into a stopped slapd; if you have to load it with ldapadd instead, strip the operational attributes (entryUUID, entryCSN, createTimestamp and friends) first, because ldapadd rejects them with "no user modification allowed"
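Two of the points above need tooling: splitting a large LDIF on entry boundaries (the "millions of entries" section) and making slapcat output loadable with ldapadd (the last bullet). The following shell functions, an added example rather than code from the original page, do both in awk and also check that parents precede children before an import. The operational-attribute list is an assumption based on what slapcat emits for a stock OpenLDAP; extend it if your overlays add more.

```shell
#!/bin/sh
# Added example: LDIF record handling in awk. Not code from the original page; the attribute
# list is an assumption (what slapcat writes for a stock OpenLDAP without extra overlays).
set -eu

# Strip the operational attributes slapcat writes (entryUUID, entryCSN, ...), which a normal
# ldapadd rejects with "no user modification allowed". Folded continuation lines (leading
# space) of a removed attribute are removed with it; everything else passes unchanged.
ldif_strip_operational() {   # ldif_strip_operational [file...]  (stdin when no file)
    awk '
        /^ /  { if (skip) next; print; next }   # continuation of the previous attribute
              { skip = 0 }
        /^(structuralObjectClass|entryUUID|entryCSN|contextCSN|creatorsName|createTimestamp|modifiersName|modifyTimestamp):/ { skip = 1; next }
              { print }
    ' "$@"
}

# Split an LDIF file into chunks of N entries, cutting only at the blank line that ends a
# record (awk paragraph mode), so no entry is torn across files. Order is preserved, and it
# matters: load the chunks in sequence, because parents must exist before their children.
ldif_split() {   # ldif_split file entries_per_chunk output_prefix  ->  prefix0000.ldif, prefix0001.ldif, ...
    awk -v n="$2" -v prefix="$3" '
        BEGIN { RS = ""; ORS = "\n\n" }
        index("\n" $0, "\ndn:") == 0 { next }         # comment-only block (ldapsearch header)
        {
            file = sprintf("%s%04d.ldif", prefix, int(c / n))
            if (file != last) { if (last != "") close(last); last = file }
            c++
            print > file
        }
    ' "$1"
}

# Verify that every entry'"'"'s parent appears earlier in the file (the first record is taken
# to be the suffix). ldapadd stops with "No such object (32)" on the first child that arrives
# before its parent, so run this on hand-edited or merged files before importing. The DN
# comparison is simplified: lower-cased, split at the first unescaped comma, spaces after the
# comma ignored; base64-encoded "dn::" lines are not decoded and are skipped.
ldif_check_order() {   # exit 0 when ordered, 1 otherwise; offending DNs go to stdout
    awk '
        BEGIN { RS = ""; bad = 0 }
        {
            gsub("\n ", "")                        # unfold continuation lines first
            m = split($0, line, "\n"); dn = ""
            for (i = 1; i <= m; i++)
                if (substr(line[i], 1, 4) == "dn: ") { dn = tolower(substr(line[i], 5)); break }
            if (dn == "") next
            parent = ""
            for (i = 1; i <= length(dn); i++) {
                ch = substr(dn, i, 1)
                if (ch == "\\") { i++; continue }  # skip the escaped character
                if (ch == ",") { parent = substr(dn, i + 1); break }
            }
            sub(/^ */, "", parent)
            if (count++ > 0 && !(parent in seen)) { printf "out of order: %s\n", dn; bad = 1 }
            seen[dn] = 1
        }
        END { exit bad }
    ' "$1"
}
```

Typical sequence when the standby must be fed through ldapadd: slapcat -l dump.ldif on the master, then ldif_strip_operational dump.ldif > clean.ldif, ldif_check_order clean.ldif, ldif_split clean.ldif 5000 part- and ldapadd with -f on part-0000.ldif onward, in order. If you control the standby fully, skip all of this and use slapadd -l dump.ldif against a stopped slapd, which keeps the operational attributes and is much faster.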