Complete Guide: Migrating OpenLDAP (2.4.40+) cn=config Configuration, Schema, and Database to New Server


2 views

When migrating an OpenLDAP 2.4.40+ server using dynamic cn=config configuration (as opposed to static slapd.conf), we need to transfer three critical components:

  • Database contents (entries)
  • Dynamic runtime configuration (cn=config tree)
  • Custom schema definitions

Ensure both source and destination servers have identical OpenLDAP versions installed. The target machine should have a clean OpenLDAP installation with no existing data.

# On both machines:
sudo apt-get install slapd ldap-utils
sudo systemctl stop slapd

Use ldapsearch to extract the entire configuration tree:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL -o ldif-wrap=no > config.ldif

Important: Edit the resulting config.ldif to remove:

  • Any dynamic modules (olcModuleLoad) if your new server has different paths
  • Server-specific paths (olcTLSCertificateFile, etc.)
  • Replication metadata if present

Custom schemas can be extracted separately:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -LLL -o ldif-wrap=no > schema.ldif

For individual custom schemas:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn={X}custom_schema,cn=schema,cn=config -LLL -o ldif-wrap=no > custom_schema.ldif

For slapd.d backend (recommended method):

# On source server:
sudo slapcat -n 0 > config_backup.ldif
sudo slapcat -n 1 > data_backup.ldif

# On destination server:
sudo systemctl stop slapd
sudo rm -rf /etc/ldap/slapd.d/*
sudo slapadd -n 0 -F /etc/ldap/slapd.d -l config_backup.ldif
sudo slapadd -n 1 -F /etc/ldap/slapd.d -l data_backup.ldif
sudo chown -R openldap:openldap /etc/ldap/slapd.d

After migration, verify the data integrity:

sudo slapcat -n 1 | grep -c "dn:"
ldapsearch -x -b dc=example,dc=com -H ldap://localhost -s sub "(objectclass=*)" | grep numEntries

If you've added custom attributeTypes or objectClasses:

  1. Extract them from the source server as shown above
  2. Compare with default schemas to avoid conflicts
  3. Load them before importing data that uses them

Example custom schema loading:

ldapadd -Y EXTERNAL -H ldapi:/// -f custom_schema.ldif

After migration, update these in the new config.ldif:

  • Network interfaces (olcListener*)
  • TLS certificates path
  • Logging locations
  • Any IP/hostname specific configurations

Remember to restart the service:

sudo systemctl start slapd
sudo systemctl status slapd

Common issues and solutions:

# Permission issues:
sudo chown -R openldap:openldap /var/lib/ldap

# Schema validation errors:
slaptest -F /etc/ldap/slapd.d -u

# Missing indexes:
sudo slapindex -F /etc/ldap/slapd.d

When migrating an OpenLDAP server using cn=config (OLC) configuration, we need to handle three critical components:

  1. The dynamic configuration (cn=config database)
  2. Custom schema definitions
  3. The actual directory data (database files)

For cn=config based installations, we'll use slapcat to export the configuration database:

# Export configuration only
slapcat -n 0 -l config.ldif

# Verify the exported configuration
head -n 20 config.ldif

Custom schemas are stored in the cn=config tree under cn=schema,cn=config. They'll be automatically included in the previous export, but if you need to handle them separately:

# Export specific schema
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn={X}core,cn=schema,cn=config > core_schema.ldif

# Clean up the exported schema (remove operational attributes)
sed -i '/^structuralObjectClass:/d;/^entryUUID:/d;/^creatorsName:/d;/^createTimestamp:/d;/^entryCSN:/d;/^modifiersName:/d;/^modifyTimestamp:/d' core_schema.ldif

For the actual directory data (main database):

# Export main database (adjust -n parameter for your database index)
slapcat -n 1 -l data.ldif

# For very large databases, consider splitting the output
slapcat -n 1 | split -l 10000 -d - data_part_

On the new machine after installing OpenLDAP:

# First, stop the slapd service if running
systemctl stop slapd

# Clean the default configuration
rm -rf /etc/ldap/slapd.d/*

# Import the configuration
slapadd -n 0 -F /etc/ldap/slapd.d -l config.ldif

# Fix permissions
chown -R openldap:openldap /etc/ldap/slapd.d

# Import the data
slapadd -n 1 -l data.ldif

# Verify the data
slapcat -n 1 | head -n 20

After restarting the service (systemctl start slapd), verify the migration:

# Check configuration
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

# Test data access
ldapsearch -x -H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -W

If you encounter problems:

  • Check /var/log/syslog for slapd errors
  • Verify DB_CONFIG file exists in your database directory
  • Ensure all schema files are properly referenced in the configuration
  • Check for duplicate or conflicting schema definitions

Before decommissioning the old server:

  1. Configure replication to catch any changes during migration
  2. Update DNS records or load balancers
  3. Test client applications thoroughly
  4. Schedule a maintenance window for final switchover

For frequent migrations, consider this bash script template:

#!/bin/bash
# OpenLDAP Migration Script
BACKUP_DIR="/backup/ldap-migration-$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR

# Export configuration and data
slapcat -n 0 -l $BACKUP_DIR/config.ldif
slapcat -n 1 -l $BACKUP_DIR/data.ldif

# Compress and transfer to new server
tar czf $BACKUP_DIR/ldap-migration.tar.gz $BACKUP_DIR/*
scp $BACKUP_DIR/ldap-migration.tar.gz new-server:/tmp/