OpenLDAP Backup Strategies: slapcat vs ldapsearch – Performance, Syntax and Recovery Considerations


When working with OpenLDAP (here version 2.4.23), administrators have two primary approaches to backup operations: slapcat/slapadd, which work on the database files directly, and ldapsearch/ldapadd, which go through the LDAP protocol.

# Basic slapcat backup example:
slapcat -f /etc/openldap/slapd.conf -b "dc=db_1" -l db_1_backup.ldif

# Corresponding restore with slapadd (same config file and suffix as the dump):
slapadd -f /etc/openldap/slapd.conf -b "dc=db_1" -l db_1_backup.ldif

Key characteristics:

  • Operates directly on Berkeley DB files (backend storage)
  • Outputs complete database contents including operational attributes
  • Doesn't require authentication (runs as OpenLDAP system user)
  • Restore requires database to be empty and slapd stopped

# Basic ldapsearch backup (-x selects a simple bind; without it the -D/-W
# credentials are ignored and a SASL bind is attempted):
ldapsearch -x -D "cn=root,dc=db_1" -W -b "dc=db_1" "(objectClass=*)" -LLL > backup.ldif

# Corresponding restore with ldapadd:
ldapadd -x -D "cn=root,dc=db_1" -W -f backup.ldif

Key characteristics:

  • Works through LDAP protocol (port 389)
  • Requires proper authentication and access rights
  • Can perform selective backups using search filters
  • Restore can be done while server is running

Data Fidelity

slapcat preserves:

  • Internal database IDs
  • Replication metadata (contextCSN)
  • Entry modification timestamps

ldapsearch doesn't return operational attributes unless they are explicitly requested (by naming them, or with the "+" attribute selector), so a plain ldapsearch export lacks the replication and audit metadata that a slapcat dump carries.

Performance Considerations

For large directories:

  • slapcat is generally faster (direct file access)
  • ldapsearch may cause memory spikes during large exports
  • slapcat doesn't impact client connections

#!/bin/bash
# Automated backup script: run from cron as a user that can read the database files.
set -e
DATE=$(date +%Y%m%d)
BACKUP_DIR="/var/backups/ldap"
CONF="/etc/openldap/slapd.conf"
BIND_DN="cn=admin,dc=example,dc=com"

# Option 1: slapcat backup
slapcat -f "$CONF" -b "dc=example,dc=com" -l "$BACKUP_DIR/full_$DATE.ldif"
gzip "$BACKUP_DIR/full_$DATE.ldif"

# Option 2: ldapsearch backup
# -W prompts for the password, so this line cannot run unattended from cron;
# for a scheduled job read the password from a root-only file with -y <file>.
ldapsearch -x -D "$BIND_DN" -W -b "dc=example,dc=com" "(objectClass=*)" > \
  "$BACKUP_DIR/search_$DATE.ldif"

# Cleanup old backups (everything older than 30 days in the backup directory)
find "$BACKUP_DIR" -type f -mtime +30 -delete

Complete Database Recovery

# Requires slapd to be stopped
/etc/init.d/slapd stop
slapadd -l full_backup.ldif
/etc/init.d/slapd start

Partial Restore via ldapadd

# Can run while server is operational
ldapadd -x -D "$BIND_DN" -W -f partial.ldif

General recommendations:

  • Use slapcat for complete system backups (cron jobs)
  • Use ldapsearch for partial/migration backups
  • Consider encrypting backup files containing sensitive data
  • Test restore procedures regularly

When working with OpenLDAP (version 2.4.23-34.el6), administrators have two primary approaches for database backups:

# Slapcat method (direct database access)
slapcat -f /etc/openldap/slapd.conf -b "dc=db_1" -l db_1_backup.ldif

# Ldapsearch method (LDAP protocol access); -x for a simple bind, and a
# filter that matches every entry rather than only the suffix entry
ldapsearch -x -D "cn=root,dc=db_1" -W -b "dc=db_1" "(objectClass=*)" -LLL > db_1_backup2.ldif

slapcat/slapadd characteristics:

  • Operates at database backend level (Berkeley DB)
  • No authentication required (direct file access)
  • Produces complete database dump including operational attributes
  • Restore requires slapd service stoppage

ldapsearch/ldapadd characteristics:

  • Works through LDAP protocol layer
  • Requires binding with credentials
  • Output may miss internal operational attributes
  • Can restore without service interruption

For crontab-based backup scripts, consider these practical factors:

#!/bin/bash
# Recommended slapcat backup script
BACKUP_DIR="/var/backups/ldap"
DATE=$(date +%Y%m%d)
slapcat -b "dc=example,dc=com" -l "${BACKUP_DIR}/ldap_backup_${DATE}.ldif"
gzip "${BACKUP_DIR}/ldap_backup_${DATE}.ldif"
find "${BACKUP_DIR}" -name "ldap_backup_*.ldif.gz" -mtime +30 -delete

Slapadd restoration:

# On a systemd host; the el6 release named above uses "service slapd stop/start"
systemctl stop slapd
slapadd -l full_backup.ldif
systemctl start slapd

Ldapadd restoration:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f partial_backup.ldif

For large-scale deployments, consider these optimizations:

  • Parallel backups using multiple slapcat processes with different search bases
  • Incremental backups using ldapsearch with timestamp filters
  • Binary backup alternatives (e.g., db_archive for Berkeley DB backends)

Important security notes for both methods:

  • slapcat output contains every attribute of every entry, including password hashes (userPassword) and operational attributes, so the dump is as sensitive as the database itself
  • ldapsearch requires proper ACL configuration to access all data
  • Backup files should be encrypted in transit and at rest
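The cron scripts above rotate old dumps away without checking that the new dump is usable, and the Data Fidelity and security notes explain what a dump should contain. The following added example (not from the original page) shows offline checks a backup job can run on an LDIF file before keeping it: entry count, whether it is a full slapcat-style dump or a partial ldapsearch export, whether it carries password hashes, and a size-regression guard against a failed export. The file names and the sample entries are constructed.

```shell
#!/bin/sh
# Offline sanity checks for an LDIF dump before it replaces the previous
# backup. Added example, not from the page; paths and entries are constructed.

# Entry count: each entry starts with a "dn:" line (folded continuation
# lines start with a space and are not counted).
ldif_entry_count() {
    awk '/^dn:/ { n++ } END { print n + 0 }' "$1"
}

# "full" if the dump carries the operational attributes slapcat writes and
# ldapsearch omits unless asked for (entryUUID, entryCSN, contextCSN).
ldif_dump_kind() {
    awk 'tolower($0) ~ /^(entryuuid|entrycsn|contextcsn):/ {
             k = tolower($1); if (!(k in s)) { s[k] = 1; n++ } }
         END { print (n == 3) ? "full" : "partial" }' "$1"
}

# Entries carrying userPassword: such a file must be encrypted at rest.
ldif_password_entries() {
    awk 'tolower($0) ~ /^userpassword:/ { n++ } END { print n + 0 }' "$1"
}

# Accept NEW ($1) only if it has entries and holds at least MIN_PERCENT ($3)
# of the entries in PREVIOUS ($2): a failed slapcat leaves an empty or tiny file.
ldif_accept_dump() {
    new=$(ldif_entry_count "$1")
    [ "$new" -gt 0 ] || return 1
    [ -f "$2" ] || return 0            # nothing to compare against yet
    old=$(ldif_entry_count "$2")
    [ "$old" -eq 0 ] || [ $((new * 100 / old)) -ge "$3" ]
}

# Constructed samples: a slapcat-style dump and an ldapsearch -LLL export.
T=${TMPDIR:-/tmp}
cat > "$T/full.ldif" <<'EOF'
dn: dc=example,dc=com
dc: example
entryUUID: 4f0c1a2e-0000-1000-8000-000000000001
entryCSN: 20240101000000.000000Z#000000#000#000000
contextCSN: 20240101000000.000000Z#000000#000#000000

dn: uid=alice,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
entryUUID: 4f0c1a2e-0000-1000-8000-000000000002
entryCSN: 20240101000001.000000Z#000000#000#000000
EOF
printf 'dn: dc=example,dc=com\ndc: example\n\ndn: uid=alice,dc=example,dc=com\nuid: alice\n' > "$T/partial.ldif"
```

In a cron job, call ldif_accept_dump on the fresh slapcat output against the last kept dump before gzipping it and before the find ... -delete step, so a failed export never displaces a good backup.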