Migrating OpenLDAP


At Sirius, we eat our own cooking (as the Italians say... No 'Dog Food' here!), which means our own infrastructure is built from the world's greatest Open Source software!

I'm an Open Source Support Engineer, and part of my job is keeping our own internal systems up to date. This week it was the turn of our Identity Management system, which is built around OpenLDAP.

LDAP (Lightweight Directory Access Protocol) is the 'language' that Directory Servers 'speak', and it provides user identification and authentication. Microsoft's Active Directory is based on it, as are almost all other proprietary Directory Servers. Whenever one of our team wants to log in to something, use any of our systems, or even check their email, the system asks the Directory Server for permission and only lets the team member in if their username and password are correct. Unlike Active Directory, OpenLDAP doesn't charge per user.

We have used OpenLDAP since our founding in 1998, and have found it rock-solid, lightning fast, and incredibly easy to maintain. In fact it's so easy that you just forget it's even there, as it has performed flawlessly for over two decades now! Anyway, it was time to bump OpenLDAP to the latest production version on our Linux servers, and I thought I'd share just how simple and painless the whole operation was.

Here's an overview of the process, and I've got to tell you, it makes it seem way more complicated than it is!

  • Shut down OpenLDAP (at an appropriate time! My shift is outside business hours. Of course with a cluster you just do each one in turn.)
  • Export the OpenLDAP database to LDIF (LDAP Data Interchange Format).
  • Do the upgrade and restart OpenLDAP.
  • Update slapd (the LDAP 'daemon').
  • Remove the old database.
  • Import the LDIF.
  • Bring OpenLDAP back up.
  • Check that everything's working!

So here is exactly what I did:

OpenLDAP keeps our directory in its database, but the configuration is in text files, like most Open Source programs. Or at least it was. In recent versions of OpenLDAP the configuration has moved into a database too, which is clever... It's pretty simple to create that configuration database from the legacy configuration file:

sudo mkdir /etc/ldap/slapd.d

sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d

So the first database (number 0) is now the configuration and the second (number 1) is the directory data as usual, so we slapcat each one into its own file and copy both to our new OpenLDAP server:

sudo slapcat -n 0 -l config.ldif

sudo slapcat -n 1 -l database.ldif

On the new server we just do the opposite (with slapd stopped, as in the overview above), but first delete anything in /etc/ldap/slapd.d, or else this won't work:

sudo slapadd -F /etc/ldap/slapd.d -n 0 -l config.ldif

sudo slapadd -F /etc/ldap/slapd.d -n 1 -l database.ldif
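The export, import and final check as one script, with the checks a practitioner would put around them: this is an added example rather than the post's own commands, and it assumes the Debian/Ubuntu layout used above (config in /etc/ldap/slapd.d, data in /var/lib/ldap owned by the openldap user), systemd, and the mdb backend; the function and variable names are the example's own.

```shell
#!/bin/bash
# Added example, not the post's own commands. Assumes the post's Debian/Ubuntu layout
# (config in /etc/ldap/slapd.d, data in /var/lib/ldap owned by "openldap"), systemd, mdb.
set -eu
CONF_DIR=/etc/ldap/slapd.d; DATA_DIR=/var/lib/ldap; LDAP_USER=openldap
export_directory() {   # old server, slapd stopped so the snapshot is consistent
  sudo systemctl stop slapd
  sudo slapcat -F "$CONF_DIR" -n 0 -l config.ldif    # -n 0: the configuration database
  sudo slapcat -F "$CONF_DIR" -n 1 -l database.ldif  # -n 1: the directory itself
}
# New server: slapadd -n 0 needs an empty config dir, and under sudo it writes the
# files as root, so hand them back to the service user before slapd starts.
import_directory() {
  sudo systemctl stop slapd
  sudo rm -rf "$CONF_DIR" "$DATA_DIR"; sudo mkdir -p "$CONF_DIR" "$DATA_DIR"
  sudo slapadd -F "$CONF_DIR" -n 0 -l config.ldif
  sudo slapadd -F "$CONF_DIR" -n 1 -l database.ldif
  sudo chown -R "$LDAP_USER:$LDAP_USER" "$CONF_DIR" "$DATA_DIR"
  sudo slaptest -F "$CONF_DIR" -u          # -u: dry-run check of the imported config
  sudo systemctl start slapd
}
# One "dn:" line per entry ("dn::" = base64 DN); continuation lines start with a space.
ldif_count() { grep -Ec '^dn::? ' "$1"; }
ldif_dns()   { grep -E  '^dn::? ' "$1" | sort; }
same_dns()   { [ "$(ldif_dns "$1")" = "$(ldif_dns "$2")" ]; }   # DN-level check only
# Password schemes in an export, e.g. "{SSHA}". slapcat base64-encodes userPassword,
# so decode it first; a value with no {SCHEME} prefix is stored in cleartext.
ldif_pw_schemes() {
  grep -E '^userPassword::? ' "$1" | while read -r attr val; do
    [ "$attr" = "userPassword::" ] && val=$(printf '%s' "$val" | base64 -d)
    case "$val" in \{*\}*) printf '%s\n' "$val" | sed 's/}.*/}/' ;; *) echo CLEARTEXT ;; esac
  done | sort | uniq -c
}
verify_migration() {   # the post's last step: the new server holds exactly the exported DNs
  sudo slapcat -F "$CONF_DIR" -n 1 -l after.ldif && same_dns database.ldif after.ldif
}
# Constructed sample export (not real data) for exercising the checks offline.
SAMPLE_LDIF=$(cat <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: hunter2
EOF
)
```

Run export_directory on the old server, copy the two LDIF files across, then import_directory and verify_migration on the new one; ldif_pw_schemes database.ldif before the import shows whether any cleartext or legacy hashes are about to be carried over.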

While we're here, a personal note... I’ve found that 'shelldap' is a good way of browsing through the database, or you could use something like GOsa.

Happy days – we’ve now migrated our OpenLDAP database onto a new server, and without even breaking a sweat!