LDAP - Migrate the current LDAP Database to a new domain
Here is how I migrated the current LDAP database to a new domain:
* Export the old LDAP database to ldif file.
* Delete the old database
* Create a new LDAP database with the new domain name
* Modify the exported ldif file above to fit the new domain (the root dn)
* Import the modified ldif file into the new database
Assuming I have a new domain name:
dc=my,dc=new,dc=ldap,dc=domain
And I want to move all of the existing LDAP data to the new one.
I did the following steps:
0. Backup the old LDAP database:
# slapcat -v -l old_ldap.ldif
1. Stop the OpenLDAP server:
# service slapd stop
2. Delete old LDAP database:
# cd /var/lib/ldap
# rm -rf *
3. Make sure LDAP is still not running, then create a new DB_CONFIG file for the new database:
# nano /var/lib/ldap/DB_CONFIG
add the following lines and save:
#DB_CONFIG
set_cachesize 0 150000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
4. Change the current LDAP settings:
+ /etc/ldapscripts/ldapscripts.conf:
...
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
...
+ /etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif:
...
olcSuffix: dc=my,dc=new,dc=ldap,dc=domain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * none
olcAccess: {2}to * by self write by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * read
olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
olcRootPW:: <new administrator password>
...
5. Prepare the new LDAP directory structure and data in new_ldap.ldif (or modify old_ldap.ldif to use the new DN):
# Root
dn: dc=my,dc=new,dc=ldap,dc=domain
description: New LDAP BaseDN
dc: my
o: parent.ssis.edu.vn
objectClass: top
objectClass: dcObject
objectClass: organization
structuralObjectClass: organization
# administrator
dn: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: <new administrator password>
structuralObjectClass: organizationalRole
# Subtree for Users
dn: ou=Users,dc=my,dc=new,dc=ldap,dc=domain
ou: Users
description: Parent LDAP Users
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
# Subtree for Groups
dn: ou=Groups,dc=my,dc=new,dc=ldap,dc=domain
ou: Groups
description: Parent LDAP Groups
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
...
6. Test the new ldif:
# slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -u -l new_ldap.ldif
The -u flag runs slapadd in dry-run (test) mode: the LDIF is parsed and checked, but nothing is written to the database.
If everything is OK, the output will look something like:
added: "dc=my,dc=new,dc=ldap,dc=domain"
added: "cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
added: "ou=Users,dc=my,dc=new,dc=ldap,dc=domain"
added: "ou=Groups,dc=my,dc=new,dc=ldap,dc=domain"
_#################### 100.00% eta none elapsed none fast!
7. Add the new LDAP data to the server:
# slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -l new_ldap.ldif
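Step 5's "modify old_ldap.ldif with the new DN" is the error-prone part: a plain search-and-replace on dn: lines misses folded and base64-encoded (dn::) DNs, the creatorsName/modifiersName values slapcat exports (which still name the old admin), and the suffix entry's dc: naming attribute, which slapadd checks against the RDN. The Python script below is an added example, not code from the original post, and it goes beyond the page's case by also rewriting other DN-valued attributes (member, uniqueMember, owner, seeAlso, manager). It assumes dc=ssis,dc=edu,dc=vn as the old suffix (change OLD_BASE to yours) and runs on a constructed sample export.

```python
import base64
import re
OLD_BASE = "dc=ssis,dc=edu,dc=vn"            # assumption: the old suffix; replace with your own
NEW_BASE = "dc=my,dc=new,dc=ldap,dc=domain"  # the new suffix used on the page

# DN-valued attribute types, lowercase because LDAP attribute names are case-insensitive; note that
# slapcat exports creatorsName/modifiersName, which still point at the OLD admin DN.
DN_ATTRS = {"dn", "creatorsname", "modifiersname", "member", "uniquemember", "owner", "seealso", "manager"}

def rewrite_dn(value, old_base, new_base):
    """Replace a trailing old base DN with the new one; unrelated DNs come back unchanged."""
    v, ob = value.lower(), old_base.lower()
    if v == ob or v.endswith("," + ob):
        return value[: len(value) - len(old_base)] + new_base
    return value

def encode_value(attr, val):
    """LDIF requires base64 ('attr::') for non-ASCII values or a leading ' ', ':' or '<'."""
    if val.isascii() and val.isprintable() and not val.startswith((" ", ":", "<")) and not val.endswith(" "):
        return f"{attr}: {val}"
    return f"{attr}:: {base64.b64encode(val.encode('utf-8')).decode('ascii')}"

def migrate_ldif(text, old_base=OLD_BASE, new_base=NEW_BASE):
    """Rewrite every DN in a slapcat export, and the suffix entry's naming attribute, to new_base."""
    new_rdn_value = new_base.split(",")[0].split("=", 1)[1]   # "my" for dc=my,...
    out, at_root = [], False
    # Unfold continuation lines (leading space) first so a DN split across lines is seen whole.
    for line in text.replace("\n ", "").split("\n"):
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        key = m.group(1).lower() if m else None
        if key not in DN_ATTRS and key != "dc":
            out.append(line)          # comments, blank separators, passwords etc. stay byte-identical
            continue
        attr, sep, val = m.groups()
        if sep == "::":               # slapcat base64-encodes values containing non-ASCII characters
            val = base64.b64decode(val).decode("utf-8")
        if key == "dn":
            val = rewrite_dn(val, old_base, new_base)
            at_root = val.lower() == new_base.lower()
        elif key == "dc":
            val = new_rdn_value if at_root else val   # naming attribute must match the new RDN
        else:
            val = rewrite_dn(val, old_base, new_base)
        out.append(encode_value(attr, val))
    return "\n".join(out)

# Constructed sample export (not real data): the suffix entry and one user, with a folded DN line.
SAMPLE = ("dn: dc=ssis,dc=edu,dc=vn\ndc: ssis\ncreatorsName: cn=admin,dc=ssis,dc=edu,dc=vn\n\n"
          "dn: uid=bob,ou=Users,dc=ssis,dc=edu,\n dc=vn\nuserPassword:: e1NTSEF9YWJj\nmodifiersName: cn=admin,dc=ssis,dc=edu,dc=vn\n")
MIGRATED = migrate_ldif(SAMPLE)   # save this as new_ldap.ldif and run the slapadd -u test from step 6
```

Feed the result to step 6's slapadd -u dry run before the real import; any DN-valued attribute from a local schema that the script does not know about belongs in DN_ATTRS.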