Migration OpenLDAP 2.3 to 2.4

Current LDAP servers are CentOS 5.4 and OpenLDAP 2.3 with slapd.conf. I will replace these as Ubuntu 12.04 and OpenLDAP 2.4 with slapd-config. I write notes so I tested the migration.

System envrironment

Current is like this.

New will be next.

Step of migration is next.

  1. Prepare a new master as slave of current

  1. Change a new master as slave to master

  1. Prepare a new slave

  1. Stop current LDAPs

sammary of setting up

I tried to convert with slaptest. slaptest is needed to convert custom schema to ldif. But this method has next failures.

  • Additional schemas are not included

  • Custom and additiona modules are not loaded

  • Database setting is not converted all

  • Access control is not converted

  • Global settings as LogLevel and TLS Certification etc are not converted

  • Overlay as like ppolicy and syncrepl etc are not converted

In other words, it means almost useless with slaptest, except of converting custom schema to LDIF. So I basically have set up using ldapvi.

Install packages

I had installed next packages.

  • slapd

  • ldap-utils

  • ldapvi

  • nslcd

Debconf asked these parameters when some packages installed. Second level items are set up values this time.


  • Administrator password

  • Confirm password


  • LDAP server URI

  • LDAP server search base

    • dc=example,dc=org

  • Check server’s SSL vertificatte

    • never

Convert additional schema to LDIF

I converted additional schema to LDIF with slaptest after I installed slapd. I made temporary directory and copying files as slapd.conf, schema files as local.schema, sudo.schema, openssh-lpk.schema from current slave server of CentOS5.4.

$ sudo service slapd stop
$ cd /tmp
$ mkdir -p slapd.d/cn\=config/cn\=schema
$ cp -i slapd.conf .
$ cp -i local.schema sudo.schema openssh-lpk.schema slapd.d/cn\=config/cn\=schema/
$ sudo slaptest -f slapd.conf -F /tmp/slapd.d/
$ cd /tmp/slapd.d/cn\=config/cn\=schema
$ sudo mv -i cn\=\{4\}sudo.ldif sudo.ldif
$ sudo mv -i cn\=\{6\}local.ldif local.ldif
$ sudo mv -i cn\=\{7\}openssh-lpk.ldif openssh-lpk.ldif

Don’t forget to delete last 9 lines of each generated LDIF files.

I copied certification and private key files from current slave server. For example, it is as follows.

  • /etc/ca-certificates/myserver.key

  • /etc/ca-certificates/myserver.crt

Using ldapvi

ldapvi is “is an interactive LDAP client for Unix terminals. Using it, you can update LDAP entries with a text editor”. Debian package name is the same.

For example of changing it is as follows.

$ sudo ldapvi -Y EXTERNAL -h ldapi:// -b cn=config olcDatabase={1}hdb olcRootDN
0 olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=nodomain       # <- before
olcRootDN: cn=admin,dc=example,dc=org # <- after
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
      1 entry read
add: 0, rename: 0, modify: 1, delete: 0
Action? [yYqQvVebB*rsf+?] y

Action of ldapvi are follows:

  • y commit changes

  • e open editor again

  • Y commit, ignoring errors

  • v view changes as LDIF change records

  • V view changes as ldapvi change records

  • + rewrite file to include schema comments

  • b show login dialog and rebind

  • B toggle SASL

  • * set SASL mechanism

  • s skip one entry

  • f forget all deletions

  • q save changes as LDIF and quit

  • Q discard changes and quit

see also ldapvi User Manual .

Detail of Setting up as slave using ldapvi will be posted next time.