LDAP Service
The content is likely to be incomplete or incorrect.
- Runs on piper - piper.tardis.ed.ac.uk
- There is also an alias, ldap.tardis.ed.ac.uk.
Installation
(Usual caveats; stuff might have changed, pay attention, etc)
Install slapd, and optionally ldap-utils and ldapvi (should you want to be able to try it out from the server). The slapd package attempts to be helpful, asking a bunch of configuration questions and starting the service. Curiously, I didn't see a "don't configure slapd for me" option the first time around and needed to reconfigure the package. Say "yes" to "Omit OpenLDAP server configuration?".
piper:~# /etc/init.d/slapd stop
piper:~# dpkg-reconfigure slapd
Keep a copy of the default configuration in case someone wants to see how Debian configures stuff, and copy across the main configuration file, the SSL files and the schema files that don't ship with OpenLDAP. (You might want to check this stuff, as some of it can probably be chucked. Actually, I just turfed krb5-kdc.schema because we don't use it and it suffered parsing errors. An old piece of syntax in the configuration file needed fixing too.)
piper:~# cd /etc/ldap
piper:/etc/ldap# cp slapd.conf slapd.conf.dpkg
piper:/etc/ldap# mkdir -p /etc/ssl/certs
root@baker:~# cd /etc/ldap
root@baker:/etc/ldap# scp slapd.conf root@piper:/etc/ldap
root@baker:/etc/ldap# scp /etc/ssl/certs/ldapcert.pem /etc/ssl/certs/ldapkey.pem root@piper:/etc/ssl/certs
root@baker:/etc/ldap# scp /etc/ssl/cacert.pem root@piper:/etc/ssl/
root@baker:/etc/ldap/schema# scp amd.schema courier.schema krb5-kdc.schema tardis.schema root@piper:/etc/ldap/schema
Also, edit /etc/default/slapd to enable all three ways of connecting (plain LDAP, LDAP over SSL and the local Unix socket) by putting in the line
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
At this point it should start and stop without moaning about syntax errors. If not, see if you can fix them.
piper:/etc/ldap# /etc/init.d/slapd start
Starting OpenLDAP: running BDB recovery, slapd.
piper:/etc/ldap# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
Now grab a recent backup, comment out the "search" and "result" lines at the end (the backups are produced by ldapsearch, which appends those lines, but we're going to import them with slapadd, which doesn't accept them), clear out the old database and import the backup:
piper:/etc/ldap# cp <wherever>/backup-20060225.ldif /tmp/backup-20060225.ldif
piper:/etc/ldap# vi /tmp/backup-20060225.ldif
<comment out search and result lines near end>
piper:/etc/ldap# cd /var/lib/ldap
piper:/var/lib/ldap# mkdir old
piper:/var/lib/ldap# mv * old
mv: cannot move `old' to a subdirectory of itself, `old/old'
piper:/var/lib/ldap# slapadd -l /tmp/backup-20060225.ldif
piper:/var/lib/ldap# /etc/init.d/slapd start
Now you can test it.
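The "comment out the search and result lines" step above, scripted as an added example (this is not the Tardis backup script or anything from the page): it comments out the trailer that ldapsearch appends, checks that nothing uncommented is left, and counts the entries before the file goes to slapadd. The sample LDIF and its DN are constructed; it assumes POSIX sh with sed -E and grep.

```shell
#!/bin/sh
# Added example: make an ldapsearch-generated LDIF acceptable to slapadd.
# Not the Tardis backup script. Assumes POSIX sh, sed -E and grep.

# Write a copy of the LDIF to stdout with ldapsearch's trailer lines commented
# out. The pattern is anchored to the start of the line, so attribute values
# that merely contain the words "search" or "result" are left untouched.
prepare_ldif() {
    sed -E 's/^(search|result): /# &/' "$1"
}

# Return 0 only if no uncommented trailer lines remain (run before slapadd).
check_ldif() {
    ! grep -Eq '^(search|result): ' "$1"
}

# Count entries: one "dn:" line per entry.
count_entries() {
    grep -c '^dn:' "$1"
}

# Constructed sample of what ldapsearch writes; the DN is hypothetical.
SAMPLE=$(mktemp)
PREPARED=$(mktemp)
trap 'rm -f "$SAMPLE" "$PREPARED"' EXIT
cat > "$SAMPLE" <<'EOF'
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
EOF
prepare_ldif "$SAMPLE" > "$PREPARED"
if check_ldif "$PREPARED"; then
    echo "ok: $(count_entries "$PREPARED") entries, ready for: slapadd -l $PREPARED"
fi
```

The "# numResponses" and "# numEntries" lines are already LDIF comments, so only the two bare "search:" and "result:" lines need touching.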
The backup script
The backup script had to be moved to the new server:
piper:~# mkdir -p ldap/backups
piper:~# chmod og-rwx ldap
baker:~# scp bin/backupldap bin/ldappasswd root@piper:/root/ldap
Password:
backupldap          100%  254     0.3KB/s   00:00
ldappasswd          100%    7     0.0KB/s   00:00
A cron job needs to be added for it on the new server, and the old cron job on the old server needs to be removed, because it stores the backups in the same place!
Synchronising
For the baker-to-piper move, I used the replog option on the old server to watch for changes, then grabbed a fresh backup copy and imported it as above. There were no changes on the old server (changes to our LDAP database are infrequent), so no further synchronisation was required.
For future synchronisation, the built-in LDAP Sync (syncrepl) support in current versions of OpenLDAP will probably be easier.
Useful stuff
To watch for attempts to use the old server you can use the debugging support in OpenLDAP. Adding -d 260 (stats plus args, i.e. debug levels 256 + 4) to the normal slapd command line worked well for me.
Files that may need updating to point to the new server:
- /etc/ldap/ldap.conf
- /etc/pam_ldap.conf
- /etc/libnss-ldap.conf
- /root/scripts/generatemaps
- /etc/tardis/ldap.conf
- /etc/apache/vhosts/www.tardis.ed.ac.uk
- /etc/postfix/main.cf