OpenLDAP Migration - Overview
We can migrate the LDAP configuration from one machine to another using the backup and restore method. As long as the LDAP server version is the same on both machines, this does not cause any issues. The LDAP migration scripts (migrationtools) are available in the default repositories of RHEL/CentOS 7 and older, but they are not available on the latest RHEL/CentOS 8 and Rocky Linux 8 operating systems. If they are needed there, we can still use the migrationtools package from the RHEL/CentOS 7 version.
This article is created for OpenLDAP users on Rocky Linux 8. Please refer to the following article for installing and configuring OpenLDAP on Rocky Linux.
Configure OpenLDAP on Rocky Linux 8 [Step-by-Step]
Migrate LDAP from one machine to another
We can migrate OpenLDAP configurations from one machine to another simply by creating backups and restoring them on the other machine. In this section, we discuss migration using backups. The following steps are to be performed first on the old server and then on the new server.
On the old server:
1. Stop the service
[root@ldapmaster ~]# systemctl stop slapd
2. Export all schema and cn=config
[root@ldapmaster ~]# slapcat -n 0 -l slapdbackup.conf
3. Export all user data that you keep in the LDAP server.
In my case, the DB number was 2 (-n 2).
[root@ldapmaster ~]# slapcat -n 2 -l configbackup.ldif
4. Copy the files slapdbackup.conf and configbackup.ldif to the new server.
On the new server:
Install the OpenLDAP packages. Please refer to Configure OpenLDAP on Rocky Linux 8 for the installation; only Step 1 (the installation) of that article is needed. After the installation, follow the steps below to restore the backup files copied from the old server.
1. Stop the service
[root@ldapmasternew ~]# systemctl stop slapd
2. Remove all the files under the directory /etc/openldap/slapd.d/
[root@ldapmasternew ~]# rm -rfv /etc/openldap/slapd.d/*
3. Restore the backup files.
Using the slapadd command, we can restore the backup files slapdbackup.conf and configbackup.ldif as below:
[root@ldapmasternew ~]# slapadd -n 0 -F /etc/openldap/slapd.d -l slapdbackup.conf
_#################### 100.00% eta none elapsed none fast!
Closing DB...
[root@ldapmasternew ~]#
[root@ldapmasternew ~]# slapadd -n 2 -F /etc/openldap/slapd.d -l configbackup.ldif
_#################### 100.00% eta none elapsed none fast!
Closing DB...
[root@ldapmasternew ~]#
4. Fix file permissions and start the service
[root@ldapmasternew ~]# chown ldap. /etc/openldap/slapd.d/* -R
[root@ldapmasternew ~]# systemctl start slapd
Now, you can test the LDAP users on the new server using ldapsearch:
[root@ldapmasternew ~]# ldapsearch -x cn=testuser -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#
# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
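The -n number passed to slapcat and slapadd is the index in the olcDatabase={N} entries of cn=config, and that same export carries olcRootPW, the RootDN password hash. As an added example that is not part of the original article, the Python script below parses a constructed slapcat -n 0 excerpt to list each database index with its suffix and data directory (so the right -n is used on the new server) and to flag entries holding password hashes, which is why the backup files should be copied with restricted permissions.

```python
import base64
import re
# Constructed excerpt of a `slapcat -n 0` (cn=config) export; not copied from a real server.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,
 cn=auth manage by * break

dn: olcDatabase={2}mdb,cn=config
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootPW:: e1NTSEF9ZXhhbXBsZQ==
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: continues the previous attribute value
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:
        if not line:                      # a blank line ends the current entry
            if attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            attrs = {}
            continue
        name, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value)
    return entries

def databases(entries):
    """Map each olcDatabase index (the -n number for slapcat/slapadd) to backend, suffix, directory."""
    dbs = {}
    for dn, attrs in entries:
        m = re.fullmatch(r"olcDatabase=\{(-?\d+)\}(\w+),cn=config", dn)
        if m:
            dbs[int(m.group(1))] = {"backend": m.group(2),
                                    "suffix": attrs.get("olcSuffix", [None])[0],
                                    "directory": attrs.get("olcDbDirectory", [None])[0]}
    return dbs

def credential_entries(entries):  # DNs carrying olcRootPW: the export holds password hashes
    return [dn for dn, attrs in entries if "olcRootPW" in attrs]
```

The data directory reported for the mdb database is also the one slapadd writes into on the new server, so it needs the same ownership fix as /etc/openldap/slapd.d before slapd is started.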
LDAP Migration Tools - Installation
The LDAP Migration Tools (migrationtools) are a collection of Perl scripts used for migrating users, groups, aliases, hosts, netgroups, networks, protocols, RPCs, and services from existing name services. They are mainly used to convert configuration files to the LDIF format.
1. Perl Installation
The package migrationtools is a set of Perl scripts, so we need to install the package perl using the following command:
[root@localhost1 ~]# dnf install perl
2. Install migrationtools by downloading the rpm
Once the perl package and its default modules are installed, let us install migrationtools. As mentioned in the previous section, it can be installed with yum/dnf on RHEL 7 or older versions, but it is not available for RHEL 8 / Rocky Linux 8. If we really need migrationtools, we can install it from the CentOS 7 repository.
We can download the migrationtools from the below URLs:
http://mirror.centos.org/altarch/7/os/aarch64/Packages/migrationtools-47-15.el7.noarch.rpm
https://rpmfind.net/linux/centos/7.9.2009/os/x86_64/Packages/migrationtools-47-15.el7.noarch.rpm
Sample Output:
[root@localhost1 ~]# wget https://rpmfind.net/linux/centos/7.9.2009/os/x86_64/Packages/migrationtools-47-15.el7.noarch.rpm
Once the package is downloaded, install it using rpm as shown below:
[root@localhost1 ~]# rpm -ivh migrationtools-47-15.el7.noarch.rpm
warning: migrationtools-47-15.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:migrationtools-47-15.el7 ################################# [100%]
[root@localhost1 ~]#
The installed scripts will be under the folder /usr/share/migrationtools/:
[root@localhost1 ~]# ls /usr/share/migrationtools/
migrate_aliases.pl              migrate_all_nisplus_offline.sh  migrate_base.pl    migrate_netgroup_byhost.pl  migrate_profile.pl
migrate_all_netinfo_offline.sh  migrate_all_nisplus_online.sh   migrate_common.ph  migrate_netgroup_byuser.pl  migrate_protocols.pl
migrate_all_netinfo_online.sh   migrate_all_offline.sh          migrate_fstab.pl   migrate_netgroup.pl         migrate_rpc.pl
migrate_all_nis_offline.sh      migrate_all_online.sh           migrate_group.pl   migrate_networks.pl         migrate_services.pl
migrate_all_nis_online.sh       migrate_automount.pl            migrate_hosts.pl   migrate_passwd.pl           migrate_slapd_conf.pl
[root@localhost1 ~]#
In the next section, we will learn to migrate local users to LDAP using the scripts migrate_passwd.pl and migrate_group.pl.
You can read the text file /usr/share/doc/migrationtools-47/migration-tools.txt on the server for more information about the uses of all other scripts.
Different scripts exist to translate each system file into LDIF records. The information in each file is stored in a different organizational unit directly beneath the base suffix (defined in migrate_common.ph) in the directory. Each ou listed next is used by convention. The nss_ldap library can be configured to pull information from other locations, as we will see later. Currently, the migration scripts support translating:
/etc/fstab (stored in ou=Mounts)
/etc/hosts (stored in ou=Hosts)
/etc/passwd and /etc/shadow (stored in ou=People)
/etc/group (stored in ou=Group)
/etc/protocols (stored in ou=Protocols)
/etc/rpc (stored in ou=Rpc)
/etc/services (stored in ou=Services)
/etc/networks (stored in ou=Networks)
netgroups (stored in ou=Netgroups)
Migrate local users to OpenLDAP server
In this section, let us learn how to migrate the local users to the OpenLDAP server using migrationtools.
1. Create users and set the password
Create users using the useradd command and set the password with the chpasswd command. You can also migrate existing users; if so, jump to the next step.
[root@localhost1 ~]# useradd testldapuser1
[root@localhost1 ~]# useradd testldapuser2
[root@localhost1 ~]# echo testldapuser1:test_password | chpasswd
[root@localhost1 ~]# echo testldapuser2:test_password | chpasswd
2. Export users and groups
In this step, let us copy only the users that need to be moved to the LDAP server. In the example, we have created testldapuserX, and we are going to use these in the article. We need to copy the entries from both the passwd and group files.
[root@localhost1 ~]# grep "testldapuser" /etc/group > /root/groups
[root@localhost1 ~]# grep "testldapuser" /etc/passwd > /root/users
3. Convert users and groups
Now, we need to create an LDIF file from the user entries. The shadow file entries will be pulled automatically by the migrationtools script. The following example will create both users.ldif and groups.ldif from the copied files.
[root@localhost1 ~]# /usr/share/migrationtools/migrate_passwd.pl /root/users /root/users.ldif
[root@localhost1 ~]# /usr/share/migrationtools/migrate_group.pl /root/groups /root/groups.ldif
4. Import the users and groups to OpenLDAP server
We have already created the LDIF files for users and groups. We can manually edit the LDIF files if any changes such as UID, GID, etc. are needed. In the example below, we import the generated user and group entries using the ldapadd command. This creates the users testldapuser1 and testldapuser2.
[root@localhost1 ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
Enter LDAP Password:
adding new entry "uid=testldapuser1,ou=People,dc=example,dc=com"
adding new entry "uid=testldapuser2,ou=People,dc=example,dc=com"
[root@localhost1 ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
Enter LDAP Password:
adding new entry "cn=testldapuser1,ou=Group,dc=example,dc=com"
adding new entry "cn=testldapuser2,ou=Group,dc=example,dc=com"
5. Search users in LDAP server
We can test the above changes using the ldapsearch command. The command searches for the user in the OpenLDAP server under the domain example.com:
[root@localhost1 ~]# ldapsearch -x cn=testldapuser1 -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testldapuser1
# requesting: ALL
#
# testldapuser1, People, example.com
dn: uid=testldapuser1,ou=People,dc=example,dc=com
[root@localhost1 ~]#
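The migrationtools scripts are Perl, and the LDIF they produce follows the ou=People / ou=Group layout listed earlier. As an added example that is not the project's own code, the Python below reproduces what steps 3 and 4 rely on: it turns constructed passwd, shadow and group lines for the article's testldapuser accounts into posixAccount/shadowAccount and posixGroup entries under dc=example,dc=com, carrying the shadow hash as a {crypt} userPassword. The attribute layout is modelled on migrate_passwd.pl and migrate_group.pl, not copied from them.

```python
# Constructed sample lines in /etc/passwd, /etc/shadow and /etc/group format (not real accounts).
PASSWD = ["testldapuser1:x:1001:1001:Test User One:/home/testldapuser1:/bin/bash",
          "testldapuser2:x:1002:1002::/home/testldapuser2:/bin/bash"]
SHADOW = ["testldapuser1:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::",
          "testldapuser2:!!:19000:0:99999:7:::"]   # '!!' marks a locked account, not a hash
GROUP = ["testldapuser1:x:1001:", "testldapuser2:x:1002:testldapuser1"]
BASE = "dc=example,dc=com"   # the article's base suffix

def to_ldif(attrs):
    """Render an ordered list of (attribute, value) pairs as one LDIF entry."""
    return "\n".join(f"{a}: {v}" for a, v in attrs) + "\n"

def passwd_to_ldif(passwd_lines, shadow_lines, base=BASE):
    """Build posixAccount/shadowAccount entries under ou=People, modelled on migrate_passwd.pl."""
    shadow = {l.split(":")[0]: l.split(":") for l in shadow_lines}
    out = []
    for line in passwd_lines:
        user, _, uid, gid, gecos, home, shell = line.split(":")
        attrs = [("dn", f"uid={user},ou=People,{base}"), ("uid", user),
                 ("cn", gecos.split(",")[0] or user),
                 ("objectClass", "account"), ("objectClass", "posixAccount"),
                 ("objectClass", "top"), ("objectClass", "shadowAccount")]
        if user in shadow:   # password hash and ageing fields come from the shadow line
            _, pw_hash, last, mn, mx, warn = shadow[user][:6]
            attrs.append(("userPassword", "{crypt}" + pw_hash))  # '!!'/'*' never verify
            attrs += [(k, v) for k, v in (("shadowLastChange", last), ("shadowMin", mn),
                                         ("shadowMax", mx), ("shadowWarning", warn)) if v]
        attrs += [("loginShell", shell), ("uidNumber", uid), ("gidNumber", gid),
                  ("homeDirectory", home)]
        out.append(to_ldif(attrs))
    return "\n".join(out)

def group_to_ldif(group_lines, base=BASE):
    """Build posixGroup entries under ou=Group, modelled on migrate_group.pl."""
    out = []
    for line in group_lines:
        name, _, gid, members = line.split(":")
        attrs = [("dn", f"cn={name},ou=Group,{base}"), ("objectClass", "posixGroup"),
                 ("objectClass", "top"), ("cn", name), ("gidNumber", gid)]
        attrs += [("memberUid", m) for m in members.split(",") if m]
        out.append(to_ldif(attrs))
    return "\n".join(out)

if __name__ == "__main__":
    # The users LDIF contains password hashes: keep it root-readable only until ldapadd has loaded it.
    print(passwd_to_ldif(PASSWD, SHADOW))
    print(group_to_ldif(GROUP))
```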
Summary
In this article, we have learned to migrate LDAP configurations from one machine to another using the backup and restore method. We have also installed the migration tools by downloading the rpm and migrated local users to the LDAP server.