OpenLDAP Migration Tutorial [Step-by-Step]



OpenLDAP Migration - Overview

We can migrate the LDAP configuration from one machine to another using the backup and restore method. As long as the LDAP server version is the same on both machines, this will not cause any issues. The LDAP migration scripts are available in the default repositories of RHEL/CentOS 7 and older, but they are not shipped for RHEL/CentOS 8 or Rocky Linux 8. If they are needed there, we can still use the migrationtools package from the RHEL/CentOS 7 repositories.

 

This article is created for OpenLDAP users on Rocky Linux 8. Please refer to the following articles for installing and configuring OpenLDAP on Rocky Linux.

Configure OpenLDAP on Rocky Linux 8 [Step-by-Step]

Configure OpenLDAP Master Slave replication Rocky Linux 8

Configure multi-master replication OpenLDAP [Step-by-Step]

Migrate LDAP from one machine to another

We can migrate the OpenLDAP configuration from one machine to another by creating backups on the old server and restoring them on the new one. In this section, we will discuss migration using backups. The steps below are split between the old server and the new server.

On the old server:

1. Stop the service

[root@ldapmaster ~]# systemctl stop slapd

 

2. Export all schema and cn=config

[root@ldapmaster ~]# slapcat -n 0 -l slapdbackup.conf

 

3. Export all user data that you keep in the LDAP server.

In my case, the database index was 2 (-n 2). The index is the number in braces on the olcDatabase line of the cn=config export (for example olcDatabase: {2}mdb), so check it there rather than assuming it is 2.

[root@ldapmaster ~]# slapcat -n 2 -l configbackup.ldif

 

4. Copy the files slapdbackup.conf and configbackup.ldif to the new server.

 

On the new server:

Install the OpenLDAP packages. Please refer to Configure OpenLDAP on Rocky Linux 8 for the installation; only Step 1 (the package installation) is needed. After the installation, follow the steps below to restore the backup files copied from the old server.

 

1. Stop the service

[root@ldapmasternew ~]# systemctl stop slapd

 

2. Remove all the files under the directory /etc/openldap/slapd.d/

[root@ldapmasternew ~]# rm -rfv /etc/openldap/slapd.d/*

 

3. Restore the backup files.

Using the slapadd command, we can restore the backup files slapdbackup.conf and configbackup.ldif as shown below:

[root@ldapmasternew ~]# slapadd -n 0 -F /etc/openldap/slapd.d -l slapdbackup.conf
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
[root@ldapmasternew ~]# 


[root@ldapmasternew ~]# slapadd -n 2 -F /etc/openldap/slapd.d -l configbackup.ldif 
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
[root@ldapmasternew ~]#

4. Fix file permissions and start the service

slapadd was run as root, so the configuration it wrote is owned by root and must be handed back to the ldap user before slapd can read it:

[root@ldapmasternew ~]# chown ldap. /etc/openldap/slapd.d/* -R

The database files that slapadd -n 2 wrote to the directory named by olcDbDirectory (/var/lib/ldap by default on Rocky Linux) are created as root in the same way and need the same ownership fix, otherwise slapd cannot open the database when it starts.

[root@ldapmasternew ~]# systemctl start slapd

Now you can verify that the LDAP users exist on the new server using ldapsearch:

[root@ldapmasternew ~]# ldapsearch -x cn=testuser -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testuser
# requesting: ALL
#

# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
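The database index passed to -n in steps 2 and 3 is not always 2. This added example, which is not part of the article, reads a cn=config export (the slapdbackup.conf file from step 2) and lists every backend with its index, data directory and suffix, so both the -n value and the directory that needs the ownership fix are read from the config rather than guessed. The config LDIF embedded below is a constructed, reduced sample.

```shell
#!/bin/bash
# Added example: parse a `slapcat -n 0` export and list the databases it
# defines. SAMPLE_CONFIG is a constructed, reduced cn=config export.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor

dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
EOF

# list_databases <config.ldif>: prints "<index> <backend> <directory> <suffix>"
# per database; "-" marks attributes a backend does not carry. The index is the
# number inside {} on the olcDatabase line, i.e. the value for slapcat/slapadd -n.
list_databases() {
    awk '
        $1 == "olcDatabase:" && substr($2, 1, 1) == "{" {
            split($2, p, /[{}]/); idx = p[2]; kind = p[3]; dir = "-"; suffix = "-"
        }
        $1 == "olcDbDirectory:" { dir = substr($0, length($1) + 2) }
        $1 == "olcSuffix:"      { suffix = substr($0, length($1) + 2) }
        /^$/ { if (idx != "") print idx, kind, dir, suffix; idx = "" }
        END  { if (idx != "") print idx, kind, dir, suffix }
    ' "$1"
}

# db_index_for_suffix <config.ldif> <suffix>: the -n value serving that suffix.
# Exits non-zero when no database serves it (values are assumed space-free).
db_index_for_suffix() {
    list_databases "$1" | awk -v s="$2" '$4 == s { print $1; f = 1 } END { exit !f }'
}

list_databases "$SAMPLE_CONFIG"
```

Run against the real export, db_index_for_suffix slapdbackup.conf dc=example,dc=com gives the number to use with slapcat -n and slapadd -n for the user data.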

 

LDAP Migration Tools - Installation

The LDAP Migration Tools are a collection of Perl scripts. MigrationTools are used for migrating users, groups, aliases, hosts, netgroups, networks, protocols, RPCs, and services from existing name services. They are mainly used to convert the corresponding configuration files to the LDIF format.

 

1. Perl  Installation

The migrationtools package is a set of Perl scripts, so we need to install the perl package first using the following command:

[root@localhost1 ~]# dnf install perl

 

2. Install migrationtools by downloading the rpm

Once the perl package and its default modules are installed, let us install the migrationtools. As mentioned in the previous section, they can be installed with yum/dnf on RHEL 7 or older versions, but the package is not available for RHEL 8/Rocky Linux 8. If we really need the migrationtools there, we can install them from the CentOS 7 repository.

We can download the migrationtools from the below URLs:

http://mirror.centos.org/altarch/7/os/aarch64/Packages/migrationtools-47-15.el7.noarch.rpm
https://rpmfind.net/linux/centos/7.9.2009/os/x86_64/Packages/migrationtools-47-15.el7.noarch.rpm

Sample Output:

[root@localhost1 ~]# wget https://rpmfind.net/linux/centos/7.9.2009/os/x86_64/Packages/migrationtools-47-15.el7.noarch.rpm

Once the package is downloaded, install it using rpm as shown below:

[root@localhost1 ~]# rpm -ivh migrationtools-47-15.el7.noarch.rpm
warning: migrationtools-47-15.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:migrationtools-47-15.el7         ################################# [100%]
[root@localhost1 ~]#

The installed scripts are placed under the directory /usr/share/migrationtools/:

[root@localhost1 ~]# ls /usr/share/migrationtools/
migrate_aliases.pl              migrate_all_nisplus_offline.sh  migrate_base.pl    migrate_netgroup_byhost.pl  migrate_profile.pl
migrate_all_netinfo_offline.sh  migrate_all_nisplus_online.sh   migrate_common.ph  migrate_netgroup_byuser.pl  migrate_protocols.pl
migrate_all_netinfo_online.sh   migrate_all_offline.sh          migrate_fstab.pl   migrate_netgroup.pl         migrate_rpc.pl
migrate_all_nis_offline.sh      migrate_all_online.sh           migrate_group.pl   migrate_networks.pl         migrate_services.pl
migrate_all_nis_online.sh       migrate_automount.pl            migrate_hosts.pl   migrate_passwd.pl           migrate_slapd_conf.pl
[root@localhost1 ~]# 

In the next section, we will learn to migrate local users to LDAP using the scripts migrate_passwd.pl and migrate_group.pl. You can read the text file /usr/share/doc/migrationtools-47/migration-tools.txt on the server for more information about the uses of all the other scripts.

 

Different scripts exist to translate each system file into LDIF records. The information from each file is stored in a separate organizational unit directly beneath the base suffix (defined in migrate_common.ph) in the directory. The ou names listed below are the ones used by convention; the nss_ldap library can be configured to pull information from other locations. Currently, the migration scripts support translating:

  • /etc/fstab (stored in ou=Mounts)
  • /etc/hosts (stored in ou=Hosts)
  • /etc/passwd and /etc/shadow (stored in ou=People)
  • /etc/group (stored in ou=Group)
  • /etc/protocols (stored in ou=Protocols)
  • /etc/rpc (stored in ou=Rpc)
  • /etc/services (stored in ou=Services)
  • /etc/networks (stored in ou=Networks)
  • netgroups (stored in ou=Netgroups)

 

Migrate local users to OpenLDAP server

In this section, let us learn how to migrate local users to the OpenLDAP server using migrationtools.

 

1. Create users and set the password

Create users with the useradd command and set their passwords with the chpasswd command. You can also migrate existing users; if so, skip to the next step.

[root@localhost1 ~]# useradd testldapuser1
[root@localhost1 ~]# useradd testldapuser2

[root@localhost1 ~]# echo testldapuser1:test_password | chpasswd
[root@localhost1 ~]# echo testldapuser2:test_password | chpasswd

 

 

2. Export users and groups

In this step, let us copy only the users that need to be moved to the LDAP server. In this example we use the testldapuserX accounts created above. We need to copy the entries from both the passwd and the group file.

[root@localhost1 ~]# grep "testldapuser" /etc/group > /root/groups
[root@localhost1 ~]# grep "testldapuser" /etc/passwd > /root/users

 

3. Convert users and groups

Now we need to create an LDIF file from the user entries. When run as root, the migrationtools script reads the matching shadow file entries itself, so the password hashes are pulled in automatically. The following example creates both users.ldif and groups.ldif from the copied files.

[root@localhost1 ~]# /usr/share/migrationtools/migrate_passwd.pl /root/users /root/users.ldif
[root@localhost1 ~]# /usr/share/migrationtools/migrate_group.pl /root/groups /root/groups.ldif

 

4. Import the users and groups to OpenLDAP server

We have already created the LDIF files for users and groups. We can edit the LDIF files manually if any changes are needed, such as the UID or GID. In the example below, we import the user entries created above using the ldapadd command, which creates the users testldapuser1 and testldapuser2 in LDAP.

[root@localhost1 ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/users.ldif
Enter LDAP Password: 
adding new entry "uid=testldapuser1,ou=People,dc=example,dc=com"
adding new entry "uid=testldapuser2,ou=People,dc=example,dc=com"



[root@localhost1 ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f /root/groups.ldif
Enter LDAP Password: 
adding new entry "cn=testldapuser1,ou=Group,dc=example,dc=com"
adding new entry "cn=testldapuser2,ou=Group,dc=example,dc=com"

 

5. Search users in LDAP server

We can verify the above changes with the ldapsearch command, which searches for the user under the example.com suffix:

[root@localhost1 ~]# ldapsearch -x cn=testldapuser1 -b dc=example,dc=com | head
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=testldapuser1
# requesting: ALL
#

# testldapuser1, People, example.com
dn: uid=testldapuser1,ou=People,dc=example,dc=com
[root@localhost1 ~]#
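Worked example of what the conversion in steps 2 to 4 produces, written in shell for this article rather than taken from it or from the migrationtools package: it reads the copied passwd lines, looks up each user's hash and ageing fields in the shadow lines, and emits the posixAccount/shadowAccount entries that ldapadd then loads under ou=People. The suffix dc=example,dc=com is an assumption (migrate_passwd.pl reads it from migrate_common.ph), and the passwd/shadow lines are constructed samples, not real accounts.

```shell
#!/bin/bash
# Added example (not from the article or the migrationtools package): build the
# posixAccount/shadowAccount LDIF for selected /etc/passwd users, pulling the
# password hash and ageing fields from /etc/shadow. BASE_DN is an assumption
# (migrate_passwd.pl reads it from migrate_common.ph); the sample lines are
# constructed, not real accounts.
BASE_DN="dc=example,dc=com"
SAMPLE_PASSWD='testldapuser1:x:1001:1001::/home/testldapuser1:/bin/bash
testldapuser2:x:1002:1002:Second test user:/home/testldapuser2:/bin/bash'
SAMPLE_SHADOW='testldapuser1:$6$saltsalt$hashhash1:19000:0:99999:7:::
testldapuser2:$6$saltsalt$hashhash2:19000:0:99999:7:::'

# passwd_to_ldif <passwd-lines> <shadow-lines>: one LDIF entry per passwd line.
# Hashes are stored as {crypt}<hash>, so slapd verifies them with crypt(3) and
# users keep their existing passwords. The output carries password hashes, so
# write it with a restrictive umask (the article keeps the files under /root).
passwd_to_ldif() {
    pw=$(mktemp); sh=$(mktemp)
    printf '%s\n' "$1" > "$pw"; printf '%s\n' "$2" > "$sh"
    awk -F: -v base="$BASE_DN" '
        FILENAME == ARGV[1] { hash[$1] = $2; last[$1] = $3; min[$1] = $4; max[$1] = $5; warn[$1] = $6; next }
        NF < 7 { next }                     # skip malformed passwd lines
        {
            u = $1
            print "dn: uid=" u ",ou=People," base
            print "uid: " u
            print "cn: " ($5 == "" ? u : $5)   # cn falls back to the login name
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "objectClass: top"
            print "objectClass: shadowAccount"
            if (u in hash) {                    # only users present in shadow
                print "userPassword: {crypt}" hash[u]
                print "shadowLastChange: " last[u]
                print "shadowMin: " min[u]
                print "shadowMax: " max[u]
                print "shadowWarning: " warn[u]
            }
            print "loginShell: " $7
            print "uidNumber: " $3
            print "gidNumber: " $4
            print "homeDirectory: " $6
            print ""
        }' "$sh" "$pw"
    rm -f "$pw" "$sh"
}

passwd_to_ldif "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Feeding the result to ldapadd -x -W -D "cn=Manager,dc=example,dc=com" produces the same "adding new entry uid=...,ou=People,..." lines shown in step 4, and the uidNumber/gidNumber values can be adjusted in the LDIF before that import.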

 

Summary

In this article, we have learned to migrate the LDAP configuration from one machine to another using the backup and restore method. We have also installed the migration tools by downloading the rpm and migrated local users to the LDAP server.

 


 

Deepak Prasad
