Change BaseDN in OpenLDAP

Trinh Nguyen · Oct 23, 2013 · Viewed 26.2k times

I was trying to rename my OpenLDAP's baseDN

from:

dc=abc,dc=com

to:

dc=xyz,dc=edu

I did modify some conf files:

  • /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif

  • /etc/ldapscripts/ldapscripts.conf

and the configuration of phpLDAPadmin:

  • config.php

to the new root dn

But after I restarted the slapd and lighttpd services, although I could log in to the admin interface of phpLDAPadmin (admin binddn), I was not able to do anything.

I also tried to run some ldap command lines but it didn't work.

What else do I have to do? Or anything wrong with my method?

Answer

Trinh Nguyen · Oct 24, 2013

OK, I solved it myself. Here is how I migrated the current LDAP database to a new domain:

  • Export the old LDAP database to ldif file.
  • Delete the old database
  • Create a new LDAP database with new domain name
  • Modify the exported ldif file above to fit the new domain (the root dn)
  • Import the modified ldif file into the new database

Assuming I have a new domain name, dc=my,dc=new,dc=ldap,dc=domain, and I want to move all of the existing LDAP data to the new one.

I did the following steps

  1. Backup the old LDAP database

    # slapcat -v -l old_ldap.ldif
    
  2. Stop the OpenLDAP server

    # service slapd stop
    
  3. Delete old LDAP database

    # cd /var/lib/ldap
    # rm -rf *
    
  4. Make sure LDAP is not running

    # nano /var/lib/ldap/DB_CONFIG
    

    NOTE: add the following lines and save

    #DB_CONFIG
    set_cachesize           0 150000000 1
    set_lg_regionmax        262144
    set_lg_bsize            2097152
    set_flags               DB_LOG_AUTOREMOVE
    
  5. Change the current LDAP settings in the following files

    • /etc/ldapscripts/ldapscripts.conf

      ...
      SERVER="ldap://localhost"
      BINDDN="cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
      BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
      ...
      
    • /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif

      ...
      olcSuffix: dc=my,dc=new,dc=ldap,dc=domain
      olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * none
      olcAccess: {2}to * by self write by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * read
      olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
      olcRootPW: <new administrator password>
      ...
      
  6. Prepare the new LDAP directory structure and data, new_ldap.ldif (or modify old_ldap.ldif with the new dn)

    # Root (the dc value must equal the value in the root RDN, dc=my,
    # otherwise slapadd rejects the entry: naming attribute not present)
    dn:                    dc=my,dc=new,dc=ldap,dc=domain
    description:           New LDAP BaseDN
    dc:                    my
    o:                     parent.my.new.ldap.domain
    objectClass:           top
    objectClass:           dcObject
    objectClass:           organization
    structuralObjectClass: organization
    
    # administrator
    dn:                    cn=admin,dc=my,dc=new,dc=ldap,dc=domain
    objectClass:           simpleSecurityObject
    objectClass:           organizationalRole
    cn:                    admin
    description:           LDAP administrator
    userPassword:          <new administrator password>
    structuralObjectClass: organizationalRole
    
    # Subtree for Users
    dn:                    ou=Users,dc=my,dc=new,dc=ldap,dc=domain
    ou:                    Users
    description:           Parent Ldap Users
    objectClass:           organizationalUnit
    objectClass:           top
    structuralObjectClass: organizationalUnit
    
    # Subtree for Groups
    dn:                    ou=Groups,dc=my,dc=new,dc=ldap,dc=domain
    ou:                    Groups
    description:           Parent LDAP Groups
    objectClass:           organizationalUnit
    objectClass:           top
    structuralObjectClass: organizationalUnit
    ...
    
  7. Test the new ldif

    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -u -l new_ldap.ldif
    

    NOTE: the -u means run the command in test mode

If everything's OK, the output will look something like:

    added: "dc=my,dc=new,dc=ldap,dc=domain"
    added: "cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Users,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Groups,dc=my,dc=new,dc=ldap,dc=domain"
    _#################### 100.00% eta   none elapsed            none fast! 
  8. Add the new LDAP data to the server

    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -l new_ldap.ldif
    

You can check for updates in my blog post about this issue: http://iambusychangingtheworld.blogspot.com/2013/10/ldap-create-new-ldap-directory.html
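Step 6 of the answer leaves "modify the old_ldap.ldif with the new dn" as an exercise. The script below is an added example (not the answer's own code) that does that rewrite on a slapcat export: it unfolds LDIF continuation lines, rewrites every DN-valued attribute from the question's old suffix to the answer's new one (including base64 `::` values, which slapcat emits for non-printable data), and changes the root entry's `dc` so it matches the new RDN, which slapadd checks. The `DN_ATTRS` set and the sample export are assumptions constructed for the example.

```python
import base64
import re

# Old suffix from the question, new suffix from the answer. DN_ATTRS is an assumption:
# the DN-valued attributes usually present in a slapcat dump; extend it for your schema.
OLD_SUFFIX = "dc=abc,dc=com"
NEW_SUFFIX = "dc=my,dc=new,dc=ldap,dc=domain"
DN_ATTRS = {"dn", "member", "uniquemember", "owner", "manager", "seealso",
            "roleoccupant", "creatorsname", "modifiersname"}

def rewrite_dn(dn, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Swap a trailing old suffix for the new one; DNs are compared case-insensitively."""
    if dn.lower() == old.lower():
        return new
    if dn.lower().endswith("," + old.lower()):
        return dn[:-len(old)] + new
    return dn  # not under the old suffix (e.g. cn=config entries): leave untouched

def rewrite_ldif(text, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Rewrite DN-valued attributes (plain and base64) and the root entry's naming attribute."""
    root_attr, root_val = new.split(",")[0].split("=", 1)  # e.g. ("dc", "my")
    out, cur_dn = [], ""
    for line in re.sub(r"\n ", "", text).split("\n"):  # unfold LDIF continuation lines
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)  # attr, ':' or '::', value
        if not m or m.group(1).lower() not in DN_ATTRS | {root_attr.lower()}:
            out.append(line)  # comments, blank entry separators, non-DN attributes
            continue
        attr, sep, value = m.groups()
        raw = base64.b64decode(value).decode("utf-8") if sep == "::" else value
        fixed = raw
        if attr.lower() in DN_ATTRS:
            fixed = rewrite_dn(raw, old, new)
            if attr.lower() == "dn":
                cur_dn = fixed  # remember which entry we are in
        elif cur_dn.lower() == new.lower():  # naming attribute of the renamed root entry
            fixed = root_val
        if sep == "::":
            fixed = base64.b64encode(fixed.encode("utf-8")).decode("ascii")
        out.append(f"{attr}{sep} {fixed}")
    return "\n".join(out)

# Constructed sample export (not from the page): one folded value, one base64 value.
SAMPLE = (
    "dn: dc=abc,dc=com\nobjectClass: dcObject\nobjectClass: organization\ndc: abc\n"
    "o: abc.com\ncreatorsName: cn=admin,dc=abc,dc=com\n\n"
    "dn: cn=devs,ou=Groups,dc=abc,dc=com\nobjectClass: groupOfNames\ncn: devs\n"
    "member: uid=alice,ou=Users,\n dc=abc,dc=com\nmember:: "
    + base64.b64encode(b"uid=bob,ou=Users,dc=abc,dc=com").decode() + "\n"
)
```

Write the result to new_ldap.ldif and run it through `slapadd -u` first, as in step 7, before the real import.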