How to clone an OpenLDAP database

Time: 2022-10-30 14:35:18

I know this is more like a serverfault question than a * question, but since serverfault isn't up yet, here I go:

I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.

What files would I need to copy over? I believe the setup is pretty standard.

6 answers

#1


38  

The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1). From the man page:

The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.

Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.

I'd suggest using a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the ldap server or moving files around.

For example, dump the database from a master server under dc=master,dc=com and load it into a backup server:

$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif

The -W flag above prompts for the ldap admin_master password; however, since we are redirecting output to a file you won't see the prompt, just an empty line. Go ahead and type your ldap admin_master password and it will work. The first line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.

Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.

#2


15  

ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.

Export your DB with slapcat:

slapcat > ldif

Import the DB with slapadd (make sure the LDAP server is stopped):

slapadd -l ldif

#3


8  

Some appointments:

  • Save your personalized schema and objectClass definitions on your new server. You can look for your included files in slapd.conf to obtain them, for example (this is a part of my slapd.conf):

    include /etc/ldap/schema/core.schema

  • Include your personalized schemas and objectclasses in your new openLDAP installation.

  • Use slapcat command to export your full LDAP tree to a single/various ldif files.

  • Use ldapadd to import the ldif files on to your new LDAP installation.

#4


6  

I prefer to copy the database through the protocol:

First of all, be sure you have the same schemas on both servers.

- dump the database with ldapsearch:

  ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif

- and import it in the new server:

  ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif

in one line:

  ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a

By using the bin/ldap* commands you are talking directly with the server, while using the bin/slap* commands you are dealing with the backend files.

#5


2  

Thanks, Vish. Worked like a charm! I edited the command:

ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif

ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif

Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).

#6


2  

(Not enough reputation to write a comment...)

Ldapsearch opens a connection to the LDAP server. Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")

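Answer #1 warns that a slapcat(8) dump is in database order rather than superior-first order, and answer #6 points out that slapcat bypasses the LDAP connection entirely, so its output also carries operational attributes (entryUUID, entryCSN, modifiersName, and so on) that a normal ldapadd(1) bind is not allowed to set. The following script is an added example, not code from the thread or from the OpenLDAP project: it parses an LDIF dump, drops those operational attributes, stably sorts entries by DN depth so every parent precedes its children, and offers a post-clone check that diffs two dumps by user attributes. The sample dump embedded in it is constructed for the demo; the attribute names, DNs and the script name ldif_prep.py are assumptions.

```python
"""Prepare a slapcat(8) dump for ldapadd(1) and verify a clone (added example).

Assumes plain LDIF content records as slapcat or ldapsearch -LLL emit them.
The sample dump at the bottom is constructed, not taken from a real directory.
"""
import base64
import re
import sys
from typing import Dict, List, Tuple

# Operational attributes slapcat writes out but a plain ldapadd(1) bind may not
# set; the destination server regenerates them on import.
OPERATIONAL_ATTRS = {
    "structuralobjectclass", "entryuuid", "entrycsn", "entrydn",
    "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp",
    "subschemasubentry", "hassubordinates",
}
Entry = Tuple[str, List[Tuple[str, str]]]  # (dn, [(attribute, value), ...])


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records in file order. Unfolds continuation lines,
    decodes base64 ('::') values, skips comments and the optional version line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn, attrs = None, []
    for line in lines + [""]:                   # sentinel flushes the last record
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
        elif line.startswith("#") or line.startswith("version:"):
            continue
        else:
            name, _, value = line.partition(":")
            if value.startswith(":"):           # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
    return entries


def dn_depth(dn: str) -> int:
    """Number of RDNs; a backslash-escaped comma inside a value is not a separator."""
    return len(re.split(r"(?<!\\),", dn))


def strip_operational(entry: Entry) -> Entry:
    dn, attrs = entry
    return dn, [(a, v) for a, v in attrs if a.lower() not in OPERATIONAL_ATTRS]


def superior_first(entries: List[Entry]) -> List[Entry]:
    """Stable sort by DN depth: parents now precede children, the order ldapadd needs."""
    return sorted(entries, key=lambda e: dn_depth(e[0]))


def _fmt(attr: str, value: str) -> str:
    safe = value.isascii() and "\n" not in value and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entries: List[Entry]) -> str:
    blocks = ["\n".join([_fmt("dn", dn)] + [_fmt(a, v) for a, v in attrs])
              for dn, attrs in entries]
    return "\n\n".join(blocks) + "\n"


def prepare_for_ldapadd(dump: str) -> str:
    """slapcat dump in, ldapadd-loadable LDIF out."""
    return to_ldif(superior_first([strip_operational(e) for e in parse_ldif(dump)]))


def diff_dumps(source: List[Entry], target: List[Entry]) -> Tuple[List[str], List[str]]:
    """Post-clone check: DNs on the source that are missing on the target, and DNs
    whose user attributes differ. Operational attributes are ignored."""
    def index(entries: List[Entry]) -> Dict[str, List[Tuple[str, str]]]:
        return {dn.lower(): sorted((a.lower(), v) for a, v in attrs)
                for dn, attrs in map(strip_operational, entries)}
    src, dst = index(source), index(target)
    missing = sorted(dn for dn in src if dn not in dst)
    changed = sorted(dn for dn in src if dn in dst and src[dn] != dst[dn])
    return missing, changed


# Constructed sample: leaf before its parents (database order), operational
# attributes, a folded line and a base64 value, as a real slapcat dump may have.
SLAPCAT_DUMP = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
structuralObjectClass: inetOrgPerson
entryUUID: 00000000-0000-0000-0000-000000000001
entryCSN: 20221030123456.000000Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o:: RXhhbXBsZSBHbWJI
structuralObjectClass: organization

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
description: folded line continues
  here
structuralObjectClass: organizationalUnit
"""

if __name__ == "__main__":
    # Usage: python3 ldif_prep.py dump.ldif | ldapadd -x -W -D "cn=admin,..." -H ldap://new.host
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SLAPCAT_DUMP
    sys.stdout.write(prepare_for_ldapadd(text))
```

Depth sorting is enough for an add-only load because an entry's superior always has fewer RDNs than the entry itself. For the verification step, dump both servers with ldapsearch -LLL (so the same ACLs and limits apply to both) and feed the two files to diff_dumps; an empty result means every source DN exists on the target with identical user attributes.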