Change BaseDN in OpenLDAP

OK, I solved it myself. Here is how I migrated the current LDAP database to a new domain:

  • Export the old LDAP database to ldif file.
  • Delete the old database
  • Create a new LDAP database with new domain name
  • Modify the exported ldif file above to fit the new domain (the root dn)
  • Import the modified ldif file into the new database

Assuming I have a new domain name, dc=my,dc=new,dc=ldap,dc=domain, and I want to move all of the existing LDAP data to the new one.

I did the following steps:

  1. Backup the old LDAP database

    # slapcat -v -l old_ldap.ldif
    
  2. Stop the OpenLDAP server

    # service slapd stop
    
  3. Delete old LDAP database

    # cd /var/lib/ldap
    # rm -rf *
    
  4. Make sure LDAP is not running

    # nano /var/lib/ldap/DB_CONFIG
    

    NOTE: add the following lines and save

    #DB_CONFIG
    set_cachesize           0 150000000 1
    set_lg_regionmax        262144
    set_lg_bsize            2097152
    set_flags               DB_LOG_AUTOREMOVE
    
  5. Change the current LDAP settings in the following files

    • /etc/ldapscripts/ldapscripts.conf

      ...
      SERVER="ldap://localhost"
      BINDDN="cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
      BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
      ...
      
    • /etc/ldap/slapd.d/cn=config/olcDatabase\={1}hdb.ldif

      ...
      olcSuffix: dc=my,dc=new,dc=ldap,dc=domain
      olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * none
      olcAccess: {2}to * by self write by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * read
      olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
      olcRootPW: <new administrator password>
      ...
      
  6. Prepare the new LDAP directory structure and data in new_ldap.ldif (or modify old_ldap.ldif with the new dn)

    # Root
    dn:                    dc=my,dc=new,dc=ldap,dc=domain
    description:           New LDAP BaseDN
    dc:                    my
    o:                     parent.my.new.ldap.domain
    objectClass:           top
    objectClass:           dcObject
    objectClass:           organization
    structuralObjectClass: organization
    
    # administrator
    dn:                    cn=admin,dc=my,dc=new,dc=ldap,dc=domain
    objectClass:           simpleSecurityObject
    objectClass:           organizationalRole
    cn:                    admin
    description:           LDAP administrator
    userPassword:          <new administrator password>
    structuralObjectClass: organizationalRole
    
    # Subtree for Users
    dn:                    ou=Users,dc=my,dc=new,dc=ldap,dc=domain
    ou:                    Users
    description:           Parent Ldap Users
    objectClass:           organizationalUnit
    objectClass:           top
    structuralObjectClass: organizationalUnit
    
    # Subtree for Groups
    dn:                    ou=Groups,dc=my,dc=new,dc=ldap,dc=domain
    ou:                    Groups
    description:           Parent LDAP Groups
    objectClass:           organizationalUnit
    objectClass:           top
    structuralObjectClass: organizationalUnit
    ...
    
  7. Test the new ldif

    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -u -l new_ldap.ldif 
    

    NOTE: the -u means run the command in test mode

If everything's OK, the output will look something like:

    added: "dc=my,dc=new,dc=ldap,dc=domain"
    added: "cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Users,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Groups,dc=my,dc=new,dc=ldap,dc=domain"
    _#################### 100.00% eta   none elapsed            none fast! 

  8. Add the new LDAP data to the server

    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -l new_ldap.ldif
    

You can check for updates in my blog post about this issue: http://iambusychangingtheworld.blogspot.com/2013/10/ldap-create-new-ldap-directory.html
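The "modify the exported ldif file to fit the new domain" step above, as an added Python example that is not from the original answer: it rewrites every DN-valued attribute from the old base DN to the new one, handling the base64-encoded (`::`) and folded values that slapcat produces, and sets the root entry's naming attribute to match the new first RDN. OLD_BASE, the DN_ATTRS list and the sample export are assumptions constructed for this example.

```python
import base64
import re

OLD_BASE, NEW_BASE = "dc=old,dc=example", "dc=my,dc=new,dc=ldap,dc=domain"
# Attribute types with DN syntax (assumed list; add any schema-specific ones you use).
DN_ATTRS = {"dn", "member", "uniquemember", "memberof", "owner", "manager", "seealso"}
LINE = re.compile(r"^([A-Za-z][\w.;-]*)(:<|::?) ?(.*)$")  # attribute, separator, value

def unfold(ldif_text):  # LDIF folds long values: a leading space continues the line above
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def rewrite_ldif(ldif_text, old_base, new_base):
    """Move DN-valued attributes from old_base to new_base, re-encoding base64 ('::') values;
    the root entry's naming attribute gets the new first RDN value (same attribute type assumed)."""
    rdn_attr, rdn_val = new_base.split(",", 1)[0].split("=", 1)
    out, at_root = [], False
    for line in unfold(ldif_text):
        m = LINE.match(line)
        if not m:                            # comment line or blank entry separator
            out.append(line)
            continue
        name, sep, raw = m[1].lower(), m[2], m[3]
        if sep == ":<" or (name not in DN_ATTRS and not (at_root and name == rdn_attr.lower())):
            out.append(line)                 # passwords, binary blobs etc. stay byte-identical
            continue
        value = base64.b64decode(raw).decode() if sep == "::" else raw   # DNs are UTF-8 text
        at_root = value.lower() == old_base.lower() if name == "dn" else at_root
        if name not in DN_ATTRS:             # the root entry's naming attribute, e.g. 'dc: old'
            value = rdn_val
        elif value.lower().endswith(old_base.lower()):   # DNs compare case-insensitively
            value = value[:-len(old_base)] + new_base
        raw = base64.b64encode(value.encode()).decode() if sep == "::" else value
        out.append(f"{m[1]}{sep} {raw}")
    return "\n".join(out) + "\n"

def entry_dns(ldif_text):  # decoded DN of every entry, for checking a rewritten export
    return [base64.b64decode(m[3]).decode() if m[2] == "::" else m[3]
            for m in map(LINE.match, unfold(ldif_text)) if m and m[1].lower() == "dn"]

# Constructed sample export: root entry, a base64-encoded non-ASCII DN, a group with a folded member DN.
SAMPLE = "\n".join(["dn: dc=old,dc=example", "objectClass: dcObject", "dc: old", "",
    "dn:: " + base64.b64encode("cn=Müller,ou=Users,dc=old,dc=example".encode()).decode(),
    "objectClass: inetOrgPerson", "sn: Müller", "", "dn: cn=admins,ou=Groups,dc=old,dc=example",
    "objectClass: groupOfNames", "member: cn=alice,ou=Users,dc=old,dc=example", "member: cn=bob,ou=Users,", " dc=old,dc=example", ""])
```

Feed the result of `rewrite_ldif(open("old_ldap.ldif").read(), OLD_BASE, NEW_BASE)` to the `slapadd -u` dry run from step 7 before importing it for real.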


Very useful guide! For future reference, I found that after the modification in point 5b, the test (as described in point 7) will report a failing crc32 value (the checksum is located on line 2 of that same file).

Edit 06/2/2018: as per the suggestion of PF4Public, you might be able to remove those lines as a whole.

In any other case, you will have to generate a new crc32 (I am using Debian Jessie; your path might be different).

Fast route:

    tail -n +3 /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}mdb.ldif

and paste the result into an online crc32 calculator. The calculated crc32 value replaces the old value located on line 2 of the mdb.ldif.

The slow/thorough route is described here: https://gist.github.com/Shaltz/1d65a07a0901a36fb7f1

After adding the new_ldap.ldif, make sure the openldap user has rights on the generated database:

    chown -R openldap:openldap /var/lib/ldap