On Wednesday, 7 April 2010 02:45:46 hai wu wrote:
I have some questions:
When I look at manpage for slapcat from openldap-servers-2.3.27-5 in Centos5.0, it says:
LIMITATIONS In general, your slapd(8) should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database.
But when I look at its manpage from openldap-servers-2.3.43-3.el5 in Centos5.4, it says:
LIMITATIONS For some backend types, your slapd(8) should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database. It is always safe to run slapcat with the slapd-bdb(5), slapd-hdb(5), and slapd-null(5) backends.
Question 1: Is it always safe to run slapcat with slapd running even for openldap-servers-2.3.27-5 in Centos5?
Yes. The documentation was lacking in this regard, and the documentation was fixed to be more accurate in later 2.3.x releases such as 2.3.43.
(documentation can also get bug fixes :-)).
The administration guide for OpenLDAP 2.4 at http://www.openldap.org/doc/admin24/maintenance.html explains more on this, I quote:
"2. Periodically run slapcat and back up the LDIF file:
Slapcat can be run while slapd is active. However, one runs the risk of an inconsistent database- not from the point of slapd, but from the point of the applications using LDAP. For example, if a provisioning application performed tasks that consisted of several LDAP operations, and the slapcat took place concurrently with those operations, then there might be inconsistencies in the LDAP database from the point of view of that provisioning application and applications that depended on it. One must, therefore, be convinced something like that won't happen. One way to do that would be to put the database in read-only mode while performing the slapcat. The other disadvantage of this approach is that the generated LDIF files can be rather large and the accumulation of the day's backups could add up to a substantial amount of space.
You can use *slapcat*(8) to generate an LDIF file for each of your *slapd*(8) back-bdb or back-hdb databases.
slapcat -f slapd.conf -b "dc=example,dc=com"
For back-bdb and back-hdb, this command may be ran while slapd(8) is running."
Question 2: Is the above also true for openldap-servers-2.3.27-5 in Centos5?
Yes, see (1).
Question 3: How to put the database in read-only mode while performing the slapcat? Is there anyone who's doing this just to make sure for consistent backup?
It's only really practical if you are using back-config, then you can do an LDAP write to cn=config for the database to put it in read-only, do the backup, and put it back read-write, without restarting slapd.
However, since 2.1.x, I have been doing hot backups by backing up the Berkeley DB files, and the BDB transaction logs, according to the Berkeley DB documentation. This should give finer granularity (and thus better consistency of the contents). All my test restores worked, but I didn't have too much time to test specific point-in-time recovery, and I have never had to do a "production" restore.
In 2.0.x days, we *did* restart slapd in read-only, but that was mainly due to not having sufficiently reliable replication (syncrepl supplants the need to do read-only exports to prime a slave).
To get the best solution, you need to provide your requirements, or test the options and decide for yourself.
Regards, Buchan
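
The read-only export described in the answer to Question 3, as an added example that is not part of the original message or of OpenLDAP's own tooling. The database entry DN, suffix, output path and the use of SASL EXTERNAL over ldapi:/// for cn=config access are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example: slapcat export with the database held read-only via cn=config.
# Assumed values (not from the original message): DB_DN, SUFFIX, OUT, LDAP_URI,
# and that the calling user may modify cn=config through SASL EXTERNAL.
[ -n "${DB_DN:-}" ] || DB_DN='olcDatabase={1}bdb,cn=config'
SUFFIX="${SUFFIX:-dc=example,dc=com}"
OUT="${OUT:-/var/backups/ldap/backup.ldif}"
LDAP_URI="${LDAP_URI:-ldapi:///}"

# Emit the LDIF change that sets olcReadOnly on the database entry.
readonly_ldif() {   # $1 = TRUE | FALSE
    printf 'dn: %s\nchangetype: modify\nreplace: olcReadOnly\nolcReadOnly: %s\n' \
        "$DB_DN" "$1"
}

# Apply the change to the running slapd; no restart is needed with back-config.
set_readonly() {
    readonly_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H "$LDAP_URI" >/dev/null
}

backup_readonly() {
    # If read-only cannot be set, the export would not be consistent: stop.
    set_readonly TRUE || { echo "cannot set read-only, no export taken" >&2; return 1; }
    # If the script is signalled, still put the database back in read-write mode.
    trap 'set_readonly FALSE' INT TERM
    rc=0
    slapcat -b "$SUFFIX" -l "$OUT.tmp" || rc=$?
    trap - INT TERM
    # Return to read-write whether or not slapcat succeeded.
    set_readonly FALSE || { echo "WARNING: database is still read-only" >&2; rc=2; }
    # Publish the export only when every step worked.
    [ "$rc" -eq 0 ] && mv "$OUT.tmp" "$OUT"
    return "$rc"
}

# Run only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    backup_readonly
fi
```

While the database is read-only, clients receive an error on writes, so schedule the export for a quiet period and alert on a non-zero exit status.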