Clemson, Chris (IHG) writes:
> on a regular (possibly daily) basis I need to reimport everything, and make sure that old entries are not lingering. (...)
> Just after writing this, I seem to have found my answer with a properly crafted ldapdelete command:
> ldapdelete -x -D "cn=Manager,dc=emea,dc=corp,dc=local" -w password -r "dc=root,dc=com"
Actually that sounds like a bad solution to your problem. Instead of the search failing, your clients will receive wrong information until you've rebuilt your database. That is, they'll be told that some people or users/groups or whatever you use your directory for, do not exist in your organization.
At our site we instead run a diff-ldif script: It takes a full LDIF dump of the current and the desired database, and produces an LDIF file which can be fed to ldapmodify. There are a few scripts like that around. I could attach ours, but it's old, tailored for our site, and uses gobs of memory (for both LDIFs). Try googling for a newer one first :-)
Anyway, an alternative if you use the cn=config database is to slapadd a new database off-line and then point your running slapd's database directory at it without taking down slapd. That gives you an "atomic" update of the database. All your clients notice is a brief wait for all outstanding operations to complete before the change can take place.
It's cumbersome though, unless someone can think of a simpler way:
Preparation:
- Put 'database config' in slapd.conf and a rootpw for it. It has default rootdn cn=config. See man slapd-config.
- If you have a DB_CONFIG file (you should), you may want to copy its contents to dbconfig directives in slapd.conf. That way you won't need to copy the DB_CONFIG file around when you create a new database directory.
- Create a cn=config directory with slapd -f <slapd.conf file> -F <config directory>. From now on start slapd with that -F instead of -f slapd.conf. (Or if you prefer slapd.conf you can make its database 'directory' directive refer to a symlink which you must keep updated to refer to the correct directory, or something like that.)
Replacing database contents:
- Make a new database directory where you'll build your new database. Copy DB_CONFIG if you didn't put it in dbconfig directives as above.
- Make a copy of your configuration, and modify it to use the new database directory. Make sure it won't touch the running slapd's data, and that it won't do any replication or other magic.
- slapadd -F new-config -l new-data.ldif. Or if you are using overlays which you want to take effect while adding data: Start another slapd with arguments -F new-config -h ldapi://<URL-escaped private socket file for that slapd>. ldapadd -H <same ldapi URL> -f new-data.ldif. Then stop that slapd.
- Finally you can ldapmodify attribute olcDbDirectory of entry olcDatabase={1}bdb,cn=config (assuming it's the first database) so it refers to your new database directory. slapd closes the old database and opens the new one. If using slapd.conf, update the directory symlink as mentioned above.
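The "replacing database contents" steps above, written out as shell functions. This is an added example, not code from the message or from OpenLDAP; it assumes the database entry is olcDatabase={1}bdb in a slapd.d tree (so its file is <config dir>/cn=config/olcDatabase={1}bdb.ldif) and that cn=config has a rootpw as described in the preparation steps.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed layout:
#   running config dir: the directory given to slapd -F
#   database entry file: <config dir>/cn=config/olcDatabase={1}bdb.ldif
set -eu

# LDIF that repoints olcDbDirectory of one database entry. Written to
# stdout so it can be reviewed before being piped into ldapmodify.
swap_ldif() {  # $1 = database DN, $2 = new database directory
    printf 'dn: %s\nchangetype: modify\nreplace: olcDbDirectory\nolcDbDirectory: %s\n' "$1" "$2"
}

# Private copy of the config tree for the off-line build: same schema and
# indexes, but pointed at the new directory. Refuses to proceed while the
# entry still carries olcSyncrepl, so the build can never replicate from
# or into the live data (the "no replication or other magic" step).
prepare_build_config() {  # $1 = running config dir, $2 = scratch dir, $3 = new db dir
    rm -rf "$2" && cp -R "$1" "$2"
    f="$2/cn=config/olcDatabase={1}bdb.ldif"
    [ -f "$f" ] || { echo "no {1}bdb entry under $2" >&2; return 1; }
    if grep -q '^olcSyncrepl:' "$f"; then
        echo "remove olcSyncrepl from $f before building" >&2; return 1
    fi
    # Newer slapd releases log a checksum warning for hand-edited slapd.d
    # files but still load them.
    sed "s|^olcDbDirectory: .*|olcDbDirectory: $3|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Full cycle: build off-line, then a single ldapmodify makes the running
# slapd close the old database and open the new one.
replace_database() {  # $1 = running cfg, $2 = scratch cfg, $3 = new db dir, $4 = data LDIF
    prepare_build_config "$1" "$2" "$3"
    mkdir -p "$3"   # copy DB_CONFIG here unless it lives in olcDbConfig
    slapadd -F "$2" -l "$4"
    swap_ldif 'olcDatabase={1}bdb,cn=config' "$3" |
        ldapmodify -x -D cn=config -W   # rootdn/rootpw of the config database
}
```

The new directory must be readable and writable by the user slapd runs as before the final ldapmodify, or slapd will fail to open it.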