I have an openldap server that I want to clone to another linux server. However, I can't access it by login; I can only run ldapsearch, because this source openldap server only has port 389 open. Now I have installed the openldap-servers package on the target linux server, then what? I would appreciate it if anybody could instruct me or direct me to useful documents.
I would back up the database from the old server and restore it to the new one.

Old server (database 0 is cn=config, the second dump is the directory data):
{PATH}/openldap/sbin/slapcat -n 0 -F {PATH}/openldap/etc/openldap/slapd.d -l {PATH}/slapd.d.ldif
{PATH}/openldap/sbin/slapcat -b {BASE_DN} -F {PATH}/openldap/etc/openldap/slapd.d -l {PATH}/config.ldif

Copy the ldif files to the new server.

New server (load the config first, the data database must exist before it can be filled):
mkdir {PATH}/openldap/etc/openldap/slapd.d
{PATH}/openldap/sbin/slapadd -n 0 -F {PATH}/openldap/etc/openldap/slapd.d -l {PATH}/slapd.d.ldif
{PATH}/openldap/sbin/slapadd -b {BASE_DN} -F {PATH}/openldap/etc/openldap/slapd.d -l {PATH}/config.ldif
From: xpzhang1971@gmail.com xpzhang1971@gmail.com Sent: Friday, March 22, 2024 6:41 PM To: openldap-technical@openldap.org Subject: [EXTERNAL] how to migrate an openldap server to a new linux server
I have an openldap server that I want to clone to another linux server. However, I can't access it by login; I can only run ldapsearch, because this source openldap server only has port 389 open.
Now I have installed the openldap-servers package on the target linux server, then what? I would appreciate it if anybody could instruct me or direct me to useful documents.
The problem here is that the source openldap server only has port 389 open; it is not accessible, so I am not able to run slapcat.
Why is it not accessible? It sounds like that is the 1st problem you need to solve. You can add an ldapi to the startup.
From: xpzhang1971@gmail.com xpzhang1971@gmail.com Sent: Saturday, March 23, 2024 3:34 PM To: openldap-technical@openldap.org Subject: RE: [EXTERNAL] how to migrate an openldap server to a new linux server
The problem here is that the source openldap server only has port 389 open; it is not accessible, so I am not able to run slapcat.
Because port 22 is not open, I can't ssh or rlogin to the server; I can only run client commands such as ldapsearch. nmap against the server only sees ports 389 and 636 open. I don't know how the server owner maintains and starts/stops the server.
This is sounding pretty shady. It sounds like it isn’t your data.
From: xpzhang1971@gmail.com xpzhang1971@gmail.com Sent: Monday, March 25, 2024 11:51 AM To: openldap-technical@openldap.org Subject: RE: [EXTERNAL] how to migrate an openldap server to a new linux server
Because port 22 is not open, I can't ssh or rlogin to the server; I can only run client commands such as ldapsearch.
nmap against the server only sees ports 389 and 636 open. I don't know how the server owner maintains and starts/stops the server.
In several organizations where I worked without root access, I requested sudo permissions for slapcat.
But not having a shell makes life more difficult. Maybe you could get root to set up a cron job to dump the extract using slapcat and deliver it somehow.
Chris Paul | https://www.rexconsulting.net
--On Monday, March 25, 2024 4:51 PM +0000 xpzhang1971@gmail.com wrote:
Because port 22 is not open, I can't ssh or rlogin to the server; I can only run client commands such as ldapsearch. nmap against the server only sees ports 389 and 636 open. I don't know how the server owner maintains and starts/stops the server.
The only way to get a known good backup of the server is to be able to log into the server so you can obtain not only the database, but also the slapd configuration. Since you lack access to this system, it sounds like you're not supposed to have that level of access.
--Quanah
Tech Folks, thanks for your replies. In the real world, we often face such tasks: taking over a thing that does not belong to you, when you have only limited access to it.
Is there a way to figure out the configuration, schema, etc. from ldif files generated by ldapsearch against the source server, and then configure a fresh target openldap server with that information so that the target server is exactly the same as the source server?
Thanks!
--On Monday, March 25, 2024 6:42 PM +0000 xpzhang1971@gmail.com wrote:
Tech Folks, thanks for your replies. In the real world, we often face such tasks: taking over a thing that does not belong to you, when you have only limited access to it.
Is there a way to figure out the configuration, schema, etc. from ldif files generated by ldapsearch against the source server, and then configure a fresh target openldap server with that information so that the target server is exactly the same as the source server?
You can query the cn=subschema entry for the server schema, but that doesn't mean all the schema returned is in use.
However, without having the server configuration (including what overlays, etc, are in use) you cannot reproduce the server functionality. IF it exposes the configuration via cn=config with ldapsearch, then you could get the configuration that way. Without the configuration, you could be missing critical pieces such as password policies, uniqueness constraints, etc. You also have no idea whether or not your "ldapsearch" output includes the full database or only a portion of the database (or even just portions of entries) since you have no idea what limitations via ACLs have been placed on your search.
Regards, Quanah
On 2024-03-25 10:42, xpzhang1971@gmail.com wrote:
Tech Folks, thanks for your replies.
There are too many unknowns for anyone to give you much help in creating a new LDAP instance. What OS? What version of OpenLDAP? Do you have full access to the directory data using LDAP, i.e. what credentials are you using and what ACLs are in place? Do you have a backup of the system?
In the real world, we often face such tasks: taking over a thing that does not belong to you, when you have only limited access to it.
Do you have physical access to the system? If the system is Linux and you have access to the console, it is a simple thing to reboot the system using init=/bin/bash, set the root password, and then reboot the system normally. Once you have root access you can do whatever you need, e.g. create user accounts, install ssh, etc. But this really is just a normal system management task and not on topic for this distribution list.
Is there a way to figure out the configuration, schema, etc. from ldif files generated by ldapsearch against the source server, and then configure a fresh target openldap server with that information so that the target server is exactly the same as the source server?
Once you can use slapcat everything gets easy. It would be best to gain root access to the system.
Bill
I gave it a try this way: I installed openldap 2.6 as the target server and started it up with the initial slapd.ldif. Then I tried to ldapadd the entries exported from the source server, but it failed on the first entry with this error message:
[root@ldap-ol8 openldap]# ldapadd -H ldap:/// -D "cn=admin,dc=example,dc=com" -W -f /tmp/test.ldif
adding new entry "dc=example,dc=com"
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #1 invalid per syntax

The ldif file looks like:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: nisDomainObject
nisDomain: example.com
What's wrong with objectClass??
--On Tuesday, March 26, 2024 11:57 PM +0000 xpzhang1971@gmail.com wrote:
I gave it a try this way: I installed openldap 2.6 as the target server and started it up with the initial slapd.ldif. Then I tried to ldapadd the entries exported from the source server, but it failed on the first entry with this error message:
The ldif file looks like:
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
objectClass: nisDomainObject
nisDomain: example.com
What's wrong with objectClass??
You're missing the schema that defines it.
--Quanah
I did an ldapsearch to export the schema from the source ldap server; the command is:
ldapsearch -x -LLL -H "ldap://xxx:389" -D "cn=admin,ou=AdminUsers,dc=example,dc=com" -W -b "cn=schema" -o ldif-wrap=no > source-schema.ldif

but ldapadd of this ldif to the target server still reports:
[root@phx-ldap-ol8 openldap]# ldapadd -H ldap:/// -D "cn=admin,dc=oracle,dc=com" -W -f /tmp/source-schema.ldif
adding new entry "dc=example,dc=com"
ldap_add: Object class violation (65)
        additional info: no objectClass attribute
How do I get the schema defined in the target server??
--On Wednesday, March 27, 2024 1:07 AM +0000 xpzhang1971@gmail.com wrote:
I did an ldapsearch to export the schema from the source ldap server; the command is:
ldapsearch -x -LLL -H "ldap://xxx:389" -D "cn=admin,ou=AdminUsers,dc=example,dc=com" -W -b "cn=schema" -o ldif-wrap=no > source-schema.ldif

but ldapadd of this ldif to the target server still reports:
[root@phx-ldap-ol8 openldap]# ldapadd -H ldap:/// -D "cn=admin,dc=oracle,dc=com" -W -f /tmp/source-schema.ldif
adding new entry "dc=example,dc=com"
ldap_add: Object class violation (65)
That will not give you schema usable for ldapadd.
--Quanah
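The subschema dump is not loadable as-is for two reasons: a cn=config server expects the definitions as olcAttributeTypes/olcObjectClasses values under an olcSchemaConfig entry, and the dump also repeats the built-in schema (core, cosine, ...) that the target already serves, which slapadd/ldapadd would reject as duplicates. The following is an added example, not code from this thread or from the OpenLDAP project; it converts a constructed subschema fragment into an olcSchemaConfig entry and drops every definition whose OID is already present on the target (the `already loaded` OID set is an assumption you would fill from the target's own cn=Subschema):

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of a cn=Subschema dump (ldapsearch wraps long values onto
# continuation lines that start with one space); not output from any real server.
SOURCE_SCHEMA_LDIF = """\
dn: cn=Subschema
objectClass: subschema
attributeTypes: ( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
  MUST nisDomain )
"""
OID_RE = re.compile(r"^\(\s*(\S+)")  # the OID is the first token after '('

def unwrap_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines back onto the attribute line they belong to."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_subschema(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Collect (oid, definition) pairs for attributeTypes and objectClasses."""
    out: Dict[str, List[Tuple[str, str]]] = {"attributeTypes": [], "objectClasses": []}
    for line in unwrap_ldif(text):
        attr, _, value = line.partition(":")
        if attr in out:
            m = OID_RE.match(value.strip())
            if not m:
                raise ValueError(f"unparseable {attr} value: {value.strip()[:40]}")
            out[attr].append((m.group(1), value.strip()))
    return out

def to_olc_schema(text: str, target_oids: Set[str], cn: str = "migrated") -> str:
    """Build one olcSchemaConfig entry holding only the definitions the target lacks;
    attribute types come first because object classes reference them by name."""
    parsed = parse_subschema(text)
    body = [f"dn: cn={cn},cn=schema,cn=config", "objectClass: olcSchemaConfig", f"cn: {cn}"]
    for attr, olc in (("attributeTypes", "olcAttributeTypes"), ("objectClasses", "olcObjectClasses")):
        body += [f"{olc}: {d}" for oid, d in parsed[attr] if oid not in target_oids]
    return "\n".join(body) + "\n"

if __name__ == "__main__":
    # Assumed/constructed: OIDs the target already serves (core schema, no nis.ldif).
    print(to_olc_schema(SOURCE_SCHEMA_LDIF, {"2.5.4.0", "2.5.6.0"}), end="")
```

The result is what `ldapadd -Y EXTERNAL -H ldapi:///` against the target's cn=config expects; it does not recover ACLs, overlays or password policies, which only the source's cn=config or slapcat output contains.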