Migration from OpenLDAP 2.3 to 2.4

Note: I wrote this post during Christmas break 2017, but it took me some time before I managed to give it a better form, verify the steps again and publish it. Hence some Xmas references in a text published during summer time.


The Xmas break is, as usual, just about the right time to either play some really old-school RPG, or to finally get on with some “fun” tasks that you have been postponing for as long as you could. This year, one such task on my plate was to finally get rid of an old CentOS 5 machine running an OpenLDAP server, where I kept an address book and the accounts of my mail server.

For some tasks, it’s never the right time. Like this upgrade from an old CentOS 5 machine with OpenLDAP 2.3 to CentOS 7 with a newer OpenLDAP, which no longer reads /etc/openldap/slapd.conf but keeps its configuration as a directory tree of its own (cn=config), stored as LDIF files under /etc/openldap/slapd.d. So, despite postponing this “fun” for as long as I could, I finally had to upgrade this old machine of mine.

This is how I went about it. I started from a fresh installation of CentOS 7 and installed the server and client packages as the first step:

yum install openldap-servers openldap-clients openldap

Next, I used slappasswd to produce a hash of a freshly generated password.

slappasswd

The tool prints the hashed password to standard output. I copied it into the step1.ldif file referenced below. Since editing the files under slapd.d by hand is no longer recommended, configuration changes are now made by applying LDIF files to the running server over the local ldapi:/// socket; -Y EXTERNAL authenticates with SASL EXTERNAL as the local root user, which the stock configuration maps onto the cn=config administrator (ldapadd is just ldapmodify -a, so it applies a changetype: modify record equally well, which is why the next step uses ldapmodify interchangeably). step1.ldif sets the directory’s root password (the olcRootPW attribute).

step1.ldif

vim step1.ldif
systemctl start slapd.service
ldapadd -Y EXTERNAL -H ldapi:/// -f step1.ldif

Having set the root password, I next copied the sample Berkeley DB tuning file into the database directory. This does not create the database, which is already defined in cn=config; without a DB_CONFIG file slapd only warns at startup about missing tuning parameters, but the shipped example gives it sane cache and log settings. Then I restarted slapd:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
systemctl restart slapd.service

and then loaded the schemas I needed (core is loaded by default; cosine has to come first because both nis and inetorgperson depend on it, and a schema that is already loaded is rejected as a duplicate on a second add):

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

That done, I could set up the same structure and data as on my old CentOS 5 LDAP server, starting with the manager account. step2.ldif is another change to cn=config, which is why it is applied with ldapmodify over ldapi:/// as well: it sets the suffix (olcSuffix) and the root DN (olcRootDN) of the data database, so that cn=Manager,dc=example,dc=com can be used for the binds below (example.com stands in for my real domain here):

step2.ldif

vim step2.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f step2.ldif

Now, with the manager DN in place, I could add the base entry and the People organizational unit from step3.ldif. This is ordinary directory data rather than configuration, so it goes in with a simple bind (-x) as the manager, with -W prompting for the password:

step3.ldif

vim step3.ldif
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f step3.ldif
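The three LDIF files themselves are not reproduced in this post. As an added example, and not the author’s own step1/step2/step3.ldif, here is a shell script that generates LDIF of the kind each of the three steps needs and applies it in the same order. It assumes the stock CentOS 7 openldap-servers layout of cn=config (olcDatabase={0}config, olcDatabase={1}monitor, olcDatabase={2}hdb) and the example.com / cn=Manager names used above; the monitor-database ACL and the exact attributes touched in step2 are assumptions about what the original files did.

```shell
#!/bin/bash
# Added example (not the author's step1/step2/step3.ldif, which the post does not
# reproduce). Assumes the stock CentOS 7 openldap-servers cn=config layout:
# olcDatabase={0}config, olcDatabase={1}monitor, olcDatabase={2}hdb, and the
# example.com / cn=Manager names used in the post.
set -u

SUFFIX="dc=example,dc=com"
DC_VALUE="example"                       # first RDN value of SUFFIX
MANAGER_DN="cn=Manager,${SUFFIX}"
# Identity that SASL EXTERNAL over ldapi:/// gives the local root user.
PEERCRED_ROOT="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

# step1: give the config database itself a root password (hash from slappasswd).
# "replace" rather than "add" keeps this idempotent if olcRootPW is already set.
make_step1_ldif() {
  local hash="$1"
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: ${hash}
EOF
}

# step2 (assumed content): let local root and the manager read cn=monitor,
# then point the data database at our suffix and name the manager account.
make_step2_ldif() {
  local hash="$1"
  cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="${PEERCRED_ROOT}" read by dn.base="${MANAGER_DN}" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: ${SUFFIX}
-
replace: olcRootDN
olcRootDN: ${MANAGER_DN}
-
replace: olcRootPW
olcRootPW: ${hash}
EOF
}

# step3: the base entry plus the ou=People container the user entries hang off.
make_step3_ldif() {
  cat <<EOF
dn: ${SUFFIX}
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Organization
dc: ${DC_VALUE}

dn: ou=People,${SUFFIX}
objectClass: organizationalUnit
ou: People
EOF
}

# Apply everything in the post's order. Needs slapd running and must run as
# root: -Y EXTERNAL over ldapi:/// authenticates as the local uid/gid 0 peer.
apply_all() {
  local hash="$1"
  make_step1_ldif "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  make_step2_ldif "$hash" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  make_step3_ldif | ldapadd -x -D "$MANAGER_DN" -W
}

# Usage: apply_all "$(slappasswd)"
```

Generating the LDIF from functions rather than hand-editing files keeps the suffix and manager DN in one place, and using replace instead of add in the modify records means the script can be re-run after a partial failure without tripping over attributes that already exist.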

That was it as far as structure was concerned. Now I only had to import the actual data from an LDIF dump taken on my old LDAP server. The dump of the People entries looked roughly like this skeleton people.ldif (some data, such as password hashes, was removed on purpose; this is just to give you an idea):

people.ldif

When I tried to import it, however, slapd refused the entries. The dump contained operational attributes that the server maintains itself (they are marked NO-USER-MODIFICATION in the schema, so ldapadd is not allowed to set them, and slapd generates them afresh on import). I had to strip them first:

grep -v -E 'entryCSN|entryUUID|structuralObjectClass|creatorsName|createTimestamp|modifiersName|modifyTimestamp' people.ldif > people_updated.ldif

With this new file people_updated.ldif, the import into the new directory went through without further issues:

people_updated.ldif

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f people_updated.ldif
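The grep above matches the attribute names anywhere in a line, and because LDIF folds long values onto continuation lines that start with a space, it would leave such a continuation behind as a stray line (or drop a harmless value that merely contains one of those words). As an added example that is not the author’s command, here is a stricter filter that matches attribute names only at the start of a line and drops their continuation lines with them; the sample dump is constructed for the demonstration (contextCSN is included because slapcat also emits it on the suffix entry). If the old server is still around, the other option is an offline restore with slapadd while slapd is stopped, which accepts a slapcat dump with these attributes left in place.

```shell
#!/bin/bash
# Added example, not the author's command. Strips the operational attributes
# that slapd generates itself (marked NO-USER-MODIFICATION in the schema, so
# ldapadd rejects them) from an LDIF dump, including folded continuation
# lines of those attributes, which a plain grep -v leaves behind.
set -u

# Attribute names are matched case-insensitively and only at line start,
# optionally with ;options (e.g. "createTimestamp;x-foo:"), so a value that
# merely contains one of these words is left alone.
OPERATIONAL_ATTRS='entryCSN|entryUUID|contextCSN|structuralObjectClass|creatorsName|createTimestamp|modifiersName|modifyTimestamp'

# Reads LDIF on stdin, writes the cleaned LDIF on stdout.
# Usage: strip_operational_attrs < people.ldif > people_updated.ldif
strip_operational_attrs() {
  awk -v attrs="$OPERATIONAL_ATTRS" '
    BEGIN { pat = tolower("^(" attrs ")(;[^:]*)?:"); skipping = 0 }
    # LDIF folds long values: a line starting with one space continues the
    # previous attribute, so it shares the fate of the previous line.
    /^ / { if (!skipping) print; next }
    { skipping = 0 }
    tolower($0) ~ pat { skipping = 1; next }
    { print }
  '
}

# Constructed sample in the shape of the post's people.ldif (not real data);
# modifiersName is deliberately folded across two lines.
SAMPLE_DUMP='dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
cn: John Doe
sn: Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/john
mail: john@example.com
structuralObjectClass: inetOrgPerson
entryUUID: 3f2504e0-4f89-11d3-9a0c-0305e82c3301
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20171224120000Z
entryCSN: 20171224120000.000000Z#000000#000#000000
modifiersName: cn=Manager,dc=example,
 dc=com
modifyTimestamp: 20171224120000Z
'

# Runs the filter over the constructed sample and returns the cleaned LDIF.
clean_sample() {
  printf '%s' "$SAMPLE_DUMP" | strip_operational_attrs
}

# Number of lines left after cleaning: the dn plus nine user attributes.
clean_sample_line_count() {
  clean_sample | wc -l | tr -d ' '
}
```

Note that userPassword is not on the list: it is a user attribute and the manager can set it, which is why the author could carry the old hashes over unchanged.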

I verified the result by querying the new directory over the network, binding as the manager with a simple bind (-x is needed, otherwise ldapsearch attempts a SASL bind and ignores -D; the older -h host form is deprecated in favour of -H with an LDAP URI):

ldapsearch -x -H ldap://server_hostname_or_ip -D "cn=Manager,dc=example,dc=com" -W -b "uid=john,ou=People,dc=example,dc=com"

I hope this comes in handy to someone who gets stuck on such a “fun” task as I did.