Change BaseDN in OpenLDAP

I was trying to rename my OpenLDAP's baseDN

from:

dc=abc,dc=com

to:

dc=xyz,dc=edu

I did modify some conf files:

  • /etc/ldap/slapd.d/cn\=config/olcDatabase={1}hdb.ldif

  • /etc/ldapscripts/ldapscripts.conf

and the configuration of phpLDAPadmin:

  • config.php

to the new root dn

After I restarted the slapd and lighttpd services, I could log in to the admin interface of phpLDAPAdmin (admin binddn), but I was not able to do anything.

I also tried to run some ldap command lines, but they didn't work.

What else do I have to do? Or is there anything wrong with my method?

Trinh Nguyen asked Oct 23 '13 09:10




2 Answers

OK, I solved it myself. Here is how I migrated the current LDAP database to a new domain:

  • Export the old LDAP database to ldif file.
  • Delete the old database
  • Create a new LDAP database with new domain name
  • Modify the exported ldif file above to fit the new domain (the root dn)
  • Import the modified ldif file into the new database

Assuming I have a new domain name, dc=my,dc=new,dc=ldap,dc=domain, and I want to move all of the existing LDAP data to the new one.

I did the following steps

  1. Backup the old LDAP database

    # slapcat -v -l old_ldap.ldif
    
  2. Stop the OpenLDAP server

    # service slapd stop
    
  3. Delete old LDAP database

    # cd /var/lib/ldap
    # rm -rf *
    
  4. Make sure LDAP is not running

    # nano /var/lib/ldap/DB_CONFIG
    

    NOTE: add these following lines and save

    #DB_CONFIG
    set_cachesize           0 150000000 1
    set_lg_regionmax        262144
    set_lg_bsize            2097152
    set_flags               DB_LOG_AUTOREMOVE
    
  5. Change the current LDAP settings in the following files

    • /etc/ldapscripts/ldapscripts.conf

      ...
      SERVER="ldap://localhost"
      BINDDN="cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
      BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
      ...
      
    • /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif

      ...
      olcSuffix: dc=my,dc=new,dc=ldap,dc=domain
      olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * none
      olcAccess: {2}to * by self write by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * read
      olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
      olcRootPW: <new administrator password>
      ...
      
  6. Prepare the new LDAP Directory structure, data, new_ldap.ldif, (or modify the old_ldap.ldif with the new dn)

    # Root
    # The naming attribute must carry the RDN value (dc=my); slapadd rejects the entry otherwise
    dn:                    dc=my,dc=new,dc=ldap,dc=domain
    description:           New LDAP BaseDN
    dc:                    my
    o:                     parent.my.new.ldap.domain
    objectClass:           top
    objectClass:           dcObject
    objectClass:           organization
    structuralObjectClass: organization
    
    # administrator
    dn:                    cn=admin,dc=my,dc=new,dc=ldap,dc=domain
    objectClass:           simpleSecurityObject
    objectClass:           organizationalRole
    cn:                    admin
    description:           LDAP administrator
    userPassword:          <new administrator password>
    structuralObjectClass: organizationalRole
    
    # Subtree for Users
    dn:                    ou=Users,dc=my,dc=new,dc=ldap,dc=domain
    ou:                    Users
    description:           Parent Ldap Users
    objectClass:           organizationalUnit
    objectClass:           top
    structuralObjectClass: organizationalUnit
    
    # Subtree for Groups
    dn:                    ou=Groups,dc=my,dc=new,dc=ldap,dc=domain
    ou:                    Groups
    description:           Parent LDAP Groups
    objectClass:           organizationalUnit
    objectClass:           top
    structuralObjectClass: organizationalUnit
    ...
    
  7. Test the new ldif

    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -u -l new_ldap.ldif 
    

    NOTE: the -u means run the command in test mode

If everything's OK, the output will look something like:

    added: "dc=my,dc=new,dc=ldap,dc=domain"
    added: "cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Users,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Groups,dc=my,dc=new,dc=ldap,dc=domain"
    _#################### 100.00% eta   none elapsed            none fast! 

  8. Add the new LDAP data to the server

    # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -l new_ldap.ldif
    

You can check for updates in my blog post about this issue: http://iambusychangingtheworld.blogspot.com/2013/10/ldap-create-new-ldap-directory.html

Trinh Nguyen answered Oct 22 '22 08:10
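The one step the answer above does not show is "modify the exported ldif file to fit the new domain". The following is an added example, not the answer author's code and not part of OpenLDAP's tooling: it rewrites the suffix of every DN and DN-valued attribute in a slapcat export, unfolds continuation lines and decodes/re-encodes the base64 (`::`) values slapcat writes for non-ASCII data, and changes the root entry's naming attribute (`dc: abc` becomes `dc: xyz`) so that slapadd accepts the entry. The attribute set DN_VALUED_ATTRS, the function names and the sample export are assumptions constructed for the example; values of all other attributes (password hashes, photos, operational attributes such as entryUUID) pass through untouched.

```python
"""Rewrite every DN in a slapcat export from one base DN to another.

Added example, not the answer author's code. Assumes RFC 2849 LDIF as slapcat
writes it and that DN_VALUED_ATTRS covers the DN-valued attributes you use.
"""
import base64
import re

# Attribute types whose values are DNs (assumed list of common ones; extend it
# for your schemas). Options such as ';binary' are stripped before lookup.
DN_VALUED_ATTRS = {"dn", "member", "uniquemember", "memberof", "owner",
                   "manager", "seealso", "olcsuffix", "olcrootdn"}

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def needs_base64(value):
    """RFC 2849: non-ASCII, NUL/CR/LF or a leading ' ', ':' or '<' forces base64."""
    return bool(value) and (value[0] in " :<" or
                            any(ord(c) > 127 or c in "\0\r\n" for c in value))


def rewrite_dn(value, old_base, new_base):
    """Swap the suffix only; a DN outside old_base (e.g. cn=config) is untouched."""
    if value.lower() == old_base.lower():
        return new_base
    suffix = "," + old_base.lower()
    if value.lower().endswith(suffix):
        return value[:-len(suffix)] + "," + new_base
    return value


def rewrite_ldif(text, old_base, new_base):
    """Move all DN-valued attributes under new_base.

    The root entry's naming attribute (e.g. 'dc: abc') becomes the new RDN value
    too, because slapadd rejects an entry whose RDN value is missing; this assumes
    both bases use the same naming attribute type. Every other value (passwords,
    photos, ...) passes through byte-for-byte.
    """
    old_rdn_attr, old_rdn_val = old_base.split(",", 1)[0].split("=", 1)
    new_rdn_attr, new_rdn_val = new_base.split(",", 1)[0].split("=", 1)
    same_rdn_attr = old_rdn_attr.lower() == new_rdn_attr.lower()
    in_root, out = False, []
    for line in unfold(text):
        m = ATTR_LINE.match(line)
        if not m:                                   # blank line or '#' comment
            out.append(line)
            continue
        attr, sep, value = m.groups()
        lattr = attr.lower().split(";")[0]
        is_dn = lattr in DN_VALUED_ATTRS
        is_root_rdn = in_root and same_rdn_attr and lattr == old_rdn_attr.lower()
        if not (is_dn or is_root_rdn):
            out.append(line)
            continue
        if sep == "::":                             # slapcat base64-encodes non-ASCII values
            value = base64.b64decode(value).decode("utf-8")
        if lattr == "dn":
            in_root = value.lower() == old_base.lower()
        if is_dn:
            value = rewrite_dn(value, old_base, new_base)
        elif value.lower() == old_rdn_val.lower():
            value = new_rdn_val
        out.append(f"{attr}:: {b64(value)}" if needs_base64(value) else f"{attr}: {value}")
    return "\n".join(out) + "\n"


# Constructed sample export (no real data) with a folded value and a
# base64-encoded DN, which is how slapcat emits non-ASCII RDNs.
OLD_BASE, NEW_BASE = "dc=abc,dc=com", "dc=xyz,dc=edu"
SAMPLE_LDIF = (
    "dn: dc=abc,dc=com\nobjectClass: dcObject\nobjectClass: organization\n"
    "dc: abc\no: abc.com\n\n"
    "dn: cn=admin,dc=abc,dc=com\nobjectClass: organizationalRole\ncn: admin\n"
    "userPassword:: " + b64("{SSHA}placeholder-not-a-real-hash") + "\n\n"
    "dn:: " + b64("uid=josé,ou=Users,dc=abc,dc=com") + "\n"
    "objectClass: inetOrgPerson\nsn: Example\n\n"
    "dn: cn=devs,ou=Groups,dc=abc,dc=com\nobjectClass: groupOfNames\n"
    "member: uid=alice,ou=Users,dc=abc,dc=com\n"
    "member: uid=bob,ou=Users,\n dc=abc,dc=com\n"
)

if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE_LDIF, OLD_BASE, NEW_BASE), end="")
```

Run it over `old_ldap.ldif` from step 1 (read the file, call `rewrite_ldif` with the old and new base, write the result as `new_ldap.ldif`), then dry-run the result with `slapadd -u` exactly as in step 7 before importing. The output is not re-folded at 76 columns, which slapadd accepts. If your directory has other DN-valued attributes, add them to DN_VALUED_ATTRS first; a value that keeps the old suffix would otherwise import as a dangling reference.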


Very useful guide! For future reference, I found that after the modification in point 5b, the test (as described in point 7) will report a failing crc32 value (the checksum is located on line 2 of that same file).

Edit 06/2/2018: As per the suggestion of PF4Public, you might be able to remove those lines as a whole.

In any other case, you will have to generate a new crc32 (I am using Debian Jessie; your path might be different).

Fast route:

    tail -n +3 /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}mdb.ldif

and paste the result into an online crc32 calculator. The calculated crc32 value replaces the old value located on line 2 of the mdb.ldif.

The slow/thorough route is described here: https://gist.github.com/Shaltz/1d65a07a0901a36fb7f1

After adding the new_ldap.ldif, make sure the openldap user has rights on the generated database.

    chown -R openldap:openldap /var/lib/ldap

R.J. answered Oct 22 '22 09:10
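The "fast route" above pastes the body of olcDatabase={1}mdb.ldif, which contains olcRootPW and the access control rules, into a third-party website. The checksum can be computed locally instead. The following is an added example, not R.J.'s code and not part of OpenLDAP: it assumes the layout the answer describes (line 1 is the AUTO-GENERATED banner, line 2 is `# CRC32 xxxxxxxx`, and the checksum covers every byte from line 3 to the end of the file) and assumes the standard CRC-32 as implemented by zlib, written as eight lowercase hex digits, is what slapd checks. Function names and the sample file are constructed for the example.

```python
"""Recompute the '# CRC32' header of a hand-edited slapd.d LDIF file.

Added example, not from the answer above. Assumed layout (as the answer
describes): line 1 banner, line 2 '# CRC32 xxxxxxxx', checksum over every
byte from line 3 to the end of the file, using the zlib CRC-32.
"""
import sys
import zlib

CRC_PREFIX = "# CRC32 "


def split_header(text):
    """Return (banner, crc_line, body); raise if the file lacks the header."""
    parts = text.split("\n", 2)
    if len(parts) < 3 or not parts[1].startswith(CRC_PREFIX):
        raise ValueError("not a slapd.d file with a CRC32 header")
    return parts[0], parts[1], parts[2]


def compute_crc(body):
    """CRC-32 of the body (zlib/IEEE polynomial) as eight lowercase hex digits."""
    return format(zlib.crc32(body.encode("utf-8")), "08x")


def verify_checksum(text):
    """True if the stored checksum matches the body that follows it."""
    _, crc_line, body = split_header(text)
    return crc_line[len(CRC_PREFIX):].strip().lower() == compute_crc(body)


def fix_checksum(text):
    """Return the file text with line 2 replaced by the correct checksum."""
    banner, _, body = split_header(text)
    return "\n".join([banner, CRC_PREFIX + compute_crc(body), body])


def fix_file(path):
    """Rewrite the CRC32 line in place; returns True if the file was stale."""
    # newline="" keeps the bytes exactly as slapd wrote them
    with open(path, encoding="utf-8", newline="") as fh:
        original = fh.read()
    if verify_checksum(original):
        return False
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(fix_checksum(original))
    return True


# Constructed sample: an olcDatabase file whose suffix was edited by hand,
# so the stored checksum no longer matches the body.
STALE_FILE = (
    "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
    "# CRC32 00000000\n"
    "dn: olcDatabase={1}mdb\n"
    "objectClass: olcDatabaseConfig\n"
    "objectClass: olcMdbConfig\n"
    "olcDatabase: {1}mdb\n"
    "olcSuffix: dc=my,dc=new,dc=ldap,dc=domain\n"
    "olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:   # usage: fix_crc.py /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
        print("updated" if fix_file(sys.argv[1]) else "checksum already correct")
    else:
        print(fix_checksum(STALE_FILE), end="")
```

Run it as root with slapd stopped, then check the configuration with `slaptest -F /etc/ldap/slapd.d` before starting slapd again. Changing olcSuffix and olcRootDN through `ldapmodify` against cn=config, as the banner line suggests, avoids the problem entirely because slapd rewrites the file and its checksum itself.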