Change BaseDN in OpenLDAP

Question

I was trying to rename my OpenLDAP's baseDN

from:

dc=abc,dc=com

to:

dc=xyz,dc=edu

I did modify some conf files:

• /etc/ldap/slapd.d/cn\=config/olcDatabase={1}hdb.ldif

• /etc/ldapscripts/ldapscripts.conf

and the configuration of phpLDAPadmin:

• config.php

to the new root dn

But after I restarted the slapd and lighttpd services, even though I could login to the admin interface of phpLDAPAdmin (admin binddn), but I was not able to do anything.

I also tried to run some ldap command lines but it didn't work.

What else do I have to do? Or anything wrong with my method?

Answer 1

OK, I solved it myself. Here is how I migrated the current LDAP database to a new domain:

• Export the old LDAP database to ldif file.
• Delete the old databaes
• Create a new LDAP database with new domain name
• Modify the exported ldif file above to fit the new domain (the root dn)
• Import the modified ldif file into the new database

Assuming I have a new domain name, dc=my,dc=new,dc=ldap,dc=domain, and I want to move all of the existing LDAP data to the new one.

I did the following steps

1. Backup the old LDAP database

   # slapcat -v -l old_ldap.ldif
   

2. Stop the OpenLDAP server

   # service slapd stop
   

3. Delete old LDAP database

   # cd /var/lib/ldap
   # rm -rf *
   

4. Make sure LDAP is not running

   # nano /var/lib/ldap/DB_CONFIG
   

   NOTE: add these following lines and save

   #DB_CONFIG
   set_cachesize           0 150000000 1
   set_lg_regionmax        262144
   set_lg_bsize            2097152
   set_flags               DB_LOG_AUTOREMOVE
   

5. Change the current LDAP settings in the following files

   • /etc/ldapscripts/ldapscripts.conf

     ...
     SERVER="ldap://localhost"
     BINDDN="cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
     BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
     ...
     

   • /etc/ldap/slapd.d/cn=config/olcDatabase\={1}hdb.ldif

     ...
     olcSuffix: dc=my,dc=new,dc=ldap,dc=domain
     olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * none
     olcAccess: {2}to * by self write by dn="cn=admin,dc=my,dc=new,dc=ldap,dc=domain" write by * read
     olcRootDN: cn=admin,dc=my,dc=new,dc=ldap,dc=domain
     olcRootPW: <new administrator password>
     ...
     

6. Prepare the new LDAP Directory structure, data, new_ldap.ldif, (or modify the old_ldap.ldif with the new dn)

   # Root
   dn:                    dc=my,dc=new,dc=ldap,dc=domain
   description:           New LDAP BaseDN
   dc:                    parent
   o:                     parent.my.new.ldap.domain
   objectClass:           top
   objectClass:           dcObject
   objectClass:           organization
   structuralObjectClass: organization
   
   # administrator
   dn:                    cn=admin,dc=my,dc=new,dc=ldap,dc=domain
   objectClass:           simpleSecurityObject
   objectClass:           organizationalRole
   cn:                    admin
   description:           LDAP administrator
   userPassword:          <new administrator password>
   structuralObjectClass: organizationalRole
   
   # Subtree for Users
   dn:                    ou=Users,dc=my,dc=new,dc=ldap,dc=domain
   ou:                    Users
   description:           Parent Ldap Users
   objectClass:           organizationalUnit
   objectClass:           top
   structuralObjectClass: organizationalUnit
   
   # Subtree for Groups
   dn:                    ou=Groups,dc=my,dc=new,dc=ldap,dc=domain
   ou:                    Groups
   description:           Parent LDAP Groups
   objectClass:           organizationalUnit
   objectClass:           top
   structuralObjectClass: organizationalUnit
   ...
   

7. Test the new ldif

   # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -u -l new_ldap.ldif 
   

   NOTE: the -u means run the command in test mode

If everything's OK, the output will look something like:

    added: "dc=my,dc=new,dc=ldap,dc=domain"
    added: "cn=admin,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Users,dc=my,dc=new,dc=ldap,dc=domain"
    added: "ou=Groups,dc=my,dc=new,dc=ldap,dc=domain"
    _#################### 100.00% eta   none elapsed            none fast! 

8. Add the new LDAP data to the server

   # slapadd -b "dc=my,dc=new,dc=ldap,dc=domain" -v -l new_ldap.ldif
   

You can check for updates in my blog post about this issue: http://iambusychangingtheworld.blogspot.com/2013/10/ldap-create-new-ldap-directory.html

Answer 2

Very useful guide! For future reference, I found that: After modification of point 5b, the test (as described in point 7), will report a failing crc32 value (the checksum is located on line 2 of that same file);

Edit 06/2/2018: As per suggestion of PF4Public, You might be able to remove those lines as a whole.

In any other case: And you will have to generate a new crc32 (I am using Debian Jessy, your path might be different)

Fast route:

tail -n +3 /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}mdb.ldif

and pasting the result inside an online crc32 calculator. The calculated crc32 value replaces the old value of located on line 2 of the mdb.ldif.

The slow/thorough route is described here: https://gist.github.com/Shaltz/1d65a07a0901a36fb7f1

After adding the new_ldap.ldif make sure the openldap user has rights on the generated database.

chown -R openldap:openldap /var/lib/ldap