LDAP schema change on existing server

Adding a new LDAP schema can already be tricky. Changing an LDAP schema on an existing server resembles open-heart surgery, especially if you’re using the new config backend at cn=config. I’ll describe how I’ve exchanged the nis schema for the rfc2307bis schema.

This is a post from my old blog http://tech.cbjck.de. It has been moved here, slightly edited for better readability and adjusted to the new layout.
The content, however, is old and might be outdated.

For quite a long time I’ve been using OpenLDAP to store all my user accounts for my mail server, ownCloud, Seafile, … I not only store user accounts in the LDAP but also user groups, preferably as groupOfNames objects. With my recent decision to drop ownCloud for Seafile and DAViCal I ran into a problem. All my user groups are groupOfNames; DAViCal, however, can only work with the alternative, posixGroup. Of course I could add another (posix) group for every group I want to share appointments and contacts with. But as those are the same groups I want to share files with, I don’t want to do the work twice and would rather use the existing groupOfNames. With the nis schema active a group can be either a groupOfNames or a posixGroup, because both are structural object classes and an entry can only have one. By exchanging the nis schema for the rfc2307bis schema, posixGroup is no longer structural but auxiliary. With that active a group can be both, a groupOfNames AND a posixGroup. Problem solved.
However, this migration won’t be easy.

Preparations

  • A complete backup image of your server, just in case you need to do a recovery.
  • Scheduled server downtime of at least one hour.
  • Stop your MTA (postfix) if you’re storing your mail users in the LDAP. If you don’t, it will reject all incoming mail because it can’t find the users in the database.
    service postfix stop
  • If you’re working with a lot of users or in a time-critical business, consider using a backup MX. That way a backup mail server will hold the mail while your main server is down.

Stop the LDAP server, save and clean the LDAP data

The general idea is to take the data of the existing LDAP server, save it to files, make all changes in those files and re-import them into a fresh LDAP server.
Stop the LDAP server slapd:

/etc/init.d/slapd stop

Save the config and the user database to files (the target directory has to exist):

slapcat -n0 > ~/ldap_schemachange/config.ldif
slapcat -n1 > ~/ldap_schemachange/users.ldif

It makes sense to keep a copy of these files in case you need to recover.

Delete the existing LDAP database so we can start fresh after finishing the changes: empty the folders /etc/ldap/slapd.d/ and /var/lib/ldap/.
Leave only one file, /var/lib/ldap/DB_CONFIG, and maybe /var/lib/ldap/accesslog if applicable.
Or, if you want another level of safety, just move the contents of those folders to another place:

mv /etc/ldap/slapd.d/* ~/ldap_old/
mv /var/lib/ldap/* ~/ldap_old/

Import rfc2307bis LDAP schema

Edit config.ldif, the file you’ve just exported from your LDAP. Delete the nis schema entry. Get the RFC2307bis schema, e.g. from here: http://www.heinlein-support.de/blog/wp-content/uploads/2013/12/rfc2307bis.ldif_.txt. Copy the contents of this file to the place in config.ldif where you’ve just deleted the nis schema. Modify the first line to match the number of the nis schema; for me this was

dn: cn={2}rfc2307bis,cn=schema,cn=config

Import the finished config:

slapadd -F /etc/ldap/slapd.d -n0 -l config.ldif

Follow the reported errors to fix remaining problems. I had to fix the index of memberUID, for example.

Fix your user database

Edit users.ldif. Wherever you used structuralObjectClass=posixGroup, replace it by objectClass=groupOfNames. Add member=dn... for all group objects. Make sure to use the correct DN for each user.
Add it to LDAP:

slapadd -F /etc/ldap/slapd.d -n 1 -l users.ldif

Cleanup and restart

Fix the permissions for all directories you’ve touched:

chown -R openldap:openldap /etc/ldap/slapd.d
chown -R openldap:openldap /var/lib/ldap

Then start the LDAP server again and watch the log files for errors.

/etc/init.d/slapd start

Finally, start all the services you stopped at the beginning, like dovecot, postfix, …
