Adding a new LDAP schema can already be tricky. Changing a LDAP schema on an existing server ressembles an operation at the living heart – especially if you’re using the new config backend at
cn=config. I’ll describe how I’ve interchanged the nis schema for the rfc2307bis schema.
The content however is old and might be outdated.
Since quite a long time I’ve been using openLDAP to store all my user accounts for mailserver, owncloud, seafile, … I not only store user accounts in the LDAP but also user groups, preferably as GroupOfNames objects. With my recent decision to drop owncloud for seafile and davical I’ve come to a problem. All my user groups are GroupOfNames, davical however can only work with the alternative posixGroups. Of course I could add another (posix)Group for groups I want to share dates and contacts with. But as those groups are the same I want to share files with I don’t like to do the work in double and want to use the existing GroupOfNames. With the nis schema active a group can either be a GroupOfNames or a posixGroup. By changing the nis schema for the rfc2307bis schema posixGroups will no longer be structural. So with that active a group can be both, a GroupOfNames AND a posix group. Problem solved.
However this migration won’t be easy.
- A complete backup image of your server. Just in case you need to do a recovery
- A schedule server downtime of at least one hour
- Stop your MTA (postfix) if your storing your mail users there. If you don’t it will reject all incoming mails as it can’t find the users in the database.
service stop postfix
- If you’re working with a lot of users or in a time critical business you might consider using a backup MX. That way a backup mailserver will catch the mails while your main server is down.
Stop the LDAP server, save and clean the LDAP data
The general idea is to take the data of the existing LDAP server, save them to file, make all changes in the file and reimport them into a fresh LDAP server.
Stop the LDAP server slapd:
Save config and user database to files.
slapcat -n0 > ~/ldap_schemachange/config.ldif slapcat -n1 > ~/ldap_schemachange/users.ldif
It might make sense to keep a copy of these files just in case you’ll need to recover.
Delete the existing LDAP database so we can start fresh after finishing the changes. Empty the folders
You should leave only one file:
/var/lib/ldap/DB_CONFIG and maybe
/var/lib/ldap/accesslog if applicable.
Or if you want to add another level of security just move those folders to another place:
mv /etc/ldap/slapd.d/* ~/ldap_old/ mv /var/lib/ldap/* ~/ldap_old/
Import rfc2307bis LDAP schema
Edit config.ldif, the file you’ve just exported from your LDAP. Delete the nis schema.Get the RFC2307bis schema eg from here: http://www.heinlein-support.de/blog/wp-content/uploads/2013/12/rfc2307bis.ldif_.txt. Copy the contents of this file to the place in config.ldif where you’ve just deleted the nis schema. Modify the first line to match the number of the nis schema, for me tis was
Import the finished config:
slapadd -F /etc/ldap/slapd.d -n0 -l config.ldif
Follow the reported errors to fix problems. I had to fix the index of memberUID for example
Fix your user database
Edit users.ldif. Wherever you used
structuralObjectClass=posixGroup replace it by
member=dn... for all groupObjects. Make sure to use the correct dn for your user however.
Add to LDAP
slapadd -F /etc/ldap/slapd.d -n 1 -l users.ldif
Cleanup and restart
Fix the rights for all directories you’ve played with:
chown -R openldap:openldap /etc/ldap/slapd.d chown -R openldap:openldap /var/lib/ldap
Then start the ldap server again. Watch the logfiles for any errors.
/etc/init.d slapd start
Finally start all services you’ve stopped in the beginning like dovecot, postfix, …