- Special Backup Concerns for Open Directory
- Backing Up Open Directory and Everything Else on a Server
- Master and Replica Servers
- Backing Up and Restoring Directory Data Manually
Backing Up and Restoring Directory Data Manually
If you want to back up just the directory data of an LDAP master instead of cloning the entire drive, you should back up the domain database, the required configuration files, and the Open Directory Password Server database. You should also make copies of all these items at one time and with as little elapsed time between each item to ensure that the data from all three remain as in sync with each other as possible.
You can back up LDAP data while the domain is in active use (although to absolutely ensure consistency in your backup, you might want to stop the slapd service first). You cannot do a restore while the domain is in active use, however. You need to perform this process as root because only the root user has full access the requisite data. To stop the slapd service (and active use of the domain) before proceeding, use the following command:
- First, use the Unix slapcat command as follows to create a raw text dump of
all directory information (with the exception of data stored by the Open
Directory Password Server). Use the command as follows (you can substitute a
filename other than backup and can include a full path to a specific
backup location, although you have to include the. ldif extension):
slapcat –l backup.ldif
- Copy the LDAP configuration files (which are contained in the /etc/openldap directory on the server’s startup volume) and the host configuration file located at /etc/hostconfig.
- Copy the /Library/Preferences/DirectoryService folder, which contains information about Open Directory binding for the server (including binding to its own directory). If your server uses SSL support for LDAP, also copy your security certificate and private key files.
- Create a directory to store the backup of the Open Directory Password Server database.
- Use the mkpassdb command to create a backup of the database in the folder
you created for it, as follows:
mkpassdb -backupdb <path to folder>
- Create a directory to store the backup of your Kerberos realm database.
- Use the kdb5_util tool to create a backup dump of your Kerberos data in the
kdb5_util dump > <path to folder>/kbd5dump.bak
- To restore LDAP directory domain data, first stop the slapd service, as described earlier. Then, copy the configuration and host configuration files to the appropriate location. Do the same with the security certificate and private key files, if you backed these up as well.
- Use the Unix slapadd command to restore the domain data from the raw text
dump (if you changed the name from backup, substitute the appropriate
name and/or file path):
slapadd -c –l backup.ldif
- Use the mspassdb command to restore the Open Directory Password Server
Mkpassdb –mergedb <path to folder>
- Use the kdb5_util tool to restore your Kerberos realm data:
kdb5_util load <path to folder>/kbd5dump.bak
- Restart the server and then start the LDAP service (if it does not restart
automatically). You will have stopped the server before attempting the restore
process. You can restart the LDAP service by using the following Unix