Change location where LDAP data is stored
I used to move the default database of OpenLDAP after each new setup.
The steps I do when I want to move a database:
- Stop slapd
    sudo service slapd stop
- slapcat the content of the cn=config branch into an LDIF file
    sudo slapcat -b cn=config > /tmp/config.ldif
- Copy the /var/lib/ldap directory wherever you want it
- Make sure the user openldap owns the new directory and all the files inside
- Edit the previously exported LDIF to modify the olcDbDirectory to the new location
- Import the LDIF (make sure /etc/ldap/slapd.d is empty before doing this)
    sudo rm -r /etc/ldap/slapd.d/*
    sudo slapadd -F /etc/ldap/slapd.d -b cn=config -l /tmp/config.ldif
- Make sure /etc/ldap/slapd.d and all its content is owned by openldap
    sudo chown -R openldap:openldap /etc/ldap/slapd.d/
- Edit the configuration needed to allow slapd to use this new database directory. For example, with AppArmor, edit the file /etc/apparmor.d/usr.sbin.slapd and add the following lines:
    /path/to/new/db/ r,
    /path/to/new/db/** rwk,
- Restart AppArmor and slapd
    sudo service apparmor restart
    sudo service slapd start
Usually it does the trick. It's also how I back up the configuration of my OpenLDAP instances.
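The procedure above, scripted as an added example (this is not code from the original answer). It assumes a Debian/Ubuntu-style layout (config in /etc/ldap/slapd.d, data in /var/lib/ldap, service user openldap); /srv/ldap is an assumed destination, and the AppArmor local-override file is an assumption about the distribution. Two things the answer does not spell out are made explicit: the export is created with a restrictive umask because it contains the olcRootPW hashes, and slapd.d is only wiped after the rewritten export has been checked to reference the new directory and no longer the old one.

```sh
#!/bin/sh
# Added example, not code from the original answer. It scripts the steps above
# for a Debian/Ubuntu-style host (assumed: config in /etc/ldap/slapd.d, data in
# /var/lib/ldap, service user openldap). Run without arguments it only
# demonstrates the LDIF rewrite on a constructed sample; the real move needs
# root:  sudo sh move-ldap-db.sh move /srv/ldap   (/srv/ldap is an assumed path)
set -eu

# Rewrite every olcDbDirectory value equal to OLD, or below it (e.g. an
# accesslog database in OLD/accesslog), so that it points under NEW instead.
# Databases stored elsewhere are untouched. Only the plain "olcDbDirectory: "
# form slapcat writes for ordinary paths is handled; a base64 "olcDbDirectory::"
# line would need decoding first. Regex metacharacters in OLD are not escaped.
rewrite_olc_db_directory() {
    old=$1; new=$2
    sed -e "s|^olcDbDirectory: $old\$|olcDbDirectory: $new|" \
        -e "s|^olcDbDirectory: $old/|olcDbDirectory: $new/|"
}

# Count olcDbDirectory lines (stdin) pointing at DIR or below; 0 is not an error.
count_db_dirs_under() {
    grep -c -e "^olcDbDirectory: $1\$" -e "^olcDbDirectory: $1/" || true
}

# The full move. Checks the rewritten export before wiping slapd.d, and
# syntax-checks the re-imported config before slapd is started again.
move_ldap_db() {
    new_dir=$1
    old_dir=/var/lib/ldap
    conf_dir=/etc/ldap/slapd.d
    umask 077                                  # the export holds olcRootPW hashes
    export_ldif=$(mktemp /tmp/config.XXXXXX)
    service slapd stop
    slapcat -b cn=config > "$export_ldif"
    rewrite_olc_db_directory "$old_dir" "$new_dir" < "$export_ldif" > "$export_ldif.new"
    if [ "$(count_db_dirs_under "$new_dir" < "$export_ldif.new")" -eq 0 ] ||
       [ "$(count_db_dirs_under "$old_dir" < "$export_ldif.new")" -ne 0 ]; then
        echo "rewrite did not produce a consistent export, slapd.d left intact" >&2
        exit 1
    fi
    mkdir -p "$new_dir"
    cp -a "$old_dir/." "$new_dir/"             # copy contents, keep modes
    chown -R openldap:openldap "$new_dir"
    rm -rf "$conf_dir"/*
    slapadd -F "$conf_dir" -b cn=config -l "$export_ldif.new"
    chown -R openldap:openldap "$conf_dir"
    # AppArmor: append to the local override if the distribution ships one
    # (assumed, as on Ubuntu); otherwise add the same two lines inside the
    # profile /etc/apparmor.d/usr.sbin.slapd as the answer describes.
    if [ -d /etc/apparmor.d/local ]; then
        printf '%s/ r,\n%s/** rwk,\n' "$new_dir" "$new_dir" \
            >> /etc/apparmor.d/local/usr.sbin.slapd
        apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
    fi
    slaptest -F "$conf_dir" -u                 # dry-run config check
    service slapd start
    rm -f "$export_ldif" "$export_ldif.new"
}

case "${1:-}" in
    move) move_ldap_db "$2" ;;
    *)
        # Constructed sample export, not from a real server.
        printf '%s\n' 'dn: olcDatabase={1}mdb,cn=config' \
                      'olcDbDirectory: /var/lib/ldap' '' \
                      'dn: olcDatabase={2}mdb,cn=config' \
                      'olcDbDirectory: /var/lib/ldap/accesslog' |
            rewrite_olc_db_directory /var/lib/ldap /srv/ldap
        ;;
esac
```

Run it as-is to see the rewrite on the constructed sample; the consistency check is the part worth keeping even if you do the rest by hand, since an unchanged or half-rewritten export imported into an emptied slapd.d leaves you with no working configuration.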
I read your question in two parts:
- You want to have the OS be read-only while preserving write access to the LDAP data
- As a solution for #1, you propose storing the LDAP data in a location other than /var/lib/ldap
While I suspect #2 is possible, I don't have enough direct experience with OpenLDAP to address that directly. What I can do is suggest an alternative solution for #1. It's trivial to mount a different disk partition at /var/lib/ldap, both through the mount command and through fstab. This should effectively accomplish your goal, whether or not OpenLDAP handles this natively. You might also be able to replace the /var/lib/ldap folder with a symlink to the desired location. Again, this bypasses OpenLDAP and any support that is or is not built into that project.
Finally, you should also think about preserving write access for certain log areas. The techniques in the paragraph above can work for moving log file locations, too.
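The mount-based layout this answer suggests, as an added example (not the answerer's own configuration): a read-only root, one writable data partition, and bind mounts that put both the LDAP database and the log directory on it. The device names (LABEL=root, the data device) and /data are assumed placeholders; the script prints the fstab records rather than writing /etc/fstab, and includes the ordering check that matters with bind mounts.

```sh
#!/bin/sh
# Added example, not from the original answer. Generates the /etc/fstab entries
# for the mount-based approach: a read-only root, a separate writable data
# partition, and bind mounts that put the LDAP database and the log directory
# on it. Device names (LABEL=root, the data device) and /data are assumed
# placeholders; the output is printed, not written to /etc/fstab.
set -eu

# One fstab record: device, mount point, fs type, options, dump, pass.
fstab_line() {
    printf '%s\t%s\t%s\t%s\t0\t%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Bind a subdirectory of the data partition onto a system path. nodev, nosuid
# and noexec cost nothing on a database or log directory and limit what write
# access there is worth to an attacker. Older mount(8) versions ignore extra
# flags on a bind mount's first mount and need a remount; recent ones apply
# them directly (assumed here).
bind_line() {
    fstab_line "$1" "$2" none "bind,nodev,nosuid,noexec" 0
}

# Root read-only, data partition writable, then the two binds.
ldap_fstab() {
    fstab_line LABEL=root / ext4 "ro,errors=remount-ro" 1
    fstab_line "$1" /data ext4 "defaults,nodev,nosuid,noexec" 2
    bind_line /data/ldap /var/lib/ldap
    bind_line /data/log /var/log
}

# fstab is processed top to bottom: a bind whose source sits on /data must come
# after the /data line, or boot binds an empty directory over /var/lib/ldap.
# Reads fstab records on stdin; succeeds only if every bind source has an
# earlier mount point as its parent.
binds_after_parent() {
    seen=""
    while read -r src mnt _fstype opts _rest; do
        case ",$opts," in
        *,bind,*)
            ok=1
            for m in $seen; do
                case "$src" in "$m"/*) ok=0 ;; esac
            done
            [ "$ok" -eq 0 ] || return 1
            ;;
        esac
        seen="$seen $mnt"
    done
    return 0
}

ldap_fstab LABEL=data | binds_after_parent || { echo "bad mount order" >&2; exit 1; }
ldap_fstab LABEL=data
```

Whatever you choose here, the slapd service still needs the directory present and owned by its user at start-up; with a separate partition that is the data partition's top-level directories, so create and chown /data/ldap and /data/log once on the data disk, not on the read-only root.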
I've done this successfully and used it in AWS to retain my data when I have to refresh the machine image. If you've rebuilt OpenLDAP with the slaptest -f slapd.conf -F slapd.d command (yes, we're still using the old way of config, but running it with slapd.d; I'm working on it), then really all you have to do is modify the directory location in the database configuration section of slapd.conf:
    directory /data/ldap
Create the DB_CONFIG file (chown to ldap:ldap) in /data/ldap because LDAP will yell if it's not there.
Once you run the slaptest command (slaptest -f slapd.conf -F slapd.d), your DB will be created there.
You'll probably need to chown -R ldap:ldap /data and /etc/openldap once you're done with the slaptest command.
If this is successful, your DB or DBs will be located in /data/ldap.
Save your slapd.conf file on your external partition so you can import it back when you set up another server.
When you need to spin up another server, import the slapd.conf file and run the slaptest command. You'll have to chown -R ldap:ldap to /data and /etc/openldap again, but when you start OpenLDAP, it should pick up the DBs on the external partition.
This is a solution in flux right now, but it's serving us well in standing up OpenLDAP in the cloud. We will obviously streamline this awkward process. We'll script all the things, maybe move /etc/openldap to a symlinked external drive, and modify the slapd.d with LDIFs only instead of relying on the deprecated slapd.conf, but for now it's working fine.