Backing Up 389 LDAP

We use 389 LDAP + sssd to handle logins on our research computing cluster at ILRI; users and groups live in 389 and the computing and storage nodes authenticate and do uid/gid lookups using sssd. It’s a really nice setup and Red Hat has done a great job making sure the whole stack works well together. Backing up a running 389 LDAP instance, however, is not obvious (to me at least).

Obviously (to me at least) you can’t just copy the data directories, as there’s no way to guarantee a consistent copy if the server is running. There are several scripts for this purpose which are packaged with 389, but it’s a bit confusing how to use them. For example, there are both bash and perl versions of the database backup tool (db2bak and db2bak.pl, respectively). I eventually learned that the bash one is for offline backups, while the perl one is for online backups.

In any case, I’m not an LDAP admin, so I don’t know the ins and outs of all this stuff; I just wanted to have a backup in case (fire|lion|nelson|dog)!

389_backup.sh

Luckily, I found this gem on the 389 mailing list and it does the job, 389_backup.sh:

#!/usr/bin/env bash

# Back up every 389 instance on this host; each instance has its own
# /etc/dirsrv/slapd-<name> directory.
for dirsrv in /etc/dirsrv/slapd-*
do
   name=${dirsrv/*slapd-/}
   vardir=/var/lib/dirsrv/slapd-${name}

   # The helper scripts live in different places depending on the 389
   # version and architecture; pick whichever exists, and skip the
   # instance if none does rather than running "/db2bak.pl".
   scriptdir=
   [ -d /var/lib/dirsrv/scripts-${name} ] && scriptdir=/var/lib/dirsrv/scripts-${name}
   [ -d /usr/lib64/dirsrv/slapd-${name} ] && scriptdir=/usr/lib64/dirsrv/slapd-${name}
   [ -d /usr/lib/dirsrv/slapd-${name} ] && scriptdir=/usr/lib/dirsrv/slapd-${name}
   [ -n "${scriptdir}" ] || { echo "no script directory found for ${name}" >&2; continue; }

   # Online database backup with the perl tool (the bash db2bak needs the
   # server stopped). The Directory Manager password is passed with -w, so
   # it sits in this file and is visible in the process list while the tool
   # runs; keep the script readable by root only (db2bak.pl also accepts
   # -j <file> to read the password from a file instead).
   ${scriptdir}/db2bak.pl -D 'cn=Directory Manager' -w 'I<3Pizza' -a ${vardir}/bak/${name}-$(date +%Y_%m_%d_%H_%M_%S) > /dev/null
   # Drop backups whose modification time is older than 240 hours (10 days).
   /usr/sbin/tmpwatch -mM 240 ${vardir}/bak

   # Also export each database to LDIF under ${vardir}/ldif, and prune
   # those on the same schedule.
   dbdir=${vardir}/db
   for dbentry in ${dbdir}/*
   do
      if [ -d ${dbentry} ]
      then
         dbname=$(basename ${dbentry})
         ${scriptdir}/db2ldif -n ${dbname} > /dev/null
      fi
   done
   /usr/sbin/tmpwatch -mM 240 ${vardir}/ldif
done

As you can see, it uses the perl version of the backup tool, so it can be used while the LDAP server is up and running.

Success

After running this once a day in root’s crontab for a while, I have the following:

# ls -l /var/lib/dirsrv/slapd-mjanja/bak/
total 44
drwx------. 4 nobody nobody 4096 Aug 25 18:00 mjanja-2013_08_25_18_00_01
drwx------. 4 nobody nobody 4096 Aug 26 18:00 mjanja-2013_08_26_18_00_01
drwx------. 4 nobody nobody 4096 Aug 27 18:00 mjanja-2013_08_27_18_00_01
drwx------. 4 nobody nobody 4096 Aug 28 18:00 mjanja-2013_08_28_18_00_01
drwx------. 4 nobody nobody 4096 Aug 29 18:00 mjanja-2013_08_29_18_00_01
drwx------. 4 nobody nobody 4096 Aug 30 18:00 mjanja-2013_08_30_18_00_01
drwx------. 4 nobody nobody 4096 Aug 31 18:00 mjanja-2013_08_31_18_00_01
drwx------. 4 nobody nobody 4096 Sep  1 18:00 mjanja-2013_09_01_18_00_01
drwx------. 4 nobody nobody 4096 Sep  2 18:00 mjanja-2013_09_02_18_00_01
drwx------. 4 nobody nobody 4096 Sep  3 18:00 mjanja-2013_09_03_18_00_01
drwx------. 4 nobody nobody 4096 Sep  4 18:00 mjanja-2013_09_04_18_00_01

The tmpwatch calls in the script automatically remove backups and LDIF exports whose modification time is older than 10 days (the “240” hours in the script above).
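A backup job that silently stops running is worse than none, so it is worth checking the bak/ directory from monitoring rather than trusting the crontab. The script below is an added example, not part of the original post or of 389-ds: it finds the newest backup directory by its embedded timestamp (the same naming scheme as above), confirms it is younger than a given number of hours, and confirms it is not empty. The instance path, the 25-hour limit and the non-empty heuristic are assumptions for illustration; `stat -c %Y` is the GNU form.

```shell
#!/usr/bin/env bash
# check_389_backup.sh (hypothetical helper, not from 389-ds): sanity-check
# the backups written by 389_backup.sh so a broken cron job is noticed.

# Print the name of the newest backup directory in $1, or nothing if there
# is none. Names end in a zero-padded YYYY_MM_DD_HH_MM_SS stamp, so a plain
# lexical sort puts the newest last.
newest_backup() {
    local bakdir=$1
    ls -1 "$bakdir" 2>/dev/null | grep -E -- '-[0-9]{4}(_[0-9]{2}){5}$' | sort | tail -n 1
}

# Age of $1 in whole hours, taken from its modification time (GNU stat).
age_hours() {
    local now mtime
    now=$(date +%s)
    mtime=$(stat -c %Y "$1")
    echo $(( (now - mtime) / 3600 ))
}

# check_backup BAKDIR MAX_HOURS
# Exit status 0 when the newest backup is younger than MAX_HOURS and contains
# at least one file; 1 otherwise, with the reason on stderr.
check_backup() {
    local bakdir=$1 max_hours=$2 newest age
    newest=$(newest_backup "$bakdir")
    if [ -z "$newest" ]; then
        echo "no backup directories found in $bakdir" >&2
        return 1
    fi
    age=$(age_hours "$bakdir/$newest")
    if [ "$age" -ge "$max_hours" ]; then
        echo "newest backup $newest is ${age}h old (limit ${max_hours}h)" >&2
        return 1
    fi
    # db2bak.pl fills the directory with database files; an empty directory
    # means the backup was started but never written (assumed heuristic).
    if [ -z "$(ls -A "$bakdir/$newest")" ]; then
        echo "newest backup $newest is empty" >&2
        return 1
    fi
    echo "ok: $newest is ${age}h old"
    return 0
}

# Usage: check_389_backup.sh /var/lib/dirsrv/slapd-mjanja/bak 25
# (a daily cron job should always leave a backup younger than 25 hours).
if [ $# -gt 0 ]; then
    check_backup "$1" "${2:-25}"
fi
```

Run it from cron or a monitoring agent and alert on a non-zero exit status; the threshold should be a little more than the backup interval so a job that runs a few minutes late does not page anyone.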