6.2. Exporting Data
LDAP Data Interchange Format (LDIF) files are used to export database entries from the Directory Server databases. LDIF is a standard format described in RFC 2849.
Note
The export operations do not export the configuration information (cn=config), schema information (cn=schema), or monitoring information (cn=monitor).
Exporting data can be useful for the following:
- Backing up the data in the database.
- Copying data to another Directory Server.
- Exporting data to another application.
- Repopulating databases after a change to the directory topology. For example, if a directory contains one database, and its contents should be split into two databases, then the two new databases receive their data by exporting the contents of the old database and importing it into the two new databases, as illustrated in Figure 6.1, “Splitting a Database Contents into Two Databases”.
Figure 6.1. Splitting a Database Contents into Two Databases
Warning
Do not stop the server during an export operation.
Directory Server runs the export operations as the dirsrv user. Therefore, the permissions of the destination directory must allow this user to write the file.
6.2.1. Exporting Data into an LDIF File Using the Command Line
Directory Server supports exporting data while the instance is running or while the instance is offline:
- Use one of the following methods if the instance is running:
  - Use the dsconf backend export command. See Section 6.2.1.1.1, “Exporting a Database Using the dsconf backend export Command”.
  - Create a cn=tasks entry. See Section 6.2.1.1.2, “Exporting a Database Using a cn=tasks Entry”.
- If the instance is offline, use the dsctl db2ldif command. See Section 6.2.1.2, “Exporting a Database While the Server is Offline”.
Important
Do not export LDIF files to the /tmp or /var/tmp/ directories, for the following reasons:
- Directory Server uses the PrivateTmp feature of systemd by default. If you place LDIF files into the /tmp or /var/tmp/ system directory, Directory Server does not see these LDIF files during import. For more information about PrivateTmp, see the systemd.exec(5) man page.
- LDIF files often contain sensitive data, such as user passwords. Therefore, you must not use temporary system directories to store these files.
6.2.1.1. Exporting a Database While the Server is Running
6.2.1.1.1. Exporting a Database Using the dsconf backend export Command
Use the dsconf backend export command to automatically create a task that exports data to an LDIF file.
For example, to export the userRoot database:
# dsconf -D "cn=Directory Manager" ldap://server.example.com backend export userRoot
The export task has finished successfully
By default, dsconf stores the export in a file called instance_name_database_name-time_stamp.ldif in the /var/lib/dirsrv/slapd-instance_name/export/ directory. Alternatively, add the -l file_name option to the command to specify a different location.
The dsconf backend export command supports additional options, for example, to exclude a specific suffix. To display all available options, enter:
# dsconf ldap://server.example.com backend export --help
6.2.1.1.2. Exporting a Database Using a cn=tasks Entry
The cn=tasks,cn=config entry in the Directory Server configuration is a container entry for temporary entries the server uses to manage tasks. To initiate an export operation, create a task in the cn=export,cn=tasks,cn=config entry.
Using a task entry enables you to export data while the server is running.
An export task entry requires the following attributes:
- cn: Sets the unique name of the task.
- nsInstance: Sets the name of the database to export.
- nsFilename: Sets the name of the file into which the export should be stored.
Export tasks support additional parameters, for example, to exclude suffixes. For a complete list, see the cn=export section in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to add a task that exports the content of the userRoot database into the /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif file:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: cn=example_export,cn=export,cn=tasks,cn=config
changetype: add
objectclass: extensibleObject
cn: example_export
nsInstance: userRoot
nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
When the task is completed, the entry is removed from the directory configuration.
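As an added example (not code from the Red Hat documentation or from Directory Server itself), the following Python builds the LDIF for an export task entry with the three required attributes and refuses destinations under /tmp or /var/tmp, which the Important note in Section 6.2.1 rules out because of systemd PrivateTmp. The task cn naming and the `when` parameter are assumptions of this example.

```python
import os
import time

# Directories the Important note in Section 6.2.1 rules out: systemd PrivateTmp
# gives the server its own /tmp, so files placed there are invisible to it.
FORBIDDEN_DIRS = ("/tmp", "/var/tmp")


def export_path_is_allowed(path: str) -> bool:
    """Reject relative paths and anything that resolves below /tmp or /var/tmp."""
    if not os.path.isabs(path):
        return False
    real = os.path.normpath(path)  # folds "/tmp/../tmp/x" before the prefix test
    return not any(real == d or real.startswith(d + "/") for d in FORBIDDEN_DIRS)


def build_export_task(instance: str, database: str, directory: str, when=None) -> str:
    """Return LDIF for an entry under cn=export,cn=tasks,cn=config.

    The file name follows the instance_name_database_name-time_stamp.ldif
    pattern dsconf uses; `when` (epoch seconds) fixes the stamp for tests.
    """
    stamp = time.strftime("%Y_%m_%d_%H_%M_%S", time.gmtime(when))
    filename = os.path.join(directory, f"{instance}_{database}-{stamp}.ldif")
    if not export_path_is_allowed(filename):
        raise ValueError(f"refusing export destination {filename}")
    task_cn = f"export-{database}-{stamp}"  # hypothetical naming; must be unique
    return "\n".join([
        f"dn: cn={task_cn},cn=export,cn=tasks,cn=config",
        "changetype: add",
        "objectclass: extensibleObject",
        f"cn: {task_cn}",
        f"nsInstance: {database}",
        f"nsFilename: {filename}",
        "",
    ])
```

The returned text can be piped to ldapadd exactly as in the manual example above; the ValueError is the point at which a /tmp destination is caught before the task is ever created.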
6.2.1.2. Exporting a Database While the Server is Offline
If the server is offline when you export data, use the dsctl db2ldif command:
- Stop the instance:
# dsctl instance_name stop
- Export the database into an LDIF file. For example, to export the userRoot database into the /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif file:
# dsctl instance_name db2ldif userroot /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
OK group dirsrv exists
OK user dirsrv exists
ldiffile: /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
[18/Jul/2018:10:46:03.353656777 +0200] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[18/Jul/2018:10:46:03.383101305 +0200] - INFO - ldbm_back_ldbm2ldif - export userroot: Processed 160 entries (100%).
[18/Jul/2018:10:46:03.391553963 +0200] - INFO - dblayer_pre_close - All database threads now stopped
db2ldif successful
- Start the instance:
# dsctl instance_name start
6.2.2. Exporting a Suffix to an LDIF File Using the Web Console
To export a suffix using the web console:
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the menu.
- Select the suffix entry.
- Click and select Export Suffix.
- Enter the name of the LDIF file in which you want to store the export. Directory Server will store the file in the /var/lib/dirsrv/slapd-instance_name/ldif/ directory using the specified file name.
- Click.
6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members
You can configure members of a group to have permission to export data. This increases security because you no longer need to set the credentials of cn=Directory Manager in your scripts. Additionally, you can easily grant and revoke the export permissions by modifying the group.
6.2.3.1. Enabling a Group to Export Data
Use this procedure to add the cn=export_users,ou=groups,dc=example,dc=com group and enable members of this group to create export tasks.
Procedure
- Create the cn=export_users,ou=groups,dc=example,dc=com group:
# dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group create --cn export_users
- Add access control instructions (ACIs) that allow members of the cn=export_users,ou=groups,dc=example,dc=com group to create export tasks:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com
dn: cn=config
changetype: modify
add: aci
aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*") (version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
-
add: aci
aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir") (version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
- Create a user:
  - Create a user account:
# dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" user create --uid="example" --cn="example" --uidNumber="1000" --gidNumber="1000" --homeDirectory="/home/example/" --displayName="Example User"
  - Set a password on the user account:
# dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account reset_password "uid=example,ou=People,dc=example,dc=com" "password"
  - Add the uid=example,ou=People,dc=example,dc=com user to the cn=export_users,ou=groups,dc=example,dc=com group:
# dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group add_member export_users uid=example,ou=People,dc=example,dc=com
Verification
- Display the ACIs set on cn=config:
# ldapsearch -o ldif-wrap=no -LLLx -D "cn=Directory Manager" -W -H ldap://server.example.com -b cn=config aci=* aci -s base
dn: cn=config
aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")(version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")(version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
...
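The verification above shows the two ACIs as text; what an administrator usually wants to confirm is that the group received exactly the rights the procedure grants and nothing more (no write or delete on cn=config, for instance). The following Python is an added example, not code from the Red Hat documentation: it parses aci values of the simple shape used on this page from ldapsearch output (assumed to be printed with -o ldif-wrap=no, one value per line) and reports any rights beyond the expected set. The sample output is constructed from the two ACIs above.

```python
import re

# Constructed sample: the two aci values shown by the ldapsearch above, as
# printed with -o ldif-wrap=no (each value on a single line).
SAMPLE_ACI_OUTPUT = """\
dn: cn=config
aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")(version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")(version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
"""

# Matches only the (target)(targetattr)(version 3.0 ; acl ; allow|deny (rights) groupdn) shape above.
ACI_RE = re.compile(
    r'\(target\s*=\s*"(?P<target>[^"]+)"\)\s*'
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]+)"\)\s*'
    r'\(version 3\.0\s*;\s*acl\s*"(?P<acl>[^"]+)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]+)\)\s*'
    r'groupdn\s*=\s*"(?P<groupdn>[^"]+)"\s*;\s*\)'
)

# Rights the procedure in Section 6.2.3.1 grants; anything beyond these is excess.
EXPECTED = {
    "ldap:///cn=export,cn=tasks,cn=config": {"add", "read", "search"},
    "ldap:///cn=config": {"read", "search"},
}


def parse_acis(ldif_text: str) -> list:
    """Parse each 'aci:' line into a dict; rights become a set, targetattr a list."""
    acis = []
    for line in ldif_text.splitlines():
        if not line.startswith("aci:"):
            continue
        m = ACI_RE.search(line)
        if m is None:
            raise ValueError(f"unrecognised ACI syntax: {line}")
        d = m.groupdict()
        d["rights"] = {r.strip() for r in d["rights"].split(",")}
        d["targetattr"] = [a.strip() for a in d["targetattr"].split("||")]
        acis.append(d)
    return acis


def excess_rights(acis: list, group: str) -> dict:
    """Rights allowed to `group` beyond EXPECTED, keyed by target ({} when least privilege holds)."""
    findings = {}
    for aci in acis:
        if aci["effect"] != "allow" or aci["groupdn"] != group:
            continue
        extra = aci["rights"] - EXPECTED.get(aci["target"], set())
        if extra:
            findings[aci["target"]] = extra
    return findings
```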
6.2.3.2. Performing an Export as a Regular User
You can perform exports as a regular user instead of cn=Directory Manager.
Prerequisites
- You enabled members of the cn=export_users,ou=groups,dc=example,dc=com group to export data. See Section 6.2.3.1, “Enabling a Group to Export Data”.
- The user you use to perform the export is a member of the cn=export_users,ou=groups,dc=example,dc=com group.
Procedure
- Create an export task using one of the following methods:
  - Using the dsconf backend export command:
# dsconf -D "uid=example,ou=People,dc=example,dc=com" ldap://server.example.com backend export userRoot
  - By manually creating the task:
# ldapadd -D "uid=example,ou=People,dc=example,dc=com" -W -H ldap://server.example.com
dn: cn=userRoot-2021_07_23_12:55_00,cn=export,cn=tasks,cn=config
changetype: add
objectClass: extensibleObject
nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/None-userroot-2021_07_23_12:55_00.ldif
nsInstance: userRoot
cn: export-2021_07_23_12:55_00
Verification
- Verify that the export file was created:
# ls -l /var/lib/dirsrv/slapd-instance_name/ldif/*.ldif
total 0
-rw-------. 1 dirsrv dirsrv 10306 Jul 23 12:55 None-userroot-2021_07_23_12_55_00.ldif
...
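The Important note in Section 6.2.1 warns that exports often contain user passwords, and the ls -l output above shows the file created with mode 0600 and owned by dirsrv. The following Python is an added example, not code from the Red Hat documentation: it reports which entries in an exported LDIF carry sensitive attributes (handling LDIF line folding and the base64 "attr::" form) and checks that a file mode grants nothing to group or other. The sample LDIF and the set of attributes treated as sensitive are constructed assumptions of this example.

```python
import base64
import stat

# Constructed sample export (not real data): a hashed password, a base64
# "attr::" value, and a folded line (newline plus one space marks the fold).
SAMPLE_LDIF = """\
dn: uid=example,ou=People,dc=example,dc=com
uid: example
userPassword: {SSHA512}constructed-placeholder-not-a-real-hash
cn: Example
  User

dn: uid=other,ou=People,dc=example,dc=com
userPassword:: c2VjcmV0
"""

SENSITIVE_ATTRS = {"userpassword"}  # assumption; extend for your schema


def unfold(text: str) -> list:
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def sensitive_entries(text: str) -> dict:
    """Map each entry DN to the sensitive attributes it carries ({} if none)."""
    found, dn = {}, None
    for line in unfold(text):
        if not line:            # a blank line ends the current entry
            dn = None
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        attr = attr.strip().lower()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr == "dn":
            dn = value.strip()
        elif attr in SENSITIVE_ATTRS and dn:
            found.setdefault(dn, []).append(attr)
    return found


def mode_is_private(st_mode: int) -> bool:
    """True when group and other have no bits, like the 0600 (-rw-------) in ls -l above."""
    return stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Passing `os.stat(path).st_mode` of a real export file to mode_is_private gives the same check the ls -l verification performs by eye.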