Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

6.2. Exporting Data

LDAP Data Interchange Format (LDIF) files are used to export database entries from the Directory Server databases. LDIF is a standard format described in RFC 2849.

Note

The export operations do not export the configuration information (cn=config), schema information (cn=schema), or monitoring information (cn=monitor).
Exporting data can be useful for the following:
  • Backing up the data in the database.
  • Copying data to another Directory Server.
  • Exporting data to another application.
  • Repopulating databases after a change to the directory topology.
    For example, if a directory contains one database, and its contents should be split into two databases, then the two new databases receive their data by exporting the contents of the old databases and importing it into the two new databases, as illustrated in Figure 6.1, “Splitting a Database Contents into Two Databases”.
    Splitting a Database Contents into Two Databases
    View larger image
    Splitting a Database Contents into Two Databases

    Figure 6.1. Splitting a Database Contents into Two Databases

Warning

Do not stop the server during an export operation.
Directory Server runs the export operations as the dirsrv user. Therefore, the permissions of the destination directory must allow this user to write the file.
Directory Server supports exporting data while the instance is running or while the instance is offline:

Important

Do not export LDIF files to the /tmp or /var/tmp/ directories because of the following reasons:
  • Directory Server uses PrivateTmp feature of systemd by default. If you place LDIF files into the /tmp or /var/tmp/ system directory, Directory Server does not see these LDIF files during import. For more information about PrivateTmp, see systemd.exec(5) man page.
  • LDIF files often contain sensitive data, such as user passwords. Therefore, you must not use temporary system directories to store these files.
Use the dsconf backend export command to automatically create a task that exports data to an LDIF file.
For example, to export the userRoot database: 
# dsconf -D "cn=Directory Manager" ldap://server.example.com backend export userRoot
The export task has finished successfully
Copy to Clipboard Toggle word wrap
By default, dsconf stores the export in a file called instance_name_database_name-time_stamp.ldif in the /var/lib/dirsrv/slapd-instance_name/export/ directory. Alternatively, add the -l file_name option to the command to specify a different location.
The dsconf backend export command supports additional options, for example, to exclude a specific suffix. To display all available options, enter: 
# dsconf ldap://server.example.com backend export --help
Copy to Clipboard Toggle word wrap
The cn=tasks,cn=config entry in the Directory Server configuration is a container entry for temporary entries the server uses to manage tasks. To initiate an export operation, create a task in the cn=export,cn=tasks,cn=config entry.
Using a task entry enables you to export data while the server is running.
An export task entry requires the following attributes:
  • cn: Sets the unique name of the task.
  • nsInstance: Sets the name of the database to export.
  • nsFilename: Sets the name of the file into which the export should be stored.
Export tasks support additional parameters, for example, to exclude suffixes. For a complete list, see the cn=export section in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to add a task that exports the content of the userRoot database into the /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif file: 
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x

dn: cn=example_export,cn=export,cn=tasks,cn=config
changetype: add
objectclass: extensibleObject
cn: example_export
nsInstance: userRoot
nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
Copy to Clipboard Toggle word wrap
When the task is completed, the entry is removed from the directory configuration.
If the server is offline when you export data, use the dsctl db2ldif command:
  1. Stop the instance: 
    # dsctl instance_name stop
    Copy to Clipboard Toggle word wrap
  2. Export the database into an LDIF file. For example to export the userRoot database into the /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif file: 
    # dsctl instance_name db2ldif userroot /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif 
OK group dirsrv exists
OK user dirsrv exists
ldiffile: /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
[18/Jul/2018:10:46:03.353656777 +0200] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[18/Jul/2018:10:46:03.383101305 +0200] - INFO - ldbm_back_ldbm2ldif - export userroot: Processed 160 entries (100%).
[18/Jul/2018:10:46:03.391553963 +0200] - INFO - dblayer_pre_close - All database threads now stopped
db2ldif successful
    Copy to Clipboard Toggle word wrap
  3. Start the instance: 
    # dsctl instance_name start
    Copy to Clipboard Toggle word wrap
To export a suffix using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Database menu.
  4. Select the suffix entry.
  5. Click Suffix Tasks, and select Export Suffix.
  6. Enter the name of the LDIF file in which you want to store the export. Directory Server will store the file in the /var/lib/dirsrv/slapd-instance_name/ldif/ directory using the specified file name.
    View larger image
  7. Click Export Database.
You can configure that members of a group have permissions to export data. This increases the security because you no longer need to set the credentials of cn=Directory Manager in your scripts. Additionally, you can easily grant and revoke the export permissions by modifying the group.

6.2.3.1. Enabling a Group to Export Data
Copy link

Use this procedure to add the cn=export_users,ou=groups,dc=example,dc=com group and enable members of this group to create export tasks.

Procedure

  1. Create the cn=export_users,ou=groups,dc=example,dc=com group: 
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group create --cn export_users
    Copy to Clipboard Toggle word wrap
  2. Add access control instructions (ACI) that allows members of the cn=export_users,ou=groups,dc=example,dc=com group to create export tasks: 
    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com

dn: cn=config
changetype: modify
add: aci
aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")
 (version 3.0 ; acl "permission: Allow export_users
  group to export data" ; allow (add, read, search) groupdn
  = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
-
add: aci
aci: (target = "ldap:///cn=config")(targetattr =
  "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")
 (version 3.0 ; acl "permission: Allow export_users
  group to access ldifdir attribute" ; allow
  (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
    Copy to Clipboard Toggle word wrap
  3. Create a user:
    1. Create a user account: 
      # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" user create --uid="example" --cn="example" --uidNumber="1000" --gidNumber="1000" --homeDirectory="/home/example/" --displayName="Example User"
      Copy to Clipboard Toggle word wrap
    2. Set a password on the user account: 
      # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account reset_password "uid=example,ou=People,dc=example,dc=com" "password"
      Copy to Clipboard Toggle word wrap
  4. Add the uid=example,ou=People,dc=example,dc=com user to the cn=export_users,ou=groups,dc=example,dc=com group: 
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group add_member export_users uid=example,ou=People,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

Verification

  • Display the ACIs set on the cn=config: 
    # ldapsearch -o ldif-wrap=no -LLLx -D "cn=Directory Manager" -W -H ldap://server.example.com -b cn=config aci=* aci -s base
dn: cn=config
aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")(version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")(version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
...
    Copy to Clipboard Toggle word wrap

6.2.3.2. Performing an Export as a Regular User
Copy link

You can perform exports as a regular user instead of cn=Directory Manager.

Prerequisites

Procedure

  • Create a export task using one of the following methods:
    • Using the dsconf backend export command: 
      # dsconf -D "uid=example,ou=People,dc=example,dc=com" ldap://server.example.com backend export userRoot
      Copy to Clipboard Toggle word wrap
    • By manually creating the task: 
      # ldapadd -D "uid=example,ou=People,dc=example,dc=com" -W -H ldap://server.example.com

dn: cn=userRoot-2021_07_23_12:55_00,cn=export,cn=tasks,cn=config
changetype: add
objectClass: extensibleObject
nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/None-userroot-2021_07_23_12:55_00.ldif
nsInstance: userRoot
cn: export-2021_07_23_12:55_00
      Copy to Clipboard Toggle word wrap

Verification

  • Verify that the backup was created: 
    # ls -l /var/lib/dirsrv/slapd-instance_name/ldif/*.ldif
total 0
-rw-------. 1 dirsrv dirsrv 10306 Jul 23 12:55 None-userroot-2021_07_23_12_55_00.ldif
...
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat