openldap/doc/guide/admin/maintenance.sdf

# $OpenLDAP$
# Copyright 2007-2020 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Maintenance

System Administration is all about maintenance, so it is only fair that we 
discuss how to correctly maintain an OpenLDAP deployment.


H2: Directory Backups

Backup strategies largely depend on the amount of change in the database
and how much of that change an administrator might be willing to lose in a 
catastrophic failure. There are two basic methods that can be used:

1. Backup the LMDB database itself

The LMDB database can be copied live using the mdb_copy command.  If the database
is a sparse file via the use of the "writemap" environment flag, the resulting
copy will be the actual size of the database rather than a sparse copy.

2. Periodically run slapcat and back up the LDIF file:

Slapcat can be run while slapd is active. However, one runs the risk of an
inconsistent database- not from the point of slapd, but from the point of
the applications using LDAP. For example, if a provisioning application
performed tasks that consisted of several LDAP operations, and the slapcat
took place concurrently with those operations, then there might be
inconsistencies in the LDAP database from the point of view of that
provisioning application and applications that depended on it. One must,
therefore, be convinced something like that won't happen. One way to do that
would be to put the database in read-only mode while performing the
slapcat. The other disadvantage of this approach is that the generated LDIF
files can be rather large and the accumulation of the day's backups could
add up to a substantial amount of space.

You can use {{slapcat}}(8) to generate an LDIF file for each of your {{slapd}}(8) 
back-mdb databases.

>    slapcat -f slapd.conf -b "dc=example,dc=com"

For back-mdb this command may be ran while slapd(8) is running.


H2: Checkpointing

MORE/TIDY

If you put "checkpoint 1024 5" in slapd.conf (to checkpoint after 1024kb or 5 minutes, 
for example), this does not checkpoint every 5 minutes as you may think. 
The explanation from Howard is:

'In OpenLDAP 2.1 and 2.2 the checkpoint directive acts as follows - *when there 
is a write operation*, and more than <check> minutes have occurred since the 
last checkpoint, perform the checkpoint. If more than <check> minutes pass after 
a write without any other write operations occurring, no checkpoint is performed, 
so it's possible to lose the last write that occurred.''

In other words, a write operation occurring less than "check" minutes after the 
last checkpoint will not be checkpointed until the next write occurs after "check" 
minutes have passed since the checkpoint.

This has been modified in 2.3 to indeed checkpoint every so often; in the meantime 
a workaround is to invoke "db_checkpoint" from a cron script every so often, say 5 minutes. 

H2: Migration

The simplest steps needed to migrate between versions or upgrade, depending on your deployment
type are:

.{{S: }}
^{{B: Stop the current server when convenient}}

.{{S: }}
+{{B: slapcat the current data out}}

.{{S: }}
+{{B: Clear out the current data directory (/usr/local/var/openldap-data/)}}

.{{S: }}
+{{B: Perform the software upgrades}}

.{{S: }}
+{{B: slapadd the exported data back into the directory}}

.{{S: }}
+{{B: Start the server}}

Obviously this doesn't cater for any complicated deployments like {{SECT: MirrorMode}} or {{SECT: N-Way Multi-Master}}, 
but following the above sections and using either commercial support or community support should help. Also check the
{{SECT: Troubleshooting}} section.