Menu Close
Settings Close

Language and Page Formatting Options

6.3. Backing up Directory Server

A backup in Directory Server contains, for example:
  • All database files including the data stored within these databases

    Note

    Directory Server does not support backing up individual databases.
  • The transaction logs
  • The Indices
In contrast to a backup, you can export data as described in Section 6.2, “Exporting Data”. Use the export feature to export specific data, such as a subtree, from a server in the LDAP Data Interchange Format (LDIF) format.

Warning

Do not stop the server during a backup operation.
Directory Server runs the backup task as the dirsrv user. Therefore, the permissions of the destination directory must allow this user to create files.

6.3.1. Backing up All Databases Using the Command Line

Directory Server supports backing up the databases while the instance is running or while the instance is offline:

Important

These methods only back up the databases. For details about backing up other important files, such as the configuration, see Section 6.3.3, “Backing up Configuration Files, the Certificate Database, and Custom Schema Files”.

6.3.1.1. Backing up All Databases While the Server is Running

6.3.1.1.1. Backing up All Databases Using the dsconf backup create Command
Use the dsconf backup create command to automatically create a task that backs up all databases.
# dsconf -D "cn=Directory Manager" ldap://server.example.com backup create
The backup create task has finished successfully
By default, dsconf stores the backup in a subdirectory called instance_name-time_stamp in the /var/lib/dirsrv/slapd-instance_name/bak/ directory. To specify a different location, append a directory name to the command.
6.3.1.1.2. Backing up All Databases Using a cn=tasks entry
The cn=tasks,cn=config entry in the Directory Server configuration is a container entry for temporary entries the server uses to manage tasks. To initiate a backup operation, create a task in the cn=backup,cn=tasks,cn=config entry.
Using a task entry enables you to backup the databases while the server is running.
A backup task entry requires the following attributes:
  • cn: Sets the unique name of the task.
  • nsDatabaseType: Sets the type of the database to back up. Directory Server supports only the ldbm database value in this attribute.
Backup tasks support additional parameters, for example, to specify a different destination directory as the default, /var/lib/dirsrv/slapd-instance_name/bak/. For a complete list, see the cn=backup section in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to backup all databases and store the archive in the default backup directory:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x

dn: cn=example_backup,cn=export,cn=tasks,cn=config
changetype: add
objectclass: extensibleObject
cn: example_backup
nsDatabaseType: ldbm database
If you not specify the nsArchiveDir attribute, the server stores the backup in a subdirectory called instance_name-time_stamp in the /var/lib/dirsrv/slapd-instance_name/bak/ directory.
When the task is completed, the entry is removed from the directory configuration.

6.3.1.2. Backing up All Databases While the Server is Offline

If the server is offline when you backup databases, use the dsctl db2bak command:
  1. Stop the instance:
    # dsctl instance_name stop
  2. Backup the database:
    # dsctl instance_name db2bak
    db2bak successful

    Note

    The dsctl db2bak command runs as the backup as the dirsrv user. Therefore, the permissions of the destination directory must allow this user to create files and directories.
    If you not append a destination directory to the command, the server stores the backup in a subdirectory called instance_name-time_stamp in the /var/lib/dirsrv/slapd-instance_name/bak/ directory.
  3. Start the instance:
    # dsctl instance_name start

6.3.2. Backup up all Databases Using the Web Console

To back up all databases of an instance using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Click the Actions button, and select Manage Backup.
  4. Click Create Backup.
  5. Enter a name for the backup, such as a time stamp to indicate the creation date and time of the backup.
  6. Click Create Backup.
The server stores the backup in a subdirectory with the name you entered in the /var/lib/dirsrv/slapd-instance_name/bak/ directory.

6.3.3. Backing up Configuration Files, the Certificate Database, and Custom Schema Files

The backup mechanism integrated into Directory Server backs up only the databases. However, there are additional files stored in the /etc/dirsrv/slapd-instance_name/ directory which are required to, for example, restore a instance on a different server after a hardware failure.

Note

Backing up the configuration directory is not supported in the web console.

Example 6.2. How to Back up the /etc/dirsrv/slapd-instance_name/ Directory

To back up the content of /etc/dirsrv/slapd-instance_name/, you can copy the directory or store it into an archive file. For example, to store the content of the /etc/dirsrv/slapd-instance_name/ directory in the /root/config_slapd-instance_name_time_stamp.tar.gz file:
# cd /etc/dirsrv/
# tar -zcvf /root/config_slapd-instance_name_$(date +%Y-%m-%d_%H-%M-%S).tar.gz slapd-instance_name/

Important

During the backup, do not update the certificate database. Otherwise, this database might not be consistent in the backup.

6.3.4. Enabling Members of a Group to Back up Directory Server and Performing the Backup as One of the Group Members

You can configure that members of a group have permissions to back up an instance and perform the backup. This increases the security because you no longer need to set the credentials of cn=Directory Manager in your backup script or cron jobs. Additionally, you can easily grant and revoke the backup permissions by modifying the group.

6.3.4.1. Enabling a Group to Back up Directory Server

Use this procedure to add the cn=backup_users,ou=groups,dc=example,dc=com group and enable members of this group to create backup tasks.

Procedure

  1. Create the cn=backup_users,ou=groups,dc=example,dc=com group:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group create --cn backup_users
  2. Add access control instructions (ACI) that allows members of the cn=backup_users,ou=groups,dc=example,dc=com group to create backup tasks:
    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com
    
    dn: cn=config
    changetype: modify
    add: aci
    aci: (target = "ldap:///cn=backup,cn=tasks,cn=config")(targetattr="*")
     (version 3.0 ; acl "permission: Allow backup_users
      group to create backup tasks" ; allow (add, read, search) groupdn
      = "ldap:///cn=backup_users,ou=groups,dc=example,dc=com";)
    -
    add: aci
    aci: (target = "ldap:///cn=config")(targetattr = "nsslapd-bakdir || objectClass")
     (version 3.0 ; acl "permission: Allow backup_users group
      to access bakdir attribute" ; allow (read,search) groupdn
      = "ldap:///cn=backup_users,ou=groups,dc=example,dc=com";)
  3. Create a user:
    1. Create a user account:
      # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" user create --uid="example" --cn="example" --uidNumber="1000" --gidNumber="1000" --homeDirectory="/home/example/" --displayName="Example User"
    2. Set a password on the user account:
      # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account reset_password "uid=example,ou=People,dc=example,dc=com" "password"
  4. Add the uid=example,ou=People,dc=example,dc=com user to the cn=backup_users,ou=groups,dc=example,dc=com group:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group add_member backup_users uid=example,ou=People,dc=example,dc=com

Verification

  • Display the ACIs set on the cn=config entry:
    # ldapsearch -o ldif-wrap=no -LLLx -D "cn=directory manager" -W -H ldap://server.example.com -b cn=config aci=* aci -s base
    dn: cn=config
    aci: (target = "ldap:///cn=backup,cn=tasks,cn=config")(targetattr="*")(version 3.0 ; acl "permission: Allow backup_users group to create backup tasks" ; allow (add, read, search) groupdn = "ldap:///cn=backup_users,ou=groups,dc=example,dc=com";)
    aci: (target = "ldap:///cn=config")(targetattr = "nsslapd-bakdir || objectClass")(version 3.0 ; acl "permission: Allow backup_users group to access bakdir attribute" ; allow (read,search) groupdn = "ldap:///cn=backup_users,ou=groups,dc=example,dc=com";)
    ...

6.3.4.2. Performing a Backup as a Regular User

You can perform backups as a regular user instead of cn=Directory Manager.

Prerequisites

Procedure

  • Create a backup task using one of the following methods:
    • Using the dsconf backup create command:
      # dsconf -D uid=example,ou=People,dc=example,dc=com ldap://server.example.com backup create
    • By manually creating the task:
      # ldapadd -D uid=example,ou=People,dc=example,dc=com -W -H ldap://server.example.com
      
      dn: cn=backup-2021_07_23_12:55_00,cn=backup,cn=tasks,cn=config
      changetype: add
      objectClass: extensibleObject
      nsarchivedir: /var/lib/dirsrv/slapd-instance_name/bak/backup-2021_07_23_12:55_00
      nsdatabasetype: ldbm database
      cn: backup-2021_07_23_12:55_00

Verification

  • Verify that the backup was created:
    # ls -l /var/lib/dirsrv/slapd-instance_name/bak/
    total 0
    drwx------. 3 dirsrv dirsrv 108 Jul 23 12:55 backup-2021_07_23_12_55_00
    ...