6.2. Exporting Data

LDAP Data Interchange Format (LDIF) files are used to export database entries from the Directory Server databases. LDIF is a standard format described in RFC 2849.

Note

The export operations do not export the configuration information (cn=config), schema information (cn=schema), or monitoring information (cn=monitor).

Exporting data can be useful for the following:
  • Backing up the data in the database.
  • Copying data to another Directory Server.
  • Exporting data to another application.
  • Repopulating databases after a change to the directory topology.
    For example, if a directory contains one database, and its contents should be split into two databases, then the two new databases receive their data by exporting the contents of the old databases and importing it into the two new databases, as illustrated in Figure 6.1, “Splitting a Database Contents into Two Databases”.
    Figure 6.1. Splitting a Database Contents into Two Databases

Warning

Do not stop the server during an export operation.
Directory Server runs the export operations as the dirsrv user. Therefore, the permissions of the destination directory must allow this user to write the file.

6.2.1. Exporting Data into an LDIF File Using the Command Line

Directory Server supports exporting data while the instance is running or while the instance is offline:

Important

Do not export LDIF files to the /tmp or /var/tmp/ directories for the following reasons:
  • Directory Server uses the PrivateTmp feature of systemd by default. If you place LDIF files into the /tmp or /var/tmp/ system directory, Directory Server does not see these LDIF files during import. For more information about PrivateTmp, see the systemd.exec(5) man page.
  • LDIF files often contain sensitive data, such as user passwords. Therefore, you must not use temporary system directories to store these files.

6.2.1.1. Exporting a Database While the Server is Running

6.2.1.1.1. Exporting a Database Using the dsconf backend export Command
Use the dsconf backend export command to automatically create a task that exports data to an LDIF file.
For example, to export the userRoot database:
# dsconf -D "cn=Directory Manager" ldap://server.example.com backend export userRoot
The export task has finished successfully
By default, dsconf stores the export in a file called instance_name_database_name-time_stamp.ldif in the /var/lib/dirsrv/slapd-instance_name/export/ directory. Alternatively, add the -l file_name option to the command to specify a different location.
The dsconf backend export command supports additional options, for example, to exclude a specific suffix. To display all available options, enter:
# dsconf ldap://server.example.com backend export --help
6.2.1.1.2. Exporting a Database Using a cn=tasks Entry
The cn=tasks,cn=config entry in the Directory Server configuration is a container entry for temporary entries the server uses to manage tasks. To initiate an export operation, create a task in the cn=export,cn=tasks,cn=config entry.
Using a task entry enables you to export data while the server is running.
An export task entry requires the following attributes:
  • cn: Sets the unique name of the task.
  • nsInstance: Sets the name of the database to export.
  • nsFilename: Sets the name of the file into which the export should be stored.
Export tasks support additional parameters, for example, to exclude suffixes. For a complete list, see the cn=export section in the Red Hat Directory Server Configuration, Command, and File Reference.
For example, to add a task that exports the content of the userRoot database into the /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif file:
# ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com -x

dn: cn=example_export,cn=export,cn=tasks,cn=config
changetype: add
objectclass: extensibleObject
cn: example_export
nsInstance: userRoot
nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
When the task is completed, the entry is removed from the directory configuration.
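Because the server signals completion by removing the task entry, a script that creates an export task should create the entry and then poll for its disappearance rather than return immediately. The following Python script is an added example and is not code from the Red Hat documentation; it shells out to the OpenLDAP ldapadd and ldapsearch clients used on this page and treats a base-scope search that returns LDAP result code 32 (noSuchObject) as "task finished". The host, bind DN, password file and output path in main are hypothetical values, and the same flow works whether the bind DN is cn=Directory Manager or a member of a group that has been granted the export ACIs described later in this chapter.

```python
"""Drive a Directory Server export through a cn=export,cn=tasks,cn=config entry.

Added example, not code from the Red Hat documentation. Host, bind DN,
password file, database and output path are parameters (hypothetical
values in main). Completion is detected the way the page describes it:
the server removes the task entry when the export is done.
"""
import subprocess
import sys
import time

TASK_CONTAINER = "cn=export,cn=tasks,cn=config"
# ldapsearch exits with the LDAP result code; 32 is noSuchObject, which a
# base-scope search on the task DN returns once the server has removed it.
LDAP_NO_SUCH_OBJECT = 32


def export_task_ldif(task_name, database, ldif_path):
    """Return (task DN, LDIF) for an export task with its three required attributes."""
    dn = "cn=%s,%s" % (task_name, TASK_CONTAINER)
    ldif = "\n".join([
        "dn: " + dn,
        "changetype: add",
        "objectclass: extensibleObject",
        "cn: " + task_name,
        "nsInstance: " + database,
        "nsFilename: " + ldif_path,
        "",
    ])
    return dn, ldif


def run_rc(cmd, stdin_text=None):
    """Run an LDAP client and return only its exit code; its output is not needed here."""
    proc = subprocess.run(cmd, input=stdin_text, text=True,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def wait_for_task_removal(dn, search_cmd, run=run_rc, interval=1.0,
                          max_polls=600, sleep=time.sleep):
    """Poll the task DN with a base-scope search requesting no attributes (1.1).

    Returns the number of polls it took. Exit 0 means the task entry still
    exists, 32 means the server removed it (export finished); anything else
    is an error. `run` and `sleep` are injectable so the logic can be tested
    without a directory server.
    """
    for polls in range(1, max_polls + 1):
        rc = run(search_cmd + ["-b", dn, "-s", "base", "1.1"])
        if rc == LDAP_NO_SUCH_OBJECT:
            return polls
        if rc != 0:
            raise RuntimeError("ldapsearch on %s failed with exit code %d" % (dn, rc))
        sleep(interval)
    raise TimeoutError("task %s still present after %d polls" % (dn, max_polls))


def run_export(host, bind_dn, passwd_file, database, ldif_path):
    """Create the task entry with ldapadd, then block until the server removes it."""
    task_name = time.strftime("export-%Y_%m_%d_%H_%M_%S")
    dn, ldif = export_task_ldif(task_name, database, ldif_path)
    # -y reads the bind password from a file, so it neither appears on the
    # command line nor has to be typed again for every poll.
    auth = ["-x", "-H", "ldap://" + host, "-D", bind_dn, "-y", passwd_file]
    rc = run_rc(["ldapadd"] + auth, stdin_text=ldif)
    if rc != 0:
        raise RuntimeError("ldapadd failed with exit code %d" % rc)
    polls = wait_for_task_removal(dn, ["ldapsearch", "-LLL"] + auth)
    return dn, polls


if __name__ == "__main__":
    # Hypothetical values; adjust host, bind DN, password file and instance name.
    HOST = "server.example.com"
    BIND_DN = "uid=example,ou=People,dc=example,dc=com"
    PASSWD_FILE = "/etc/dirsrv/export-user.pw"
    if len(sys.argv) != 2:
        sys.exit("usage: run_export.py /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif")
    task_dn, n = run_export(HOST, BIND_DN, PASSWD_FILE, "userRoot", sys.argv[1])
    print("%s finished after %d polls" % (task_dn, n))
```

The password file named with -y should be readable only by the account that runs the script; the export file itself is written by the server as the dirsrv user, as the Warning at the top of this section states, so the nsFilename path must be writable by that user, not by the caller.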

6.2.1.2. Exporting a Database While the Server is Offline

If the server is offline when you export data, use the dsctl db2ldif command:
  1. Stop the instance:
    # dsctl instance_name stop
  2. Export the database into an LDIF file. For example, to export the userRoot database into the /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif file:
    # dsctl instance_name db2ldif userroot /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
    OK group dirsrv exists
    OK user dirsrv exists
    ldiffile: /var/lib/dirsrv/slapd-instance_name/ldif/example.ldif
    [18/Jul/2018:10:46:03.353656777 +0200] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
    [18/Jul/2018:10:46:03.383101305 +0200] - INFO - ldbm_back_ldbm2ldif - export userroot: Processed 160 entries (100%).
    [18/Jul/2018:10:46:03.391553963 +0200] - INFO - dblayer_pre_close - All database threads now stopped
    db2ldif successful
  3. Start the instance:
    # dsctl instance_name start

6.2.2. Exporting a Suffix to an LDIF File Using the Web Console

To export a suffix using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Database menu.
  4. Select the suffix entry.
  5. Click Suffix Tasks, and select Export Suffix.
  6. Enter the name of the LDIF file in which you want to store the export. Directory Server will store the file in the /var/lib/dirsrv/slapd-instance_name/ldif/ directory using the specified file name.
  7. Click Export Database.

6.2.3. Enabling Members of a Group to Export Data and Performing the Export as One of the Group Members

You can grant the members of a group permission to export data. This increases security because you no longer need to store the credentials of cn=Directory Manager in your scripts. Additionally, you can easily grant and revoke the export permission by modifying the group membership.

6.2.3.1. Enabling a Group to Export Data

Use this procedure to add the cn=export_users,ou=groups,dc=example,dc=com group and enable members of this group to create export tasks.

Procedure

  1. Create the cn=export_users,ou=groups,dc=example,dc=com group:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group create --cn export_users
  2. Add access control instructions (ACIs) that allow members of the cn=export_users,ou=groups,dc=example,dc=com group to create export tasks:
    # ldapadd -D "cn=Directory Manager" -W -H ldap://server.example.com
    
    dn: cn=config
    changetype: modify
    add: aci
    aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")
     (version 3.0 ; acl "permission: Allow export_users
      group to export data" ; allow (add, read, search) groupdn
      = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
    -
    add: aci
    aci: (target = "ldap:///cn=config")(targetattr =
      "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")
     (version 3.0 ; acl "permission: Allow export_users
      group to access ldifdir attribute" ; allow
      (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
  3. Create a user:
    1. Create a user account:
      # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" user create --uid="example" --cn="example" --uidNumber="1000" --gidNumber="1000" --homeDirectory="/home/example/" --displayName="Example User"
    2. Set a password on the user account:
      # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" account reset_password "uid=example,ou=People,dc=example,dc=com" "password"
  4. Add the uid=example,ou=People,dc=example,dc=com user to the cn=export_users,ou=groups,dc=example,dc=com group:
    # dsidm -D "cn=Directory Manager" ldap://server.example.com -b "dc=example,dc=com" group add_member export_users uid=example,ou=People,dc=example,dc=com

Verification

  • Display the ACIs set on the cn=config:
    # ldapsearch -o ldif-wrap=no -LLLx -D "cn=Directory Manager" -W -H ldap://server.example.com -b cn=config aci=* aci -s base
    dn: cn=config
    aci: (target = "ldap:///cn=export,cn=tasks,cn=config")(targetattr="*")(version 3.0 ; acl "permission: Allow export_users group to export data" ; allow (add, read, search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
    aci: (target = "ldap:///cn=config")(targetattr = "objectclass || cn || nsslapd-suffix || nsslapd-ldifdir")(version 3.0 ; acl "permission: Allow export_users group to access ldifdir attribute" ; allow (read,search) groupdn = "ldap:///cn=export_users,ou=groups,dc=example,dc=com";)
    ...

6.2.3.2. Performing an Export as a Regular User

You can perform exports as a regular user instead of cn=Directory Manager.

Prerequisites

  • You enabled the members of a group to export data and added the user to that group. See Section 6.2.3.1, “Enabling a Group to Export Data”.

Procedure

  • Create an export task using one of the following methods:
    • Using the dsconf backend export command:
      # dsconf -D "uid=example,ou=People,dc=example,dc=com" ldap://server.example.com backend export userRoot
    • By manually creating the task:
      # ldapadd -D "uid=example,ou=People,dc=example,dc=com" -W -H ldap://server.example.com
      
      dn: cn=userRoot-2021_07_23_12:55_00,cn=export,cn=tasks,cn=config
      changetype: add
      objectClass: extensibleObject
      nsFilename: /var/lib/dirsrv/slapd-instance_name/ldif/None-userroot-2021_07_23_12:55_00.ldif
      nsInstance: userRoot
      cn: export-2021_07_23_12:55_00

Verification

  • Verify that the export file was created:
    # ls -l /var/lib/dirsrv/slapd-instance_name/ldif/*.ldif
    total 0
    -rw-------. 1 dirsrv dirsrv 10306 Jul 23 12:55 None-userroot-2021_07_23_12_55_00.ldif
    ...
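The ls output above shows what a correctly written export looks like on disk: mode 0600, owned by dirsrv. Since, as the Important note earlier in this section says, LDIF exports often contain user passwords, it is worth checking an export file for both properties before it is copied anywhere. The following Python script is an added example and not code from the Red Hat documentation: it parses the LDIF per RFC 2849 (folded continuation lines, base64 "::" values, comments), counts entries and attributes, flags password attributes, and verifies the file mode and owner. SAMPLE_LDIF is a constructed two-entry sample; the list of sensitive attribute names is the example's own starting point.

```python
"""Audit an LDIF file produced by a Directory Server export.

Added example, not code from the Red Hat documentation. Parses RFC 2849
LDIF, reports entry/attribute counts and password attributes, and checks
that the file is mode 0600 and owned by dirsrv. SAMPLE_LDIF is constructed.
"""
import base64
import os
import pwd
import stat
import sys

# Lower-cased attribute names that make an export sensitive (example's own list).
SENSITIVE_ATTRS = {"userpassword"}

SAMPLE_LDIF = """\
version: 1
# constructed sample, two entries
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: uid=example,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: example
cn: example
sn: example
description:: VGhpcyB2YWx1ZSBpcyBiYXNlNjQgZW5jb2RlZA==
userPassword: {PBKDF2_SHA256}constructed-hash-placeholder
displayName: Example User whose display name is folded
  across two LDIF lines
"""


def unfold(lines):
    """Join RFC 2849 continuation lines (one leading space) onto the line before."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> list of values."""
    entries, current = [], {}
    for line in unfold(text.splitlines()):
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):          # "attr:< URL": keep the reference
            value = value[1:].strip()
        else:
            value = value.lstrip(" ")
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def summarize(entries):
    """Count entries and attribute occurrences; list sensitive attributes present."""
    counts = {}
    for entry in entries:
        for attr in entry:
            if attr != "dn":
                counts[attr] = counts.get(attr, 0) + 1
    return {"entries": len(entries), "attributes": counts,
            "sensitive": sorted(a for a in counts if a in SENSITIVE_ATTRS)}


def check_permissions(mode, owner, expected_owner="dirsrv"):
    """Return findings; empty means no group/other access and the expected owner."""
    findings, perm = [], stat.S_IMODE(mode)
    if perm & 0o077:
        findings.append("group/other can access the file (mode %04o)" % perm)
    if owner != expected_owner:
        findings.append("owner is %s, expected %s" % (owner, expected_owner))
    return findings


def audit_file(path, expected_owner="dirsrv"):
    """Stat and parse one export file and return the combined report."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        report = summarize(parse_ldif(fh.read()))
    owner = pwd.getpwuid(st.st_uid).pw_name
    report["findings"] = check_permissions(st.st_mode, owner, expected_owner)
    return report


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("constructed sample:", summarize(parse_ldif(SAMPLE_LDIF)))
    for path in sys.argv[1:]:
        print(path, audit_file(path))
```

Run it as root or as dirsrv against the files in /var/lib/dirsrv/slapd-instance_name/ldif/; a non-empty findings list means the file should not leave the server as it is.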