How to: manually restore LDAP from backup

How to manually restore LDAP from backup on a single Server


  1. You need a LDAP backup as ldif (f.e. by using univention-ldap-backup)
  2. You need a backup of secret files of the time the ldap backup comes from! (If server_password_change was done meanwhile)

Note: All changes after the used backup will be lost!
Instead of deleting you can move the files if this feels more save for you.

Step 1

Before restoring the LDAP, please stop all LDAP and Samba related services with the following commands:

service slapd stop
service univention-directory-listener stop
service univention-directory-notifier stop
service univention-s4-connector stop
service samba stop

Step 2 (optional only if Samba AD is used)

If you use an Samba Active Directory it is essential to let Samba allocate the User SID while importing. To do so you have to set the Univention registry variable “sid_to_s4” to true by the following command:

ucr set --force connector/s4/mapping/sid_to_s4='true'

Step 3

Now delete the old LDAP and restore the configuration files from UCR

rm -r /var/lib/univention-ldap/ldap/*
ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG

Step 4

Check if you need a backup of the secret files by reading /var/log/univention/server_password_change.log if change took place between now and ldap backup.

If yes you need to copy the following files back out of the backup onto the server, replacing any existing files:


Step 5

Unpack and import the latest LDAP backup:

gzip -d /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif.gz
slapadd -l /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif
service  slapd start

Step 6

Empty the cache of the Univention Directory Listener:

rm -r /var/lib/univention-directory-listener/*

Step 7 (optional only if you use an old backup)

If you are using an older backup, you might have to reset the password of the UCS Master machine account with the following command:

udm computers/domaincontroller_master modify \
--binddn uid=Administrator,cn=users,$(ucr get ldap/base) \
--bindpwd <Administrator Passwort> \
--dn $(ucr get ldap/hostdn) \
--set password=$(cat /etc/machine.secret)

Step 8

Lastly, we have to reinitialize Samba/AD. You will have to edit the file

vi /usr/lib/univention-install/.index.txt

and remove any line starting with any of the following. Please note, that entries can occur more than once, but not all entries have to be present:


Step 9

Now, the directory listener and notifier can be restarted:

service univention-directory-notifier start
service univention-directory-listener start

Now go to the Univention Management Console. In the computer menu, select the UCS Master. Then go to “Advanced Settings” tab. In the service, section remove the entries for “Samba 4” and “S4 Connector” and save the changes.

Step 10

Execute the outstanding join scripts and commit all ucr files to restore Samba/AD and all changes done by LDAP policies

ucr commit

You should be back on old status; sync to samba may take a while.