How to: manually restore LDAP from backup

How to manually restore LDAP from backup on a single Server

Note 1:

You cannot migrate the LDAP from an older UCS version to a newer one!

Note 2:

This procedure is not suitable for resetting a server to a previous state. Only the LDAP information will be reset!
On systems with Samba, further adjustments are necessary afterwards.

Note 3:

If you have more DCs in your domain, all other servers need to join the domain again once this procedure is done.

Please check carefully whether this article applies to your situation, as this kind of “backup” is a quite special one. It suits, for example, the case where you have deleted an OU with all its subcomponents by mistake.

Environment

  1. You need an LDAP backup as LDIF (e.g. created with univention-ldap-backup)
  2. You need a backup of the secret files from the time the LDAP backup was taken! (if a server_password_change ran in the meantime)

Note: All changes made after the backup that is used will be lost!
Instead of deleting files, you can move them aside if that feels safer to you.

Step 1

Before restoring the LDAP, please stop all LDAP- and Samba-related services with the following commands:

service slapd stop
service univention-directory-listener stop
service univention-directory-notifier stop
service univention-s4-connector stop
service samba stop

Step 2 (optional, only if Samba AD is used)

If you use Samba Active Directory, it is essential to let Samba allocate the user SIDs during the import. To do so, set the Univention Configuration Registry variable connector/s4/mapping/sid_to_s4 to true with the following command:

ucr set --force connector/s4/mapping/sid_to_s4='true'

Step 3

Now delete the old LDAP database and regenerate its DB_CONFIG configuration file from UCR:

rm -r /var/lib/univention-ldap/ldap/*
ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG

Step 4

Check whether you need to restore the secret files: read /var/log/univention/server_password_change.log to see whether a password change took place between the time of the LDAP backup and now.

If so, copy the following files back from the backup onto the server, replacing any existing files:

/etc/backup-join.secret
/etc/idp-ldap-user.secret
/etc/ldap-backup.secret
/etc/ldap.secret
/etc/libnss-ldap.secret
/etc/listfilter.secret
/etc/machine.secret
/etc/pam_ldap.secret
/etc/slave-join.secret

Step 5

Unpack and import the latest LDAP backup:

gzip -d /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif.gz
slapadd -l /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif
service slapd start

Step 6

Empty the cache of the Univention Directory Listener:

rm -r /var/lib/univention-directory-listener/*

Step 7 (optional, only if you use an old backup)

If you are using an older backup, you might have to reset the password of the UCS Master machine account with the following command:

udm computers/domaincontroller_master modify \
--binddn "uid=Administrator,cn=users,$(ucr get ldap/base)" \
--bindpwd <Administrator password> \
--dn "$(ucr get ldap/hostdn)" \
--set "password=$(cat /etc/machine.secret)"

Step 8

Now we have to reinitialize Samba/AD. Edit the file

vi /usr/lib/univention-install/.index.txt

and remove every line starting with any of the following package names. Note that entries can occur more than once, and not all of them have to be present:

univention-samba4
libunivention-ldb-modules
univention-s4-connector
univention-samba4-dns

Step 9

Now, the directory listener and notifier can be restarted:

service univention-directory-notifier start
service univention-directory-listener start

Now go to the Univention Management Console. In the computer menu, select the UCS Master and open the “Advanced settings” tab. In the services section, remove the entries “Samba 4” and “S4 Connector” and save the changes.

Step 10

Execute the outstanding join scripts and commit all UCR-managed files to restore Samba/AD and all changes made by LDAP policies:

univention-run-join-scripts
ucr commit

You should now be back at the old state; synchronisation to Samba may take a while.
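The ten steps above, collected into one guarded shell script. This is an added example, not part of the original article or of UCS itself; it assumes the backup tree is mounted at $BACKUP_ROOT (default /mnt/backup), that the Administrator password is supplied in $ADMIN_PW, and that the operator exports USE_SAMBA_AD=yes when step 2 applies and OLD_BACKUP=yes when step 7 applies. The three helpers (newest dump lookup, secret-file copy with a destination prefix, and the .index.txt pruning of step 8) can be exercised against a temporary directory; the full restore only runs when RUN_RESTORE=yes is set, because it stops services and wipes the directory.

```shell
#!/bin/sh
# Added example (not from the article): the ten manual steps as one script.
# Assumed, not in the article: backup mounted at $BACKUP_ROOT, Administrator
# password in $ADMIN_PW, USE_SAMBA_AD=yes / OLD_BACKUP=yes set by the operator
# when step 2 / step 7 apply. The restore runs only with RUN_RESTORE=yes.
set -e

BACKUP_ROOT="${BACKUP_ROOT:-/mnt/backup}"
INDEX_FILE="${INDEX_FILE:-/usr/lib/univention-install/.index.txt}"
SECRET_FILES="/etc/backup-join.secret /etc/idp-ldap-user.secret
/etc/ldap-backup.secret /etc/ldap.secret /etc/libnss-ldap.secret
/etc/listfilter.secret /etc/machine.secret /etc/pam_ldap.secret
/etc/slave-join.secret"

# Step 5 helper: path of the newest ldap-backup_*.ldif.gz (by mtime) in a dir.
find_latest_backup() {
    ls -t "$1"/ldap-backup_*.ldif.gz 2>/dev/null | head -n 1
}

# Step 4 helper: copy the secret files present in the backup over the live
# ones, keeping their mode. $2 is a destination prefix (empty on the real
# system, a temp dir when testing). Prints the number of files copied.
restore_secrets() {
    root="$1"; dest="${2:-}"; copied=0
    for f in $SECRET_FILES; do
        if [ -f "$root$f" ]; then
            mkdir -p "$(dirname "$dest$f")"
            cp -p "$root$f" "$dest$f"
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Step 8 helper: drop every line of the join index that starts with one of the
# four package names (each may occur several times). Prints the count removed.
prune_index_file() {
    file="$1"; tmp="$file.tmp.$$"
    before=$(wc -l < "$file")
    grep -v -E '^(univention-samba4|libunivention-ldb-modules|univention-s4-connector|univention-samba4-dns)' \
        "$file" > "$tmp" || true   # grep exits 1 when no line survives
    after=$(wc -l < "$tmp")
    mv "$tmp" "$file"
    echo $((before - after))
}

restore_ldap() {
    gz=$(find_latest_backup "$BACKUP_ROOT/var/univention-backup")
    [ -n "$gz" ] || { echo "no ldap-backup_*.ldif.gz found" >&2; return 1; }

    # Step 1: stop everything that writes to or replicates the directory.
    for s in slapd univention-directory-listener univention-directory-notifier \
             univention-s4-connector samba; do service "$s" stop; done
    # Step 2: with Samba AD, let Samba allocate the SIDs on import.
    if [ "${USE_SAMBA_AD:-no}" = "yes" ]; then
        ucr set --force connector/s4/mapping/sid_to_s4='true'
    fi
    # Step 3: wipe the old database and regenerate DB_CONFIG from UCR.
    rm -r /var/lib/univention-ldap/ldap/*
    ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG
    # Step 4: secrets from the same point in time as the dump.
    echo "secret files restored: $(restore_secrets "$BACKUP_ROOT")"
    # Step 5: import the dump and bring slapd back.
    gzip -d "$gz"
    slapadd -l "${gz%.gz}"
    service slapd start
    # Step 6: the listener cache describes the old directory; discard it.
    rm -r /var/lib/univention-directory-listener/*
    # Step 7: with an old dump the machine account password may be stale.
    if [ "${OLD_BACKUP:-no}" = "yes" ]; then
        udm computers/domaincontroller_master modify \
            --binddn "uid=Administrator,cn=users,$(ucr get ldap/base)" \
            --bindpwd "$ADMIN_PW" --dn "$(ucr get ldap/hostdn)" \
            --set "password=$(cat /etc/machine.secret)"
    fi
    # Step 8: make the Samba/AD join scripts run again.
    echo "index lines removed: $(prune_index_file "$INDEX_FILE")"
    # Step 9: replication services back; the UMC service entries stay manual.
    service univention-directory-notifier start
    service univention-directory-listener start
    echo "now remove 'Samba 4' and 'S4 Connector' from the master's services in UMC" >&2
    # Step 10: re-run the pending join scripts and commit all UCR templates.
    univention-run-join-scripts
    ucr commit
}

if [ "${RUN_RESTORE:-no}" = "yes" ]; then restore_ldap; fi
```

Run it as root with RUN_RESTORE=yes (plus USE_SAMBA_AD / OLD_BACKUP / ADMIN_PW as needed) after the services have been checked; the step 9 UMC change is printed as a reminder rather than automated, since the article performs it in the web interface.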
