How to manually restore LDAP from backup on a single Server
- You need an LDAP backup as an LDIF file (e.g. created with univention-ldap-backup).
- You need a backup of the secret files from the time the LDAP backup was taken (if a server_password_change took place in the meantime)!
Note: All changes made after the backup that is used will be lost!
Instead of deleting the files you can move them if that feels safer to you.
Step 1
Before restoring the LDAP, please stop all LDAP and Samba related services with the following commands:
service slapd stop
service univention-directory-listener stop
service univention-directory-notifier stop
service univention-s4-connector stop
service samba stop
Step 2 (optional, only if Samba AD is used)
If you use a Samba Active Directory, it is essential to let Samba allocate the user SIDs during the import. To do so, set the Univention Configuration Registry (UCR) variable “connector/s4/mapping/sid_to_s4” to true with the following command:
ucr set --force connector/s4/mapping/sid_to_s4='true'
Step 3
Now delete the old LDAP database and restore its configuration file from UCR:
rm -r /var/lib/univention-ldap/ldap/*
ucr commit /var/lib/univention-ldap/ldap/DB_CONFIG
Step 4
Check whether you need the secret files from the backup by reading /var/log/univention/server_password_change.log: if a password change took place between the time of the LDAP backup and now, you do.
If yes, copy the following files back out of the backup onto the server, replacing any existing files:
/etc/backup-join.secret
/etc/idp-ldap-user.secret
/etc/ldap-backup.secret
/etc/ldap.secret
/etc/libnss-ldap.secret
/etc/listfilter.secret
/etc/machine.secret
/etc/pam_ldap.secret
/etc/slave-join.secret
Step 5
Unpack and import the latest LDAP backup:
gzip -d /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif.gz
slapadd -l /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif
service slapd start
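The two checks in the steps above (is the backup usable, and do the secret files still match it?) can be done before the old database is deleted. The following script is an added example and is not part of the original article or of UCS itself. It assumes the secret file names listed above, treats a secret file that is newer than the backup as a sign that the server password changed after the backup (the article reads server_password_change.log instead, which remains the authoritative source), and uses a placeholder backup path.

```shell
#!/bin/sh
# Pre-flight checks for an LDAP restore: added example, not part of the
# original article or of UCS itself. Run it BEFORE deleting the old
# database. Assumptions: the secret file names are the ones the article
# lists; a secret file newer than the backup is taken as a sign that the
# server password changed after the backup; the backup path is a placeholder.

# Secret files that must match the point in time of the LDAP backup.
SECRET_FILES="/etc/backup-join.secret /etc/idp-ldap-user.secret
/etc/ldap-backup.secret /etc/ldap.secret /etc/libnss-ldap.secret
/etc/listfilter.secret /etc/machine.secret /etc/pam_ldap.secret
/etc/slave-join.secret"

# ldif_entry_count FILE
# Print the number of entries (lines starting with "dn: ") in an LDIF
# file, plain or gzipped. Prints 0 and fails for a missing file.
ldif_entry_count() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo 0
        return 1
    fi
    case "$f" in
        *.gz) gzip -dc "$f" | grep -c '^dn: ' ;;
        *)    grep -c '^dn: ' "$f" ;;
    esac
}

# secrets_newer_than BACKUP [SECRET...]
# Print every secret file whose modification time is later than the
# backup's; defaults to SECRET_FILES. Returns 0 when none is newer
# (the secrets on disk still match the backup), 1 otherwise.
secrets_newer_than() {
    backup="$1"
    shift
    if [ $# -eq 0 ]; then
        set -- $SECRET_FILES
    fi
    newer=0
    for s in "$@"; do
        [ -f "$s" ] || continue
        if [ -n "$(find "$s" -newer "$backup" -print)" ]; then
            echo "$s"
            newer=1
        fi
    done
    return $newer
}

# preflight BACKUP
# Refuse to continue when the backup is unreadable or empty, and list
# the secret files that have to be restored from the backup as well.
preflight() {
    backup="$1"
    count=$(ldif_entry_count "$backup") || true
    if [ "$count" -eq 0 ]; then
        echo "refusing to restore: $backup is missing or contains no entries" >&2
        return 1
    fi
    echo "$backup contains $count entries"
    if newer=$(secrets_newer_than "$backup"); then
        echo "no secret file is newer than the backup"
    else
        echo "secret files changed after the backup; restore these from the backup too:"
        echo "$newer"
    fi
    return 0
}

# Usage (placeholder path):
#   sh preflight.sh /mnt/backup/var/univention-backup/ldap-backup_<DATE>.ldif.gz
if [ -n "${1:-}" ]; then
    preflight "$1"
fi
```

A refused pre-flight means the LDIF is missing or empty, which would otherwise only show up after the old database is already gone; a listed secret file means Step 4 is not optional for this restore.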
Step 6
Empty the cache of the Univention Directory Listener:
rm -r /var/lib/univention-directory-listener/*
Step 7 (optional, only if you use an old backup)
If you are using an older backup, you might have to reset the password of the UCS Master machine account with the following command:
udm computers/domaincontroller_master modify \
  --binddn uid=Administrator,cn=users,$(ucr get ldap/base) \
  --bindpwd <Administrator Password> \
  --dn $(ucr get ldap/hostdn) \
  --set password=$(cat /etc/machine.secret)
Step 8
Now we have to reinitialize Samba/AD. You will have to edit the file
and remove every line starting with one of the following. Please note that entries can occur more than once, and not all entries have to be present:
Step 9
Now the directory notifier and listener can be restarted:
service univention-directory-notifier start
service univention-directory-listener start
Step 10
Now go to the Univention Management Console. In the computer menu, select the UCS Master, then open the “Advanced Settings” tab. In the services section, remove the entries for “Samba 4” and “S4 Connector” and save the changes.
Step 11
Execute the outstanding join scripts and commit all UCR files to restore Samba/AD and all changes made by LDAP policies:
univention-run-join-scripts
ucr commit
You should now be back at the old state; synchronisation to Samba may take a while.