
RE: Delete contents of LDAP Database



Clemson, Chris (IHG) writes:
>> on a regular (possibly daily) basis I need to reimport
>> everything, and make sure that old entries are not lingering.
>> (...)
> Just after writing this, I seem to have found my answer with a properly
> crafted ldapdelete command:
>
> ldapdelete -x -D "cn=Manager,dc=emea,dc=corp,dc=local" -w password -r
> "dc=root,dc=com"

Actually that sounds like a bad solution to your problem.  Instead of
the search failing, your clients will receive wrong information until
you've rebuilt your database.  That is, they'll be told that some people
or users/groups or whatever you use your directory for, do not exist in
your organization.

At our site we instead run a diff-ldif script: It takes a full LDIF dump
of the current and the desired database, and produces an LDIF file which
can be fed to ldapmodify.  There are a few scripts like that around.  I
could attach ours, but it's old, tailored for our site, and uses gobs of
memory (for both LDIFs).  Try googling for a newer one first:-)

Anyway, an alternative if you use the cn=config database is to slapadd a
new database off-line and then point your running slapd's database
directory at it without taking down slapd.  That gives you an "atomic"
update of the database.  All your clients notice is a brief wait for all
outstanding operations to complete before the change can take place.

It's cumbersome though, unless someone can think of a simpler way:

Preparation:

- Put 'database config' in slapd.conf and a rootpw for it.  It has
  default rootdn cn=config.  See man slapd-config.

- If you have a DB_CONFIG file (you should), you may want to copy its
  contents to dbconfig directives in slapd.conf.  That way you won't
  need to copy the DB_CONFIG file around when you create a new database
  directory.

- Create a cn=config directory with slapd -f <slapd.conf file> -F <config
  directory>.  From now on start slapd with that -F instead of -f
  slapd.conf.  (Or if you prefer slapd.conf you can make its database
  'directory' directive refer to a symlink which you must keep updated
  to refer to the correct directory, or something like that.)

Replacing database contents:

- Make a new database directory where you'll build your new database.
  Copy DB_CONFIG if you didn't put it in dbconfig directives as above.

- Make a copy of your configuration, and modify it to use the new
  database directory.  Make sure it won't touch the running slapd's
  data, and that it won't do any replication or other magic.

- slapadd -F new-config -l new-data.ldif.
  Or if you are using overlays which you want to take effect while
  adding data: Start another slapd with arguments -F new-config -h
  ldapi://<URL-escaped private socket file for that slapd>. ldapadd -H
  <same ldapi URL> -f new-data.ldif.  Then stop that slapd.

- Finally you can ldapmodify attribute olcDbDirectory of entry
  olcDatabase={1}bdb,cn=config (assuming it's the first database) so it
  refers to your new database directory.  slapd closes the old database
  and opens the new one.  If using slapd.conf, update the directory
  symlink as mentioned above.

-- 
Hallvard
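The diff-ldif approach described in the message above, as an added example that is neither the poster's script nor an OpenLDAP tool: it parses two LDIF dumps (current and desired, e.g. from slapcat or ldapsearch) and emits an ldapmodify changefile, so clients never see a window in which the whole directory is empty. It assumes plain "attr: value" LDIF (no base64 "::" values, no folded continuation lines) and orders deletes leaves-first and adds parents-first so the result applies in one pass; the sample dumps are constructed.

```python
# Added example (not the poster's script): minimal diff-ldif for plain "attr: value" LDIF only.
from collections import defaultdict

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a blank-line separated LDIF dump."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):       # skip LDIF comments
                key, _, value = line.partition(": ")
                if key == "dn":
                    dn = value
                else:
                    attrs[key].append(value)
        if dn is not None:
            entries[dn] = dict(attrs)
    return entries

def diff_ldif(current, desired):
    """Emit deletes (leaves first), adds (parents first), then per-entry modifies."""
    cur, want = parse_ldif(current), parse_ldif(desired)
    def depth(dn): return dn.count(",")     # rough DN depth, enough for ordering
    out = []
    for dn in sorted(set(cur) - set(want), key=depth, reverse=True):
        out.append(f"dn: {dn}\nchangetype: delete\n")
    for dn in sorted(set(want) - set(cur), key=depth):
        lines = [f"dn: {dn}", "changetype: add"]
        for attr, vals in want[dn].items():
            lines += [f"{attr}: {v}" for v in vals]
        out.append("\n".join(lines) + "\n")
    for dn in sorted(set(cur) & set(want)):
        mods = []
        for attr in sorted(set(cur[dn]) | set(want[dn])):
            new = want[dn].get(attr, [])
            if sorted(cur[dn].get(attr, [])) == sorted(new):
                continue                                  # attribute unchanged
            op = f"replace: {attr}\n" if new else f"delete: {attr}\n"
            mods.append(op + "".join(f"{attr}: {v}\n" for v in new) + "-")
        if mods:
            out.append(f"dn: {dn}\nchangetype: modify\n" + "\n".join(mods) + "\n")
    return "\n".join(out)

# Constructed sample dumps (not real data): bob leaves, carol joins, alice's mail changes and title goes.
CURRENT_LDIF = ("dn: dc=example,dc=com\nobjectClass: organization\no: Example\n\n"
                "dn: uid=alice,dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: alice\nmail: alice@example.com\ntitle: Analyst\n\n"
                "dn: uid=bob,dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: bob\n")
DESIRED_LDIF = ("dn: dc=example,dc=com\nobjectClass: organization\no: Example\n\n"
                "dn: uid=alice,dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: alice\nmail: alice@corp.example.com\n\n"
                "dn: uid=carol,dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: carol\n")
```

Feed the output to `ldapmodify -f`, and review it first: a diff that deletes far more than expected usually means the desired dump, not the directory, is wrong.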