On 7/24/07, openldap <email@example.com> wrote:
> version on the main server: openldap-2.2.17
Upgrade to 2.3.x.
> On this site, we use openldap to manage the entire mail system. We do a
> backup of the directory each night at 1 o'clock. The ldap service is
> distributed on three servers, which are kept synced by the slurp daemon.
If you upgrade to 2.3.x, you should switch to syncrepl.
> Before doing the backup, we restart the main openldap server with a
> configuration with "readonly on" set for the directory database:
Why? E.g., if you are using ldbm, switch to bdb. Or, do you require a
point-in-time backup?
> Then we do
> slapcat -f /usr/local/openldap/etc/openldap/slapd.conf -l $HOME/backup/backup_file
> After having done that, we restart the openldap server with a
> configuration with "readonly off" set for the directory database:
> This means: we are using the normal restart procedure from the
> /etc/init.d directory, because the openldap server may not have (?) a
> reload feature via the SIGHUP signal to make it reread the config-file.
In 2.3.x, you can do some configuration changes over the wire (in 2.4,
you can/will be able to do all configuration changes over the wire).
> Every now and then, we get a message from the postfix server, that the
> ldap server has not been accessible, when it tried to retrieve
> mail-parameters in the time between 1.00 and 1.09 in the night
> ("temporary lookup failure"), which means that the openldap server
> during this time cannot be accessed. This seems a very long time (9
Well, if you have 2 slaves, why are you worried about this?
> Can I set and clear the readonly flag for the directory using a direct
> command to the server, in order not to have to restart the server twice?
Not on 2.2.x.
> Can I omit to set the readonly flag altogether before doing the slapcat?
If you are using bdb, yes (but, you should upgrade, there were some
bugs that might hit you - especially if you run the slapcat as root).
> Is there another method to restart the openldap server much faster than
> via this method? E.g. can I send the openldap server a SIGHUP flag
> directly and not go through the /etc/init.d/ldap restart procedure?
Not on 2.2.x. But, I am quite sure startup isn't taking 9 minutes (or
even 4.5 minutes each time), so it might be that your LDAP server
isn't responding due to excessive disk IO during your slapcat.
You should consult your monitoring system to see what the load
averages are like, how much IO you're doing at the time, or test this
on a development system.
If it is in fact the disk IO, then most likely you need more database
cache (if you are using bdb, which you should).
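As an added illustration of the advice above (this script is not from the thread and not part of OpenLDAP), here is the nightly dump rewritten for a bdb backend on 2.3.x: no readonly toggle and no restarts, slapcat run at low CPU priority so it competes less with live lookups, the dump written to a temporary file and validated before it replaces the previous backup. The config path, backup directory and the `run` argument are assumptions; the LDIF checks only need POSIX tools.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a bdb backend on
# OpenLDAP 2.3.x, where slapcat can run against a live slapd.
SLAPD_CONF=${SLAPD_CONF:-/usr/local/openldap/etc/openldap/slapd.conf}  # assumed path
BACKUP_DIR=${BACKUP_DIR:-$HOME/backup}                                  # assumed path

# count_entries FILE: number of LDIF entries (lines starting with "dn:");
# prints 0 for a missing or empty file instead of failing.
count_entries() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^dn:' "$1" || true
}

# validate_ldif FILE: succeed only if the dump holds at least one entry and
# the last line is terminated, so a dump cut off mid-record is rejected
# rather than silently becoming "last night's backup".
validate_ldif() {
    f=$1
    n=$(count_entries "$f")
    [ "$n" -gt 0 ] || return 1
    # $(tail -c 1) is empty exactly when the final byte is a newline
    [ -z "$(tail -c 1 "$f")" ] || return 1
    return 0
}

# run_backup: dump at low CPU priority into a temp file, validate, then
# rename into place. A failed slapcat never overwrites the previous dump.
run_backup() {
    mkdir -p "$BACKUP_DIR"
    tmp="$BACKUP_DIR/backup_file.tmp.$$"
    out="$BACKUP_DIR/backup_file.$(date +%Y%m%d)"
    if ! nice -n 19 slapcat -f "$SLAPD_CONF" -l "$tmp"; then
        rm -f "$tmp"
        echo "slapcat failed, previous backup left untouched" >&2
        return 1
    fi
    if ! validate_ldif "$tmp"; then
        rm -f "$tmp"
        echo "dump failed validation, previous backup left untouched" >&2
        return 1
    fi
    mv "$tmp" "$out"
    echo "backed up $(count_entries "$out") entries to $out"
}

# Only perform the dump when invoked as "backup.sh run", so the functions
# can be sourced and checked without touching slapd.
if [ "${1:-}" = run ]; then
    run_backup
fi
```

Running the dump under `nice` addresses the reply's point that the outage is more likely disk/CPU contention during slapcat than a slow restart; if the "temporary lookup failure" messages persist, compare load and IO at 01:00 against the rest of the night before changing the database cache.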