
Re: confusing manpage for slapcat for backup



On Wednesday, 7 April 2010 02:45:46 hai wu wrote:
> I have some questions:
> 
> When I look at manpage for slapcat from openldap-servers-2.3.27-5 in
> Centos5.0, it says:
> 
> LIMITATIONS
>        In general, your slapd(8) should not be running (at least, not in
>        read-write mode) when you do this to ensure consistency of the database.
> 
> But when I look at its manpage from openldap-servers-2.3.43-3.el5 in
> Centos5.4, it says:
> 
> LIMITATIONS
>        For some backend types, your slapd(8) should not be running (at least,
>        not in read-write mode) when you do this to ensure consistency of the
>        database. It is always safe to run slapcat with the slapd-bdb(5),
>        slapd-hdb(5), and slapd-null(5) backends.
> 
> Question 1: Is it always safe to run slapcat with slapd running even for
> openldap-servers-2.3.27-5 in Centos5?

Yes. The documentation was lacking in this regard, and the documentation was 
fixed to be more accurate in later 2.3.x releases such as 2.3.43.

(documentation can also get bug fixes :-)).

> The administration guide for OpenLDAP 2.4 at
> http://www.openldap.org/doc/admin24/maintenance.html explains more on this,
> I quote:
> 
> "2. Periodically run slapcat and back up the LDIF file:
> 
> Slapcat can be run while slapd is active. However, one runs the risk of an
> inconsistent database- not from the point of slapd, but from the point of
> the applications using LDAP. For example, if a provisioning application
> performed tasks that consisted of several LDAP operations, and the slapcat
> took place concurrently with those operations, then there might be
> inconsistencies in the LDAP database from the point of view of that
> provisioning application and applications that depended on it. One must,
> therefore, be convinced something like that won't happen. One way to do
>  that would be to put the database in read-only mode while performing the
>  slapcat. The other disadvantage of this approach is that the generated
>  LDIF files can be rather large and the accumulation of the day's backups
>  could add up to a substantial amount of space.
> 
> You can use *slapcat*(8) to generate an LDIF file for each of your
>  *slapd*(8) back-bdb or back-hdb databases.
> 
>     slapcat -f slapd.conf -b "dc=example,dc=com"
> 
> For back-bdb and back-hdb, this command may be ran while slapd(8) is
> running."
> 
> Question 2: Is the above also true for openldap-servers-2.3.27-5 in
> Centos5?

Yes, see (1).

> Question 3: How to put the database in read-only mode while performing the
> slapcat? Is there anyone who's doing this just to make sure for consistent
> backup?

It's only really practical if you are using back-config, then you can do an 
LDAP write to cn=config for the database to put it in read-only, do the backup, 
and put it back read-write, without restarting slapd.

However, since 2.1.x, I have been doing hot backups by backing up the Berkeley 
DB files, and the BDB transaction logs, according to the Berkeley DB 
documentation. This should give finer granularity (and thus better consistency 
of the contents). All my test restores worked, but I didn't have too much time 
to test specific point-in-time recovery, and I have never had to do a 
"production" restore.

In 2.0.x days, we *did* restart slapd in read-only, but that was mainly due to 
not having sufficiently reliable replication (syncrepl supplants the need to do 
read-only exports to prime a slave).

To get the best solution, you need to provide your requirements, or test the 
options and decide for yourself.

Regards,
Buchan
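
The read-only toggle through cn=config described in the reply to Question 3, written out as an added example; it is not part of the original message. It assumes slapd is running from a cn=config directory, and the database entry DN, suffix, config path and ldapi socket shown are placeholder assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example: take a slapcat export while the database is read-only,
# toggling olcReadOnly through cn=config so slapd is never restarted.
# Assumed values (not from the original message); override via environment.
[ -n "${DB_DN:-}" ] || DB_DN='olcDatabase={1}bdb,cn=config'  # assumed entry DN
SUFFIX="${SUFFIX:-dc=example,dc=com}"
CONF_DIR="${CONF_DIR:-/etc/openldap/slapd.d}"   # assumed cn=config directory
LDAPI_URI="${LDAPI_URI:-ldapi:///}"             # assumed local socket, SASL EXTERNAL

# Emit the LDIF change record that sets olcReadOnly to $1 (TRUE or FALSE).
readonly_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcReadOnly\nolcReadOnly: %s\n' \
        "$DB_DN" "$1"
}

set_readonly() {
    readonly_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI_URI"
}

# backup OUTFILE: go read-only, export, go read-write again.
# OUTFILE only appears if slapcat succeeded while the database was read-only.
backup() {
    out="$1"
    umask 077    # the export contains userPassword hashes; stays set for this shell
    set_readonly TRUE || return 1
    rc=0
    slapcat -F "$CONF_DIR" -b "$SUFFIX" -l "$out.tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$out.tmp" "$out"
    else
        rm -f "$out.tmp"
    fi
    # Always try to restore read-write, even when slapcat failed.
    if ! set_readonly FALSE; then
        echo "WARNING: $DB_DN is still read-only" >&2
        return 2
    fi
    return "$rc"
}

# Only act when explicitly asked, e.g.: sh backup.sh --run /var/backups/ldap.ldif
if [ "${1:-}" = "--run" ]; then
    backup "${2:-backup.ldif}"
fi
```

Clients that attempt writes during the export are refused by slapd, so schedule it for a quiet period and alert on exit status 2, which means the database was left read-only.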