Provisioning Importing data Restoring From LDIF Exporting data Backup LDIF Import LDIF Export LDAP Data Interchange Format provides a mechanism for representing directory data in text format. LDIF data is typically used to initialize directory databases, but also may be used to move data between different directories that cannot replicate directly, or even as an alternative backup format. This chapter shows you how to import and export LDIF. This chapter also covers creating test data in LDIF format, and manipulating LDIF data with command-line tools.

When you install OpenDJ, you have the option of importing sample data that is generated during the installation. This procedure demonstrates how to generate LDIF by using the make-ldif command. Importing data Test data The make-ldif command uses templates to provide sample data. Default templates are located in the OpenDJ/config/MakeLDIF/ directory. The example.template file can be used to create a suffix with entries of the type inetOrgPerson. You can do the equivalent in OpenDJ Control Panel (Directory Data > New Base DN... > Import Automatically Generated Example Data). Write a file to act as the template for your generated LDIF. The resulting test data template depends on what data you expect to encounter in production. Base your work on your knowledge of the production data, and on the sample template, OpenDJ/config/MakeLDIF/example.template, and associated data. See make-ldif.template for reference information about template files. Create additional data files for the content in your template to be selected randomly from a file, rather than generated by an expression. Additional data files are located in the same directory as your template file. Decide whether you want to generate the same test data each time you run the make-ldif command with your template. If so, provide the same randomSeed integer each time you run the command. Before generating a very large LDIF file, make sure you have enough space on disk. Run the make-ldif command to generate your LDIF file. $ make-ldif \ --randomSeed 0 \ --templateFile /path/to/my.template \ --ldifFile /path/to/generated.ldif Processed 1000 entries Processed 2000 entries ... Processed 10000 entries LDIF processing complete. 10003 entries written

You can use OpenDJ Control Panel to import data (Directory Data > Import LDIF) and to export data (Directory Data > Export LDIF). The following procedures demonstrate how to use the import-ldif and export-ldif commands. The most efficient method of importing LDIF data is to take the OpenDJ server offline. Alternatively, you can schedule a task to import the data while the server is online. If you do not want to use the default userRoot backend, create a new JE backend for your data. See for details. The following example imports dc=example,dc=org data into the userRoot backend, overwriting existing data. If you want to speed up the process—for example because you have millions of directory entries to import—first shut down the server, and then run the import-ldif command. $ stop-ds $ import-ldif \ --includeBranch dc=example,dc=org \ --backendID userRoot \ --ldifFile /path/to/generated.ldif If not, schedule a task to import the data while online. $ import-ldif \ --port 4444 \ --hostname opendj.example.com \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --includeBranch dc=example,dc=org \ --backendID userRoot \ --ldifFile /path/to/generated.ldif \ --trustAll Notice that the task is scheduled through communication over SSL on the administration port, by default 4444. You can schedule the import task to start at a particular time using the --start option. The --trustAll option trusts all SSL certificates, such as a default self-signed certificate used for testing. The following example exports dc=example,dc=org data from the userRoot backend. If you want to speed up export, first shut down the server, and then export data using the export-ldif command. $ stop-ds $ export-ldif \ --includeBranch dc=example,dc=org \ --backendID userRoot \ --ldifFile /path/to/backup.ldif If not, schedule a task to export the data while online. $ export-ldif \ --port 4444 \ --hostname opendj.example.com \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --includeBranch dc=example,dc=org \ --backendID userRoot \ --ldifFile /path/to/backup.ldif \ --start 20111221230000 \ --trustAll The --start 20111221230000 option tells OpenDJ to start the export at 11 PM on December 21, 2012. If OpenDJ is stopped at this time, then when you start OpenDJ again, the server attempts to perform the task after starting up.

LDIF Tools This section demonstrates the ldifsearch, ldifmodify and ldif-diff commands.

The ldifsearch command lets you search LDIF files in a similar way to how you search LDAP directories with the ldapsearch command. $ ldifsearch \ --baseDN dc=example,dc=org \ --ldifFile generated.ldif \ "(sn=Grenier)" \ mobile dn: uid=user.4630,ou=People,dc=example,dc=org mobile: +1 728 983 6669 The --ldifFile ldif-file option replaces the --hostname and --port options used to connect to an LDAP directory. Otherwise the command syntax and LDIF output is familiar to ldapsearch users.

The ldifmodify command lets you apply changes to LDIF files, generating a new, changed version of the original file. $ cat changes.ldif dn: uid=user.0,ou=People,dc=example,dc=org changetype: modify replace: description description: This is the new description for Aaccf Amar. - replace: initials initials: AAA $ ldifmodify \ --sourceLDIF generated.ldif \ --changesLDIF changes.ldif \ --targetLDIF new.ldif Notice that the resulting new LDIF file is likely to be about the same size as the source LDIF file.

The ldif-diff command reports differences between two LDIF files in LDIF format. $ ldif-diff --sourceLDIF old.ldif --targetLDIF new.ldif dn: uid=user.0,ou=People,dc=example,dc=org changetype: modify add: initials initials: AAA - delete: initials initials: ASA - add: description description: This is the new description for Aaccf Amar. - delete: description description: This is the description for Aaccf Amar. As the ldif-diff command reads both files into memory, constructing tree maps to perform the comparison, the command is designed to work with small files and fragments. The command can quickly run out of memory when calculating differences between large files.

Database backend Creating OpenDJ stores your directory data in a backend. Backends are what you backup and restore. By default, OpenDJ stores your data in a backend named userRoot. You can create new backends using the dsconfig create-backend command. The following example creates a local backend named testData. $ dsconfig create-backend --backend-name testData --type local-db >>>> Configuring the "base-dn" property Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN. Syntax: DN Enter a value for the "base-dn" property: dc=example,dc=org Enter another value for the "base-dn" property [continue]: >>>> Configuring the "enabled" property Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations. Select a value for the "enabled" property: 1) true 2) false ?) help q) quit Enter choice: 1 >>>> Configure the properties of the Local DB Backend Property Value(s) -------------------------------------- 1) backend-id testData 2) base-dn "dc=example,dc=org" 3) compact-encoding true 4) db-cache-percent 10 5) db-cache-size 0 b 6) db-directory db 7) enabled true 8) index-entry-limit 4000 9) writability-mode enabled ?) help f) finish - create the new Local DB Backend q) quit Enter choice [f]: The Local DB Backend was created successfully Alternatively, you can create a new backend in OpenDJ Control Panel (Directory Data > New Base DN > Backend > New Backend: backend-name).

Database backend Setting disk space thresholds Directory data growth depends on applications that use the directory. As a result, when directory applications add more data than they delete, the local database backend grows until it fills the available disk space. The system can end up in an unrecoverable state if no disk space is available. Local database backends therefore have advanced properties, disk-low-threshold and disk-full-threshold. When available disk space falls below disk-low-threshold, OpenDJ server only allows updates from users and applications that have the privilege to bypass-lockdown. When available space falls below disk-full-threshold, OpenDJ server stops allowing updates, instead returning an UNWILLING_TO_PERFORM error to each update request. OpenDJ server continues to apply replication updates without regard to the thresholds. OpenDJ server can therefore fill available disk space despite the thresholds, by accepting replication updates made on other servers. You can give yourself more time to react to the situation both by monitoring directory data growth and also by increasing the thresholds. If growth across the directory service tends to happen quickly, set the thresholds higher than the defaults to allow more time to react when growth threatens to fill the disk. The following example sets disk-low-threshold to 2 GB disk-full-threshold to 1 GB for the userRoot local backend. $ dsconfig \ set-backend-prop \ --hostname opendj.example.com \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --backend-name userRoot \ --set "disk-low-threshold:2 GB" \ --set "disk-full-threshold:1 GB" \ --trustAll \ --no-prompt The properties disk-low-threshold and disk-full-threshold are listed as "advanced" properties. To examine their values with the dsconfig command, use the --advanced option as shown in the following example. $ dsconfig \ get-backend-prop \ --advanced \ --hostname opendj.example.com \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --backend-name userRoot \ --property disk-low-threshold \ --property disk-full-threshold \ --trustAll \ --no-prompt Property : Value(s) --------------------:--------- disk-full-threshold : 1 gb disk-low-threshold : 2 gb

Database backend Updating In addition to letting you create new backends as described in , OpenDJ lets you add a new base DN to an existing backend. The following example adds the suffix o=example to the existing backend userRoot. $ dsconfig \ set-backend-prop \ --hostname opendj.example.com \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --backend-name userRoot \ --add base-dn:o=example \ --trustAll \ --no-prompt $ dsconfig \ get-backend-prop \ --hostname opendj.example.com \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --backend-name userRoot \ --property base-dn \ --trustAll \ --no-prompt Property : Value(s) ---------:------------------------------- base-dn : "dc=example,dc=com", o=example Alternatively, you can update an existing backend in OpenDJ Control Panel (Directory Data > New Base DN, then select the existing backend from the dropdown Backend list, and enter the new Base DN name).

Database backend Deleting You delete a database backend by using the dsconfig delete-backend command. When you delete a database backend by using the dsconfig delete-backend command, OpenDJ does not actually remove the database files for two reasons. First, a mistake could potentially cause lots of data to be lost. Second, deleting a large database backend could cause severe service degradation due to a sudden increase in I/O load. Instead, after you run the dsconfig delete-backend command you must also manually remove the database backend files. If you do run the dsconfig delete-backend command by mistake and have not yet deleted the actual files, then you can recover from the mistake by creating the backend again, reconfiguring the indexes that were removed, and rebuilding the indexes as described in the section on Configuring & Rebuilding Indexes.