A French version of this article is available here.
Backups are a critical part of any information system (IS).
LDAP directories are no different, and it is important to know how to back up and restore their content.
This article talks about Forgerock DS (DS for Directory Server; it was called OpenDJ before, which was easier for Google searches, but anyway).
Forgerock Backstage shares many KB articles with us on this topic, for instance:
What we're going to describe below has been tested on a Forgerock DS 6.5 LDAP directory. Forgerock DS 7 comes with changes in this area, as you can see in https://backstage.forgerock.com/docs/ds/7/release-notes/whats-new.html#whats-new-700 ("New, simplified implementation with cloud storage support"). I hope we'll talk about this in another post.
As mentioned in the first KB above, backing up a DS server requires backing up files and exporting the data contained in the directory. Backing up the files should not be a problem, so I'll focus on backing up the data.
Here's our first attempt for a script that can do the trick:
#!/usr/bin/bash
# forgerock DS backup script
# opendj backup script
DS_HOME="/path/to/ds"
DS_HOSTNAME="FQDN.of.DS.server"
DS_ADM_PORT=4444 # default admin port, adapt to your needs
DS_ADM_LOGIN="cn=directory manager" # please don't do this, it works but this is BAD! (please read below)
DS_ADM_PWD="very nice and secured password" # if you use the admin account, anyone that can read your script can now have unlimited access to your server
DS_BKP_REP="/path/where/backups/are/kept"
# all those lines above just to do this:
${DS_HOME}/bin/backup --hostname "$DS_HOSTNAME" \
--port "$DS_ADM_PORT" \
--bindDN "$DS_ADM_LOGIN" \
-w "$DS_ADM_PWD" \
--backUpAll \
--backupDirectory "${DS_BKP_REP}/backends" \
--trustAll
As I mentioned in the script comments, using the admin account (cn=directory manager) in the backup script is simple but dangerous.
So, let's create a dedicated account for backup!
Everyone knows that you have to RTFM, so let's go and read https://backstage.forgerock.com/docs/ds/6.5/security-guide/#table-directory-managers; here are the important details:
Back up and restore directory data
File system access for backup data and exported LDIF;
access to create entries under cn=tasks;
DS server privileges: backend-backup, backend-restore, ldif-export, ldif-import
The first step is FS rights, easy. We all know the good old chown, and we just need to apply it to the DS_BKP_REP folder.
The second step is not really well documented; I'll talk about it below, please be patient. Anyway, I need to handle the 3rd step first.
We'll start by creating a backup account, with this pretty little LDIF file that lists all the privileges required (and mentioned in the doc):
# backup_user.ldif: create the forgerock DS (opendj) backup user
# LDIF comment lines start with "#", a shell shebang does not belong here
dn: uid=backup_user,ou=services,dc=example,dc=com
changetype: add
objectClass: top
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: person
cn: backup_user
sn: backup_user
uid: backup_user
userPassword: ****
# privileges listed in the DS 6.5 security guide for backup and restore
ds-privilege-name: backend-restore
ds-privilege-name: backend-backup
ds-privilege-name: ldif-export
ds-privilege-name: ldif-import
We import the LDIF into the LDAP directory with an easy ldapmodify or with our favorite LDAP editor.
We can now come back to the 2nd step. We just need to add a global-aci on cn=tasks for our new backup user:
#!/usr/bin/bash
# add global aci to backup user
DS_HOME="/path/to/ds"
DS_HOSTNAME="FQDN.of.DS.server"
DS_ADM_PORT=4444 # default admin port, adapt to your needs
DS_ADM_LOGIN="cn=directory manager" # this time this is a one-shot script, so you can use this account, unless you have another one with the right privileges.
DS_ADM_PWD="very nice and secured password"
BACKUP_USER_DN="uid=backup_user,ou=services,dc=example,dc=com"
# the ACI lets the backup user add/write/read/search/compare entries under cn=tasks,
# which is where the backup tool creates its scheduled task entries
GLOBAL_ACI="(target=\"ldap:///cn=tasks\")(targetattr=\"*\")(version 3.0; acl \"Service Account Backup\"; allow (add,write,read,search,compare) userdn=\"ldap:///${BACKUP_USER_DN}\";)"
${DS_HOME}/bin/dsconfig --hostname "$DS_HOSTNAME" \
--port "$DS_ADM_PORT" \
--bindDN "$DS_ADM_LOGIN" \
-w "$DS_ADM_PWD" \
--trustAll \
set-access-control-handler-prop \
--add "global-aci:${GLOBAL_ACI}" \
--no-prompt
We can now modify the first script to use our new backup user's credentials. If we hadn't done all this, we would have hit the ugly error below when running the backup command:
You have provided options for scheduling this operation as a task but options provided for connecting to the server's tasks backend resulted in the following error: 'Insufficient Access Rights: The entry ds-task-id=20201101234606219,cn=Scheduled Tasks,cn=Tasks cannot be added due to insufficient access rights'
Joy and happiness.
If you need to do incremental backups (free hint: you probably do), it shouldn't be that hard to adapt.
Maybe, we'll talk about how to restore a Forgerock DS backup another time?
Benjamin Sebbah
Please don't hesitate to leave a comment here!