IAM appliance - iam-app-directory-server

/data/volumes/directory-server/data - OpenLDAP MDB database

/data/volumes/directory-server/config - OpenLDAP OLC (configuration) database

/data/volumes/directory-server/secrets-pwfiles - bootstrap password for admin and readonly users cn=admin,dc=iamappliance (user administration), cn=admin,cn=config (config administration), cn=cas,dc=iamappliance (read-only user for CAS). If the password don’t exist, package creates them automatically during its installation.

/data/volumes/directory-server/secrets-certs - LDAPS certificate and private key. There are also a chain.pem and dhparam.pem files. DHparam file is generated automatically during the first start of the container.

/data/volumes/directory-server/secrets-enc - Encrypted backups key ldap-backup-symkey.pwfile is located here. File is generated automatically if it does not exist.

/data/volumes/directory-server/backup - Backups are stored here.

/data/logs/directory-server - Logs are stored here.

/data/registry/node-active-config/docker-compose-directory-server.yml - container compose file

/etc/rsyslog.d/10_directory-server.conf - syslog configuration for the container to send logs to dedicated files on the filesystem

/etc/logrotate.d/directory-server - logrotate configuration

systemd unit is located in /usr/lib/systemd/system/iam-directory-server.service so the command systemctl start/stop/enable/disable works as expected.

Start of the service calls docker-compose …​ up, which starts/creates/recreates the container as needed.

Backups

Service does not have any installation dependencies.

Service does not have any runtime dependencies.

First start of the container initializes whole slapd instance. Its configuration is directly in the cn=config inside the LDAP server. Static files in /etc/ldap/schema are used only during this initialization phase and have no other effect.

Auto-generation of dhparam.pem (and other files) is done only on the first init of the LDAP database.

Container contains runit, cron, slapd and syslog-ng so it does not conform to our container requirements wiki. But it is the only sensible way of doing LDAP recovery with running container and stopped slapd.

Make sure you have correct backup. Create special new backup right before the restore operation to preserve original (even if undesirable) state.

If you use encrypted backups and you are planning to change the encryption key, save the original ldap-backup-symkey.pwfile so you can still access your historical backups.

Use slapd-backup-config and slapd-backup-data to backup the LDAP server.

Use slapd-restore-config and slapd-restore-data to restore the LDAP server. Those scripts use slapadd internally and you must delete the original LDAP databases beforehand. Whole restore procedure then looks like this:

root@directory-server:/# rm -r /etc/ldap/slapd.d/cn*
root@directory-server:/# /sbin/slapd-restore-config 20210204T090611-config.gz
root@directory-server:/# rm /var/lib/ldap/*
root@directory-server:/# /sbin/slapd-restore-data 20210204T090615-data.gz