How to copy LDAP records from one OpenDJ server to another

To copy the LDAP records from an OpenDJ server to another (e.g. after a clean install) you first need to copy the required LDAP schema files, then the LDAP directory data:

Step 1

Make sure the target OpenDJ server is created with a baseDN (also called suffix or naming context) that matches the base DN of the source OpenDJ server.

The setup base DN can be displayed with the following command, under the userRoot backend ID:

$ opendj/bin/list-backends
Backend ID     : Base DN
---------------:--------------------
adminRoot      : cn=admin data
ads-truststore : cn=ads-truststore
backup         : cn=backups
config         : cn=config
monitor        : cn=monitor
schema         : cn=schema
tasks          : cn=tasks
userRoot       : "dc=wonderland,dc=net"

Step 2

The target LDAP server must be stopped before new schemas can be installed:

$ opendj/bin/stop-ds

Step 3

Copy the following schema files from the source OpenDJ server

opendj/config/schema/90-oidc-client.ldif
opendj/config/schema/91-oidc-authz.ldif
opendj/config/schema/92-srp.ldif

to the opendj/config/schema directory of the target OpenDJ server.

Note that the source OpenDJ server may be running or offline.

Step 4

Export the LDAP records from the source OpenDJ server to a standard LDIF file:

$ opendj/bin/export-ldif -n userRoot -l records.ldif

You can check the export-ldif manual for additional options.

Step 5

Import the LDIF record dump into the target server:

$ opendj/bin/import-ldif -n userRoot -l records.ldif

You can check the import-ldif manual for additional options.

Step 6

Start the LDAP server with

opendj/bin/start-ds

Notes

To browse and edit the contents of an LDAP directory we recommend the excellent Apache Directory Studio.

Please note that the persisted LDAP data used by a running Connect2id Server should not be modified directly with an LDAP tool:

  • The changes will most likely not be seen due to the Connect2id Server’s caching of data;

  • You also run the risk of corrupting the data as the LDAP record values are not checked by the server.

To modify existing client registrations or persisted authorisations use their RESTful web APIs instead.