T 3.111 Inadequate separation of offline and online access to OpenLDAP
The data managed by OpenLDAP, i.e. the objects in the directory service and the configuration settings, can be accessed in the following ways:
- via the LDAP protocol using the ldap* tools while the slapd server is running (also referred to as online access),
- via direct access to the BerkeleyDB database files using the slap* tools of OpenLDAP, independently of the slapd server (also referred to as offline access),
- by manipulating the database using Oracle's BerkeleyDB tools, and
- by directly manipulating the configuration files in the file system.
The different access options and tools overlap partially or completely in the functions they fulfil. If the access options are mixed, or if the respective method of operation is not understood, numerous error situations can occur.
Examples:
- In a company, the records stored by OpenLDAP are backed up in LDIF format using the offline tool slapcat. For a restoration, the administrator tries to load the backup into the empty database of a running OpenLDAP instance using the ldapadd application. It is overlooked that the slapcat export has written the records in the order in which they are physically stored in the database. The ldap* tool ldapadd, however, expects the records in hierarchical directory order. The import results in an inconsistent database, as ldapadd tries to insert records whose superior entries have not yet been imported.
- An OpenLDAP user carries out the backup and restoration of the databases using the BerkeleyDB tools. The user bypasses OpenLDAP by backing up the database with the "db_dump" program and reloading the data with "db_load". Since application-specific time stamps cannot be restored correctly by this kind of backup, the restored database is inconsistent and cannot be used by OpenLDAP.
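The first example can be caught before any data is loaded: the check below, an added illustration that is not part of the threat catalogue, walks an LDIF export and reports every entry whose superior has not yet appeared, which is exactly what ldapadd would reject; it can also re-sort the records by DN depth so that superiors precede their subordinates. The sample LDIF is constructed, DN parsing is simplified (split on unescaped commas, no full RFC 4514 handling, no base64 "dn::" values), and the suffix list is an assumption of the caller.

```python
import re

RDN_SEP = r"(?<!\\),"  # split DNs on commas that are not escaped (simplified)

def normalize_dn(dn):
    """Canonicalise a DN just enough for parent lookups: trim, lowercase."""
    return ",".join(p.strip() for p in re.split(RDN_SEP, dn)).lower()

def parent_dn(ndn):
    """Superior DN of a normalised DN, or '' if it has a single RDN."""
    parts = re.split(RDN_SEP, ndn)
    return ",".join(parts[1:]) if len(parts) > 1 else ""

def ldif_records(ldif_text):
    """Split LDIF into (dn, record_text) tuples. Records are separated by blank
    lines; comment lines are dropped and blocks without a 'dn:' line are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        dn_line = next((l for l in lines if l.lower().startswith("dn: ")), None)
        if dn_line is not None:
            records.append((dn_line[4:].strip(), "\n".join(lines)))
    return records

def out_of_order(ldif_text, suffixes):
    """DNs whose superior has not appeared earlier in the export. Entries equal
    to a database suffix are roots and need no parent. Empty list = ldapadd-safe."""
    roots = {normalize_dn(s) for s in suffixes}
    seen, problems = set(), []
    for dn, _ in ldif_records(ldif_text):
        ndn = normalize_dn(dn)
        if ndn not in roots and parent_dn(ndn) not in seen:
            problems.append(dn)
        seen.add(ndn)
    return problems

def reorder_for_ldapadd(ldif_text):
    """Stable sort by DN depth: a superior always has fewer RDNs than its
    subordinates, so it ends up before them while sibling order is preserved."""
    recs = ldif_records(ldif_text)
    recs.sort(key=lambda r: len(re.split(RDN_SEP, r[0])))
    return "\n\n".join(text for _, text in recs) + "\n"

# Constructed slapcat-style export in physical (database) order, not hierarchical order.
SAMPLE_LDIF = """dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
"""
```

Running `out_of_order(SAMPLE_LDIF, ["dc=example,dc=com"])` flags the "ou=people" entry, which appears before its superior; after `reorder_for_ldapadd` the same check returns an empty list.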