Cloning OpenDJ

I may have mentioned this before: it is possible to “clone” a copy of an existing OpenDJ server to another host and it will work just fine. This is discussed in the Admin Guide under the topics Moving Servers and Changing Server Certificates, which I advise be read in that order. Some special considerations follow.

We (my good friend and colleague Anil Prakash Gupta and I) discovered this almost by accident. Well, Anil discovered it first. Not sure how. But it was definitely an accident on my part.

[root@ldap1 ~]# /opt/opendj/ds-user1/bin/stop-ds
[root@ldap1 ~]# cd /opt/opendj
[root@ldap1 opendj]# tar czf ds-user1.tgz ds-user1
[root@ldap1 opendj]# scp ds-user1.tgz ldap2.example.com:/opt/opendj
[root@ldap1 opendj]# ssh ldap2.example.com
[root@ldap2 ~]# cd /opt/opendj
[root@ldap2 opendj]# tar xzf ds-user1.tgz
[root@ldap2 opendj]# /opt/opendj/ds-user1/bin/start-ds

* * *

[11/Feb/2013:15:07:02 -0500] category=CORE severity=NOTICE msgID=458891
msg=The Directory Server has sent an alert notification generated by
class org.opends.server.core.DirectoryServer (alert type org.opends
.server.DirectoryServerStarted, alert ID 458887):
The Directory Server has started successfully

Some things to keep in mind, well 3, actually:

1. Certificates.

2. Replication Agreements.

3. Ports.

All three are pretty obvious. While the core directory service doesn’t really care about the name of the host it is on, all of the certificates used to do things like serve up data over LDAPS, administer the server, or undertake replication do.

So I have 3 recommendations:

1. Before cloning (or applying a clone of) a directory server instance, remove any replication configuration. I actually don’t recommend using a cloned copy of a directory server in a replicated environment. Starting from scratch is safest there.

2. Update all certificates to reflect the new host/service name. That includes both the server and admin (those beginning with “admin-”) cert/trust stores. If you’re going to carry over replication configurations, then the certs in those stores will also need to be updated (these are prefixed “ads-”). And yes, this does make for a lot of work but is actually minimal compared to what it could take to rebuild dozens of indexes and reload tens of thousands of entries.

3. Make sure the ports of the newly arrived clone don’t step on anything already living at its new home address. Check both the LDAP server listening ports (for example 389 and 636), as well as the administrative ports (4444, 5444, or 5445).
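
A pre-flight check for recommendations 1 and 3, written for this post as an added example (it is not OpenDJ tooling): it reads the clone’s config/config.ldif, lists every port the instance will try to bind, flags leftover replication configuration, and reports which ports are already taken on the new host. It assumes the OpenDJ 2.x attribute names ds-cfg-listen-port, ds-cfg-replication-port and ds-cfg-replication-server; the config.ldif fragment at the bottom is constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Pre-flight check for an OpenDJ instance unpacked on a new host (added example,
# not OpenDJ tooling). Assumes the 2.x config.ldif attribute names
# ds-cfg-listen-port, ds-cfg-replication-port and ds-cfg-replication-server.

# Every port the instance will try to bind: LDAP/LDAPS, admin and replication.
configured_ports() {
    grep -E '^ds-cfg-(listen|replication)-port:' "$1" | sed 's/.*: *//' | sort -un
}

# Succeeds when config.ldif still carries replication state (a replication
# server list or a replication domain) that should go before start-ds.
has_replication_config() {
    grep -Eq '^ds-cfg-replication-server:|^objectClass: ds-cfg-replication-domain' "$1"
}

# Prints configured ports that are already bound here. $1 = config.ldif,
# $2 = ports listening on this host, one per line (e.g. from ss -ltn).
conflicting_ports() {
    for p in $(configured_ports "$1"); do
        printf '%s\n' "$2" | grep -qx "$p" && echo "$p"
    done
    return 0
}

# Constructed config.ldif fragment for a stand-alone run (not a real instance):
SAMPLE_CONFIG=$(mktemp); trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
dn: cn=LDAP Connection Handler,cn=Connection Handlers,cn=config
ds-cfg-listen-port: 389

dn: cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
ds-cfg-listen-port: 636

dn: cn=Administration Connector,cn=config
ds-cfg-listen-port: 4444

dn: cn=replication server,cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config
ds-cfg-replication-port: 8989
ds-cfg-replication-server: ldap1.example.com:8989
EOF

# Against a real clone, feed the new host's listeners as the second argument:
#   conflicting_ports /opt/opendj/ds-user1/config/config.ldif \
#       "$(ss -ltn | awk 'NR>1 {sub(/.*:/, "", $4); print $4}')"
echo "configured ports: $(configured_ports "$SAMPLE_CONFIG" | tr '\n' ' ')"
has_replication_config "$SAMPLE_CONFIG" && echo "replication config present: remove it before start-ds"
echo "conflicts on a host already using 389 and 4444: $(conflicting_ports "$SAMPLE_CONFIG" "$(printf '22\n389\n4444')" | tr '\n' ' ')"
```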

Above all, READ THE DOCUMENTATION. OpenDJ’s doc has improved immeasurably over time and the sections covering these operations are actually quite clear and thorough.