This Quick Guide presents techniques and strategies to backup LDAP and Microsoft AD servers with Bacula Enterprise Edition Plugin.
The LDAP/AD plugin was designed to back up and restore single LDAP objects and to perform incremental, differential and full backups.
It uses the standard LDAP network protocol and the standard schema to search and fetch objects so it should support a variety of different LDAP servers in addition to the OpenLDAP server.
The LDAP/AD Plugin is client-less and does not need to be installed on the LDAP or Windows Active Directory machine. The Bacula Server machine, or any other Linux machine with a network connection to the LDAP or Microsoft Active Directory server, can be used to perform the granular object backup and restore.
The plugin supports the Bacula Job Accurate option (to find deleted objects), ldaps (SSL) communication with the LDAP server, and MS Active Directory servers (Windows 2003, Windows 2008, and later).
Installation
Packages are available for RedHat Enterprise and Debian/Ubuntu. Contact us to receive them.
Install the plugin on a machine with a working Bacula File Daemon (client) and with a network connection to the LDAP or MS Active Directory service. E.g.:
```
rpm -ivh bacula-enterprise-ldap-plugin
```
Restart the Bacula client (service bacula-fd restart), so the daemon can load the newly installed plugin.
Configuration
In order to use the LDAP/MSAD plugin, you must set up a configuration file on the File Daemon machine that uses the plugin. It contains the LDAP/MSAD server connection parameters.
The default configuration file is located at:
- /opt/bacula/etc/ldap.conf for the LDAP plugin and
- /opt/bacula/etc/msad.conf for the MSAD plugin.
Their contents should be similar to this:
```
#
# Sample config file for the ldap plugin /opt/bacula/etc/ldap.conf
#
LDAPURI = "ldap://192.168.0.100/"
BINDDN = "cn=backup,dc=acme,dc=com"
BINDPASS = "PASSW0RD"
BASEDN = "dc=acme,dc=com"
```
```
#
# Sample config file for the msad plugin /opt/bacula/etc/msad.conf
#
LDAPURI = "ldap://10.41.101.1/"
BINDDN = "Administrator@domain"   # or domain\Administrator
BINDPASS = "password"
BASEDN = "dc=domain,dc=com"
```
You may call a different config file in each FileSet Plugin option definition, in order to backup different directory services bases.
The plugin requires an LDAP/MSAD account with permissions to query and read objects for backup. This account can be an admin account or user account with a backup role.
The BASEDN is the base location (DN) for the backup; it can be the LDAP server root tree or some other subtree.
The LDAP/MSAD plugins create a virtual namespace in the Bacula catalog which consists of an “ldap:” or “msad:” prefix and the DN tree laid out as a directory tree.
Alternatively, the configuration file parameters can be set in the Bacula FileSet plugin options. However, dealing with special characters in the LDAP/MSAD bind user password can be trickier there.
Connection Test
To test the connection parameters for the Microsoft AD, you can use the following LDAP command, on shell:
```
ldapsearch -LLL -x -H 'ldap://10.41.101.1/' -D 'Administrator@domain' -w 'password' -b 'DC=domain,DC=com' '(objectClass=*)'
```
Remark: the LDAP/MSAD plugins perform a single base query to find all objects to back up, but the default configuration of LDAP and MS AD servers limits the number of records returned by a single query, which in turn limits the number of records Bacula obtains for backup. Consequently, to ensure a complete backup of LDAP or MS AD servers, the administrator must increase this limit. The required configuration change depends on the LDAP or MS AD server type and version. By default, an Active Directory server is limited to 1000 records: if you perform an LDAP search from the command line or an application, the result set will be limited to 1,000 results. The AD administrator should increase the limit with Ntdsutil.exe; check the MaxPageSize parameter.
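As an added example (not Bacula's code), the following Python script wraps the ldapsearch test above and flags a result set that was cut off at the server's size limit; it assumes OpenLDAP's ldapsearch is installed, reads the bind password from a file (-y) instead of the command line so it stays out of the process list, and uses a placeholder path for that file.

```python
"""Run the guide's ldapsearch connection test and detect a truncated result set.
Added example, not Bacula's code. Assumes OpenLDAP's ldapsearch is installed."""
import subprocess
import sys

AD_DEFAULT_LIMIT = 1000  # Active Directory's default MaxPageSize


def assess_search(stdout: str, returncode: int, limit: int = AD_DEFAULT_LIMIT) -> dict:
    """Count LDIF entries and flag truncation. ldapsearch exits with 4
    ('Size limit exceeded') when the server stops at its limit; an entry
    count at or above the limit is treated as suspicious even with exit 0."""
    entries = sum(1 for line in stdout.splitlines() if line.startswith("dn:"))
    return {"entries": entries, "returncode": returncode,
            "truncated": returncode == 4 or entries >= limit}


def run_connection_test(uri: str, binddn: str, passfile: str, basedn: str) -> dict:
    """Same search as the guide's command, but with the bind password read
    from a file (-y) so it does not appear in the process list, and with
    '1.1' (RFC 4511: no attributes) requested to keep the output small."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", uri, "-D", binddn, "-y", passfile,
           "-b", basedn, "(objectClass=*)", "1.1"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    result = assess_search(proc.stdout, proc.returncode)
    result["stderr"] = proc.stderr.strip()
    return result


if __name__ == "__main__":
    # Server, bind DN and base DN from the guide; the password file path is a placeholder.
    r = run_connection_test("ldap://10.41.101.1/", "Administrator@domain",
                            "/path/to/bind-password-file", "DC=domain,DC=com")
    print(f"{r['entries']} entries, ldapsearch exit {r['returncode']}")
    if r["truncated"]:
        print("result set truncated: raise the server's size limit (AD: MaxPageSize "
              "via Ntdsutil.exe) before relying on plugin backups", file=sys.stderr)
        sys.exit(1)
```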
FileSet Configuration
By defining all LDAP connection information in the configuration file (/opt/bacula/etc/ldap.conf), you can use the minimal FileSet shown below to run the LDAP plugin. This configuration can also be done using bweb.
```
FileSet {
  Name = "FS_LDAP"
  Include {
    Plugin = "ldap"
  }
}
```
You can also specify a different configuration file in the Plugin directive as shown below:
```
Plugin = "ldap: config=/tmp/ldap.conf"
```
The following FileSet does not use a configuration file, but tries to pass all necessary directives to the plugin:
```
Plugin = "msad: ldapuri=ldap://172.23.60.50 binddn=bacula\hfaria bindpass=password basedn="dc=bacula,dc=com,dc=br""
```
As shown in Figure 1, all these FileSet configurations can be also performed with Bacula bweb. In this case, it is not necessary to escape special characters.
Figure 1. Bweb LDAP/MSAD Plugin Configuration
Plugin Options
Table 1 lists and describes all the plugin options.
Option | Default | Description
---|---|---
config | /opt/bacula/etc/ldap.conf (LDAP) or /opt/bacula/etc/msad.conf (MSAD) | The plugin configuration file
ldapuri | | The LDAP URI of the directory server to connect to
binddn | | Distinguished name of the backup user
bindpass | | Password of the backup user
basedn | | Base location (DN) for the backup; it can be the LDAP server root or some subtree
Table 1. LDAP/MSAD Plugin Options
Job Configuration and Test
Create a backup Job that uses the newly created LDAP/MSAD backup FileSet and the same Client that has the loaded plugin.
It is possible to test the backup Job and FileSet with the Bacula estimate command, e.g.:
```
* estimate listing job=pluginTest level=Full
Using Catalog "MyCatalog"
Connecting to Client 127.0.0.1-fd at 127.0.0.1:8102
drwxr-xr-x   1 root     root     585  2014-03-25 10:12:22  ldap:/dc=com/dc=bacula/dc=database5926/
-rw-r--r--   1 root     root     542  2014-03-25 10:12:22  ldap:/dc=com/dc=bacula/dc=database5926/cn=root
-rw-r--r--   1 root     root     535  2014-03-25 10:12:22  ldap:/dc=com/dc=bacula/dc=database5926/cn=test
2000 OK estimate files=3 bytes=1,077
```
Restore
To restore a single object or a whole tree you need a working LDAP or MS AD server. The LDAP and MSAD plugins are not designed for Disaster Recovery procedures where the LDAP or MSAD server may not be functional. For Disaster Recovery of an MSAD server, you can use the Bacula Enterprise VSS plugin.
LDAP and MSAD objects are restored like regular files with the Bacula bconsole “restore” command, or graphically with BAT or even bweb. E.g.:
```
cwd is: /
$ cd ldap:/dc=com/dc=bacula
cwd is: ldap:/dc=com/dc=bacula/
$ dir
-rw-r--r--   1 root     root     568  2012-03-17 08:44:34  ldap:/dc=com/dc=bacula/cn=admin
drwxr-xr-x   1 root     root     480  2012-03-11 19:30:55  ldap:/dc=com/dc=bacula/ou=Accounting/
drwxr-xr-x   1 root     root     491  2012-03-11 19:28:49  ldap:/dc=com/dc=bacula/ou=Administrative/
drwxr-xr-x   1 root     root     494  2012-03-11 19:28:49  ldap:/dc=com/dc=bacula/ou=Human Resources/
drwxr-xr-x   1 root     root     479  2012-03-11 19:28:49  ldap:/dc=com/dc=bacula/ou=Janitorial/
drwxr-xr-x   1 root     root     479  2012-03-11 19:32:18  ldap:/dc=com/dc=bacula/ou=Management/
drwxr-xr-x   1 root     root     470  2012-03-11 19:28:49  ldap:/dc=com/dc=bacula/ou=Payroll/
drwxr-xr-x   1 root     root     464  2012-03-11 19:28:49  ldap:/dc=com/dc=bacula/ou=Peons/
drwxr-xr-x   1 root     root     506  2012-03-11 19:30:55  ldap:/dc=com/dc=bacula/ou=Product Development/
drwxr-xr-x   1 root     root     494  2012-03-11 19:28:49  ldap:/dc=com/dc=bacula/ou=Product Testing/
drwxr-xr-x   1 root     root     450  2012-03-05 20:55:47  ldap:/dc=com/dc=bacula/ou=groups/
drwxr-xr-x   1 root     root     448  2012-03-06 14:11:20  ldap:/dc=com/dc=bacula/ou=hosts/
drwxr-xr-x   1 root     root     450  2012-04-10 10:48:32  ldap:/dc=com/dc=bacula/ou=people/
$ add "ou=Product Testing"
121 files marked.
$ cd ou=people
cwd is: ldap:/dc=com/dc=bacula/ou=people/
$ dir
-rw-r--r--   1 root     root     1006618  2012-04-10 10:48:32  ldap:/dc=com/dc=bacula/ou=people/uid=john
$ add *
1 file marked.
```
You can change the restore subtree with the “where=” parameter of the restore command. It should contain a relocation DN, e.g.:
```
where = "dc=restore,dc=example,dc=com"
```
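Added example, not Bacula's code: a small Python helper that maps between an object's DN and the plugin's virtual catalog path (the “ldap:” / “msad:” namespace described under Configuration, with the RDNs reversed into directory components) and applies a where= relocation DN. It assumes the relocation replaces the backup BASEDN suffix of each restored DN and that RDN values contain no “/”.

```python
"""Map LDAP DNs to the Bacula LDAP/MSAD plugin's catalog namespace and back.
Added example, not Bacula's code; the path layout is inferred from the listings."""
from __future__ import annotations
import re

PREFIXES = ("ldap", "msad")

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs; a backslash-escaped ',' inside a value
    (RFC 4514, e.g. 'cn=Smith\\, John') does not end the RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]

def dn_to_catalog_path(dn: str, prefix: str = "ldap", container: bool = False) -> str:
    """'cn=root,dc=bacula,dc=com' -> 'ldap:/dc=com/dc=bacula/cn=root'.
    Containers (OUs, domain components) get a trailing '/' like the listings."""
    if prefix not in PREFIXES:
        raise ValueError(f"unknown plugin prefix {prefix!r}")
    path = f"{prefix}:/" + "/".join(reversed(split_dn(dn)))
    return path + "/" if container else path

def catalog_path_to_dn(path: str) -> tuple[str, str]:
    """Inverse of dn_to_catalog_path; returns (prefix, dn). Assumes RDN
    values contain no '/' (the guide shows none)."""
    m = re.fullmatch(r"(ldap|msad):/(.*?)/?", path)
    if not m:
        raise ValueError(f"not a plugin catalog path: {path!r}")
    rest = m.group(2)
    return m.group(1), ",".join(reversed(rest.split("/"))) if rest else ""

def relocate_dn(dn: str, basedn: str, where: str) -> str:
    """Assumed effect of the restore 'where=' DN: the backup BASEDN suffix
    of dn is replaced by the relocation DN (case-insensitive comparison)."""
    rdns, base = split_dn(dn), split_dn(basedn)
    if not base or [r.lower() for r in rdns[-len(base):]] != [r.lower() for r in base]:
        raise ValueError(f"{dn!r} is not under {basedn!r}")
    return ",".join(rdns[:-len(base)] + split_dn(where))
```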
Reference
LDAP/MSAD Plugin – Bacula Enterprise Edition. http://baculasystems.com