LLDAP•3mo ago

Migrating from seed file

Howdy, I have an older install of lldap that has been running just swell. I have recently started to migrate this to a more modern version, and from docker to kubernetes. My issue seems to be that when I originally stood up lldap [v0.4.3-alpine:252132430cdbf22f3c8e549e1826f9c68ae0e6ae] I just let it generate a seed key file, and from searching around, it appears that a key string is preferred, but it is impossible to convert my current database of users from keyfile to keystring?

Has anyone come up with a good way around this? I think plan A is to just somehow mount this keyfile secret I have to any pods lldap needs in the new setup. Plan B is to start a new DB, migrate all the users, and make them all reset their passwords. Looking for any thoughts or opinions or documentation on how to tackle this?

Solution

Not without resetting the passwords, no

Jump to solution

charlesOP•10/7/25, 5:21 PM

[I am migrating stuff with backup data, leaving production alone. I have a few canary users and a little test script to ensure consistency.]

nitnelave•10/7/25, 5:22 PM

If you lose (or change) the secret, it will appear as if all the passwords are wrong

nitnelave•10/7/25, 5:22 PM

You can "delete" (not mount) the key file, and set a key seed. You'll get some startup errors to confirm that you really want to do this

nitnelave•10/7/25, 5:23 PM

And you will need to force reset the admin password (there are some options for that)

nitnelave•10/7/25, 5:23 PM

And then every user needs to reset their password

nitnelave•10/7/25, 5:23 PM

No need for a "migration", you can use the DB as is

charlesOP•10/7/25, 5:24 PM

Aye, so it is impossible to go from this keyfile I have to a keystring?

Solution

nitnelave•10/7/25, 5:24 PM

Not without resetting the passwords, no

nitnelave•10/7/25, 5:25 PM

(well, technically it's invalidating them, not resetting them)

charlesOP•10/7/25, 5:25 PM

Aye sounds good, probably not a bad practice to rotate, it's been a few years.

charlesOP•10/8/25, 3:53 PM

Feel free to delete if it's not allowed, but I did a little write up about my migration experience if it's useful at all: https://slothlogistics.wordpress.com/2025/10/08/whales-to-k8s-a-migration-tale-part-1-lldap/

Open to any feedback, or being pummeled with rocks for such a silly workaround.

sloth logisticslkmhaqer

Whales to k8s A Migration Tale Part 1: lldap

We’ve been playing with kubernetes for a couple of years off and on now at the SlothLogistics Labs. After juggling a couple of hosts and docker-compose files manually, and with tools like lon…

nitnelave•10/8/25, 4:04 PM

Thanks for writing this article! This looks like a good description of an upgrade/migration of LLDAP, it should be pretty helpful for others

The only nit that I have is that the key file is supported, just not encouraged

nitnelave•10/8/25, 4:05 PM

Do you want to post this in #projects for greater visibility?

charlesOP•10/8/25, 4:47 PM

Can do, happy to reword that section as well, that helps my understanding