LLDAP • 2w ago
charles

Migrating from seed file

Howdy, I have an older install of lldap that has been running just swell. I have recently started to migrate this to a more modern version, and from docker to kubernetes. My issue seems to be that when I originally stood up lldap [v0.4.3-alpine:252132430cdbf22f3c8e549e1826f9c68ae0e6ae] I just let it generate a seed key file, and from searching around, it appears that a key string is preferred, but it is impossible to convert my current database of users from keyfile to keystring? Has anyone come up with a good way around this? I think plan A is to just somehow mount this keyfile secret I have to any pods lldap needs in the new setup. Plan B is to start a new DB, migrate all the users, and make them all reset their passwords. Looking for any thoughts or opinions or documentation on how to tackle this?
8 Replies
charles (OP) • 2w ago
[I am migrating stuff with backup data, leaving production alone. I have a few canary users and a little test script to ensure consistency.]
nitnelave • 2w ago
If you lose (or change) the secret, it will appear as if all the passwords are wrong. You can "delete" (not mount) the key file, and set a key seed. You'll get some startup errors to confirm that you really want to do this. And you will need to force reset the admin password (there are some options for that). And then every user needs to reset their password. No need for a "migration", you can use the DB as is.
charles (OP) • 2w ago
Aye, so it is impossible to go from this keyfile I have to a keystring?
nitnelave • 2w ago
Not without resetting the passwords, no (well, technically it's invalidating them, not resetting them)
charles (OP) • 2w ago
Aye sounds good, probably not a bad practice to rotate, it's been a few years.
charles (OP) • 2w ago
Feel free to delete if it's not allowed, but I did a little write up about my migration experience if it's useful at all: https://slothlogistics.wordpress.com/2025/10/08/whales-to-k8s-a-migration-tale-part-1-lldap/ Open to any feedback, or being pummeled with rocks for such a silly workaround.
lkmhaqer
sloth logistics
Whales to k8s A Migration Tale Part 1: lldap
We’ve been playing with kubernetes for a couple of years off and on now at the SlothLogistics Labs. After juggling a couple of hosts and docker-compose files manually, and with tools like lon…
nitnelave • 2w ago
Thanks for writing this article! This looks like a good description of an upgrade/migration of LLDAP, it should be pretty helpful for others 🙂 The only nit that I have is that the key file is supported, just not encouraged. Do you want to post this in #projects for greater visibility?
charles (OP) • 2w ago
Can do, happy to reword that section as well, that helps my understanding 🙂
