Clientless, network-only backup and restore of directory services on Linux: Microsoft Active Directory (Server 2012 R2 → 2025, Samba AD DC), OpenLDAP (slapd 2.4/2.5/2.6), 389 Directory Server / Red Hat DS / FreeIPA. Status: v0.1.0 DRAFT / pre-release.
Companion document to the PodHeitor AD/LDAP plugin page.
1. The problem: AD/LDAP backup forces a Windows agent or LDIF hacks
Traditional Active Directory backup forces one of:
- Agent on a Windows Domain Controller (Bacula Enterprise, Veeam, Commvault) — requires a privileged install on a production DC and widens its attack surface.
- Scheduled ntdsutil ifm / ntds.dit snapshot plus a filesystem backup — operationally fragile, doesn't capture SYSVOL/GPO synchronously with the database, no point-in-time recovery.
- For OpenLDAP / 389 DS, cron-driven slapcat / db2ldif scripts — produce a giant LDIF daily, no real incrementals, no replication.
PodHeitor AD/LDAP is clientless and network-only: the cdylib runs on the FD's Linux host, connects to the directory over LDAP/LDAPS, and captures both schema and data via DirSync (AD) or RFC 4533 syncrepl (OpenLDAP/389 DS), installing nothing on the DC. Both mechanisms hand the client an opaque cookie; persisting that cookie between jobs is what makes the next run an incremental rather than a full read.
2. Architectural model
Pure-Rust cdylib metaplugin loaded directly by bacula-fd, talking to its in-process backup/restore engine via PTCOMM Path-A. No C/C++ shim, no sidecar process. This is an architectural exception to the PodHeitor cdylib + backend pattern — LDAP is light enough to run entirely in-process, and the complexity reduction is worth it.
Artefact: target/release/libpodheitor_adldap_fd.so, installed at /opt/bacula/plugins/podheitor-adldap-fd.so.
3. Backup modes (v0.1.0)
| Mode | Mechanism |
|---|---|
| ldap | OpenLDAP / 389 DS / FreeIPA via RFC 4533 syncrepl |
| ad | Microsoft AD via DirSync (LDAP control 1.2.840.113556.1.4.841) |
| replicate | Live directory-to-directory replication (cross-vendor) |
| cdp | Continuous Data Protection with bounded RPO |
| hybrid_sysvol | SYSVOL/GPO included via libsmbclient-rs; synchronized capture of directory + GPO |
4. Restore modes
| Mode | Granularity |
|---|---|
| object | Single object (user, computer, group) |
| subtree | Full LDAP subtree |
| attribute | Single attribute on a single object |
| authoritative | Authoritative restore (force replication out) |
| dry_run | Preview without applying |
| diff | Diff between backed-up state and live state |
5. Technical differentiators
- True incremental via RFC 4533 syncrepl (LDAP) + DirSync (AD) — not brute-force diff-of-dump.
- SYSVOL/GPO included in hybrid_sysvol mode via libsmbclient-rs — directory state + GPO state captured in a single job.
- Cross-vendor replication, live directory-to-directory — useful for AD → OpenLDAP migration or FreeIPA → 389 DS DR.
- CDP with bounded RPO — configurable loss window.
- Encryption at-rest — AES-256-GCM or ChaCha20-Poly1305 selectable per job.
- Brazilian Unicode hardened — pt-BR Smoke Gate (NFC/NFD) in CI; accented names don’t corrupt across the backup → restore chain.
- JSON-Lines logging + Prometheus textfile metrics — observability out-of-the-box.
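To make the incremental mechanism named in sections 1 and 5 concrete, here is an added example (not PodHeitor code, which is Rust and is not reproduced on this page) that builds the two request controls a clientless backup sends, AD DirSync (OID 1.2.840.113556.1.4.841, MS-ADTS 3.1.1.3.4.1.3) and the RFC 4533 Sync Request control (OID 1.3.6.1.4.1.4203.1.9.1.1), with a minimal stdlib-only BER encoder, parses the DirSync response to recover the server cookie, and walks one run the way a job does: re-send with the returned cookie until MoreResults is 0, then checkpoint the cookie for the next run. The OIDs and ASN.1 layouts are from the cited specs; the signed 32-bit encoding of the Flags field, the 1 MiB MaxBytes page, and the constructed_dirsync_response helper that stands in for a DC reply are assumptions made so the example runs offline.

```python
"""Added example: DirSync and RFC 4533 request controls behind incremental capture (stdlib only)."""
from __future__ import annotations

DIRSYNC_OID = "1.2.840.113556.1.4.841"
SYNC_REQUEST_OID = "1.3.6.1.4.1.4203.1.9.1.1"

# DirSync flag bits (MS-ADTS 3.1.1.3.4.1.3)
LDAP_DIRSYNC_OBJECT_SECURITY = 0x00000001      # apply the caller's read ACLs
LDAP_DIRSYNC_ANCESTORS_FIRST_ORDER = 0x00000800
LDAP_DIRSYNC_PUBLIC_DATA_ONLY = 0x00002000
LDAP_DIRSYNC_INCREMENTAL_VALUES = 0x80000000   # only changed values of multi-valued attributes


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0a): minimal two's-complement content."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    body = value.to_bytes(nbytes, "big", signed=True)
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_octets(data: bytes) -> bytes:
    return b"\x04" + _ber_len(len(data)) + data


def _ber_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _ber_len(len(body)) + body


def _ber_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dirsync_request_value(cookie: bytes, flags: int, max_bytes: int = 0) -> bytes:
    """DirSyncRequestValue ::= SEQUENCE { Flags INTEGER, MaxBytes INTEGER, Cookie OCTET STRING }.
    Empty cookie = full initial pass. Flags is sent as a signed 32-bit INTEGER (assumption:
    the usual client convention, so 0x80000000 goes on the wire as -2147483648)."""
    flags &= 0xFFFFFFFF
    if flags & 0x80000000:
        flags -= 1 << 32
    return _ber_seq(_ber_int(flags), _ber_int(max_bytes), _ber_octets(cookie))


def dirsync_response_parse(value: bytes) -> tuple[bool, bytes]:
    """DirSyncResponseValue ::= SEQUENCE { MoreResults INTEGER, unused INTEGER, CookieServer OCTET STRING }.
    MoreResults != 0 means the change set was cut at MaxBytes: re-send with this cookie."""
    tag, body, _ = _ber_read(value)
    if tag != 0x30:
        raise ValueError("DirSync response value is not a SEQUENCE")
    _, more, pos = _ber_read(body)
    _, _unused, pos = _ber_read(body, pos)
    tag, cookie, _ = _ber_read(body, pos)
    if tag != 0x04:
        raise ValueError("cookie is not an OCTET STRING")
    return int.from_bytes(more, "big", signed=True) != 0, bytes(cookie)


def syncrepl_request_value(mode: str, cookie: bytes | None = None, reload_hint: bool = False) -> bytes:
    """syncRequestValue ::= SEQUENCE { mode ENUMERATED {refreshOnly(1), refreshAndPersist(3)},
    cookie OCTET STRING OPTIONAL, reloadHint BOOLEAN DEFAULT FALSE } (RFC 4533 section 2.2).
    refreshOnly suits a scheduled incremental; refreshAndPersist streams changes (CDP-style)."""
    modes = {"refreshOnly": 1, "refreshAndPersist": 3}
    parts = [_ber_int(modes[mode], tag=0x0A)]
    if cookie is not None:
        parts.append(_ber_octets(cookie))
    if reload_hint:  # DEFAULT FALSE, so only encoded when true
        parts.append(b"\x01\x01\xff")
    return _ber_seq(*parts)


def constructed_dirsync_response(more_results: bool, cookie: bytes) -> bytes:
    """Constructed stand-in for the control value a DC returns (assumption: offline demo only;
    a real job reads it from the controls on the SearchResultDone message)."""
    return _ber_seq(_ber_int(1 if more_results else 0), _ber_int(0), _ber_octets(cookie))


def drain_dirsync(initial_cookie: bytes, responses: list[bytes], flags: int) -> tuple[bytes, list[bytes]]:
    """One run: send a DirSync request, feed the returned cookie into the next request until
    MoreResults is 0. Returns (cookie to checkpoint, requests sent). Checkpointing the final
    cookie is what turns the next job into an incremental instead of a full dump."""
    cookie, sent = initial_cookie, []
    for resp in responses:
        sent.append(dirsync_request_value(cookie, flags, max_bytes=1 << 20))  # 1 MiB page: assumption
        more, cookie = dirsync_response_parse(resp)
        if not more:
            break
    return cookie, sent


if __name__ == "__main__":
    run1, _ = drain_dirsync(b"", [constructed_dirsync_response(True, b"C1"),
                                  constructed_dirsync_response(False, b"C2")], LDAP_DIRSYNC_OBJECT_SECURITY)
    print("checkpoint after run 1:", run1)
```

Two operational points follow from the cookie round trip: the checkpoint cookie is as sensitive as the backup catalog (anyone who can replay it with the service account's credentials can pull the delta), and a lost or corrupted cookie silently degrades the next job to a full pass, so it is worth alerting on a cookie that is unexpectedly empty.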
6. Supported platforms
- Microsoft Active Directory: Server 2012 R2 → 2025, Samba AD DC
- OpenLDAP: slapd 2.4 / 2.5 / 2.6
- 389 Directory Server / Red Hat DS / FreeIPA
- (Stretch) ApacheDS, OpenDJ — best-effort via the generic ldap mode
7. License posture
Proprietary — Copyright (c) 2026 Heitor Faria, all rights reserved. It does not statically link any Bacula AGPLv3 source. The cdylib is pure Rust, bound to the FD through the in-house bacula-fd-abi crate and an independent extern "C" interface.
Want to follow the alpha?
Free 30-day trial for qualified AD/LDAP deployments after v0.1.0 release. We guarantee at least 50% off vs Bacula Enterprise, Veeam, or Commvault, with more features — including cross-vendor replication and hybrid_sysvol that no competitor delivers out-of-the-box.
Heitor Faria — Founder, PodHeitor International
✉ [email protected]
☎ +1 (789) 726-1749 · +55 (61) 98268-4220 (WhatsApp)
🔗 PodHeitor AD/LDAP plugin page