Toolserver:Admin:LDAP
This page was moved from the Toolserver wiki.
Toolserver has been replaced by Toolforge. As such, the instructions here may no longer work, but may still be of historical interest.
Please help by updating examples, links, template links, etc. If a page is still relevant, move it to a normal title and leave a redirect.
We use LDAP for two things:
- storing Unix accounts for the main cluster
- storing web accounts for the web properties (e.g. JIRA, MediaWiki)
These are two separate instances.
LDAP quickstart
LDAP is a simple hierarchical key-value database. The values are objects with various attributes. One attribute, the naming attribute, is used to look up the object. The value of the naming attribute is combined with the suffix to create the Distinguished Name (DN). For example, if the naming attribute for an object was uid, the 'uid' attribute was river, and the suffix was ou=people,o=unix,o=toolserver, then the DN would be uid=river,ou=people,o=unix,o=toolserver. This is the unique name for identifying that particular object.
Most objects are created under an Organizational Unit (OU); for example, ou=people,o=unix,o=toolserver is an OU.
Unix accounts
LDAP entries for Unix accounts are stored on the HA cluster, using Sun Directory Server Enterprise Edition (docs). DSEE is installed in /opt/SUNWdsee, and the data is in /global/misc/ldap.
If LDAP is offline, the entire cluster will be down. You therefore need to be very careful when doing anything with the LDAP server. If the LDAP server breaks, you have about 5 minutes to fix it before nscd starts expiring its cache.
The canonical name for the Unix LDAP server is ldap.toolserver.org.
Schema
The Unix server uses the following OUs:
- ou=people,o=unix,o=toolserver - Unix accounts, naming attribute = uid
- ou=group,o=unix,o=toolserver - Unix groups, naming attribute = cn
- ou=SUDOers,o=unix,o=toolserver - sudo authorisation entries
- ou=aliases,o=unix,o=toolserver - Mail aliases
- ou=hosts,o=unix,o=toolserver - Hostname entries (like /etc/hosts)
- ou=profile,o=unix,o=toolserver - Special objects used for system administration
- ou=netgroup,o=unix,o=toolserver - NIS netgroups, special groups of hosts and/or users used for access control
- ou=SolarisProfAttr,o=unix,o=toolserver - Solaris RBAC profiles
- ou=SolarisExecAttr,o=unix,o=toolserver - Solaris RBAC profiles
- ou=projects,o=unix,o=toolserver - Solaris projects
- ou=services,o=unix,o=toolserver - Service entries (like /etc/services)
For custom attributes, our PEN is 33298, making our OID iso.org.dod.internet.private.enterprise.33298 (1.3.6.1.4.33298). This is allocated to the Toolserver as follows:
- 1.3.6.1.4.33298.1 - Wikimedia Foundation
- 1.3.6.1.4.33298.2 - Wikimedia chapters
- 1.3.6.1.4.33298.2.1 - Wikimedia Deutschland
- 1.3.6.1.4.33298.2.1.1 - Wikimedia Toolserver
Custom attributes:
- 1.3.6.1.4.33298.2.1.1.1 - toolserverUser class
- 1.3.6.1.4.33298.2.1.1.2 - tsDefaultLicense attribute
Web accounts
Web accounts are stored in the LDAP server on amaranth. Usually, you'd want to edit this using Crowd. However, you can also edit the directory directly if necessary.
Schema
The web directory uses these OUs:
- ou=People,o=web,o=toolserver - accounts, naming attribute = cn
- ou=group,o=web,o=toolserver - groups, naming attribute = cn
- ou=profile,o=web,o=toolserver - special objects for administration
- ou=role,o=web,o=toolserver - Crowd role definitions
Because there are no administrator accounts in the web directory, you will need to authenticate as cn=Directory Manager, using the misc services password. Use /opt/dsee/dsrk6/bin/ldapsearch and /opt/dsee/dsrk6/bin/ldapmodify, not the versions in /usr/bin.
Searching and editing the directory
The easiest way to edit the directory is with ldapvi. However, you can also use ldapmodify (described below), especially if you need to edit the directory from a script or do bulk modifications.
Searching
To search the directory, you need a search string. This is one or more conditions that describe the object you want to find, for example:
- (objectclass=posixAccount) - find all posixAccount objects
- (&(objectclass=posixGroup)(memberUid=river)) - find all the posixGroups that river is a member of
- (&(objectclass=posixAccount)(uid=a*)) - find all user accounts starting with 'a'
You can use any object attribute in a search string. Boolean operators available are &, |, and !. Comparison operators are =, <=, and >=.
Once you have your search string, search using ldapsearch:
% ldapsearch -Duid=rriver,ou=people,o=unix,o=toolserver -h ldap -b o=unix,o=toolserver '(objectClass=posixAccount)'
- -D: your DN to authenticate
- -b: base for the search
- the final argument: the search string
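A search string is assembled from attribute conditions, so any value that comes from user input (a uid, a prefix) has to be escaped before it is spliced into the filter; otherwise the input can change the filter's structure instead of just its value. The helpers below are an added example, not code from the original page: they build the filters listed above with RFC 4515 escaping, and the function names are mine.

```python
# Added example: build LDAP search filters with RFC 4515 value escaping.
# RFC 4515 reserves '*', '(', ')', '\' and NUL inside an assertion value;
# each is replaced by a backslash and its two-digit hex code.

def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match literally."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def eq(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return '(%s=%s)' % (attr, escape_filter_value(value))


def prefix(attr: str, value: str) -> str:
    """Substring filter for values starting with `value`; the trailing
    '*' is the only wildcard, the caller's text cannot add more."""
    return '(%s=%s*)' % (attr, escape_filter_value(value))


def and_(*filters: str) -> str:
    return '(&%s)' % ''.join(filters)


def or_(*filters: str) -> str:
    return '(|%s)' % ''.join(filters)


def not_(f: str) -> str:
    return '(!%s)' % f


def groups_of(uid: str) -> str:
    """The page's second example: posixGroups that `uid` belongs to."""
    return and_(eq('objectclass', 'posixGroup'), eq('memberUid', uid))


def accounts_starting_with(letter: str) -> str:
    """The page's third example: user accounts whose uid starts with `letter`."""
    return and_(eq('objectclass', 'posixAccount'), prefix('uid', letter))


if __name__ == '__main__':
    print(groups_of('river'))
    # A crafted uid is matched literally rather than widening the search:
    print(groups_of('river)(uid=*'))
```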
Editing
To edit the directory, first create an LDIF input file. LDIF looks like this:
dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: modify
replace: shadowExpire
shadowExpire: 12345
That would change the shadowExpire attribute of the requested DN.
To add a new object:
dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: add
uid: rriver
uidNumber: 1000
...
Or to delete an object:
dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: delete
You can include multiple changes in the same file, separated by a blank line:
dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: modify
replace: shadowExpire
shadowExpire: 12345
-

dn: uid=otheruser,ou=people,o=unix,o=toolserver
changetype: delete
Once you have your LDIF file, feed it to ldapmodify:
% ldapmodify -Duid=rriver,ou=people,o=unix,o=toolserver -h ldap -f file.ldif
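When ldapmodify is driven from a script for bulk changes, the script has to emit well-formed LDIF: one record per DN, records separated by a blank line, each modify operation closed with a "-" line, and any value that RFC 2849 does not allow in clear form (leading space, ':' or '<', non-ASCII, embedded newlines) written base64-encoded with a double colon. The generator below is an added example, not the page's or Toolserver's own tooling; the function names and the sample uids are mine.

```python
# Added example: generate an LDIF change file for a bulk ldapmodify run.
import base64


def attr_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: base64' when the value is not a
    SAFE-STRING under RFC 2849 (non-ASCII, leading ' ', ':' or '<',
    or containing NUL/CR/LF)."""
    unsafe = (not value.isascii()
              or value[:1] in (' ', ':', '<')
              or any(c in value for c in '\x00\r\n'))
    if unsafe:
        b64 = base64.b64encode(value.encode('utf-8')).decode('ascii')
        return f"{attr}:: {b64}"
    return f"{attr}: {value}"


def modify(dn: str, replacements: dict) -> str:
    """changetype: modify, replacing each attribute with the given values."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, values in replacements.items():
        lines.append(f"replace: {attr}")
        lines.extend(attr_line(attr, v) for v in values)
        lines.append("-")          # terminates this mod-spec
    return "\n".join(lines) + "\n"


def add(dn: str, attrs: dict) -> str:
    """changetype: add with all attributes of the new entry."""
    lines = [f"dn: {dn}", "changetype: add"]
    for attr, values in attrs.items():
        lines.extend(attr_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def delete(dn: str) -> str:
    return f"dn: {dn}\nchangetype: delete\n"


def ldif(*records: str) -> str:
    """Join records with the blank line LDIF requires between them."""
    return "\n".join(records)


def expire_accounts(uids, day: int) -> str:
    """Bulk change: set shadowExpire on every listed Unix account."""
    return ldif(*(modify(f"uid={u},ou=people,o=unix,o=toolserver",
                         {"shadowExpire": [str(day)]}) for u in uids))


if __name__ == '__main__':
    # Constructed sample uids; write the result to a file for ldapmodify -f.
    print(expire_accounts(["rriver", "otheruser"], 12345), end="")
```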