Toolserver:Admin:LDAP

From mediawiki.org

This page was moved from the Toolserver wiki.
Toolserver has been replaced by Toolforge. As such, the instructions here may no longer work, but may still be of historical interest.
Please help by updating examples, links, template links, etc. If a page is still relevant, move it to a normal title and leave a redirect.

We use LDAP for two things:

  • storing Unix accounts for the main cluster
  • storing web accounts for the web properties (e.g. JIRA, MediaWiki)

These are two separate instances.

LDAP quickstart

LDAP is a simple hierarchical key-value database. The values are objects with various attributes. One attribute, the naming attribute, is used to look up the object. The naming attribute and its value are combined with the suffix to create the Distinguished Name (DN). For example, if the naming attribute for an object was uid, the value of the uid attribute was river, and the suffix was ou=people,o=unix,o=toolserver, then the DN would be uid=river,ou=people,o=unix,o=toolserver. This is the unique name identifying that particular object.

Most objects are created under an Organizational Unit (OU); for example, ou=people,o=unix,o=toolserver is an OU.
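The DN composition described above, as an added worked example (not code from the Toolserver wiki): it builds a DN from a naming attribute, its value and a suffix, and splits one back into RDNs. The escaping follows RFC 4514, so a value that itself contains a comma, plus sign, quote or leading/trailing space (as a cn in the web directory easily can) cannot be mistaken for DN structure; SUFFIX is taken from the page, the sample values are constructed.

```python
"""Build and split Distinguished Names (RFC 4514).

Added example, not code from the Toolserver wiki. It reproduces the
naming-attribute + suffix composition from the quickstart, with the
escaping a directory client needs so that characters like ',' or '+'
inside a value are not read as RDN separators.
"""
import re
from typing import List, Tuple

SUFFIX = "ou=people,o=unix,o=toolserver"    # suffix named on the page


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:              # leading '#' would mean "hex-encoded value"
            out.append("\\#")
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")                   # leading/trailing spaces are otherwise trimmed
        else:
            out.append(ch)
    return "".join(out)


def build_dn(naming_attr: str, value: str, suffix: str) -> str:
    """Compose <attr>=<escaped value>,<suffix>, exactly as the quickstart describes."""
    if not value:
        raise ValueError("naming attribute value must not be empty")
    return "%s=%s,%s" % (naming_attr, escape_dn_value(value), suffix)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attr, unescaped value) RDNs, honouring backslash escapes."""
    rdns: List[Tuple[str, str]] = []
    attr, buf, i = None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):   # \XX hex form
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:                                                # \<char> form
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = "".join(buf), []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdns.append((attr, "".join(buf)))
    return rdns


if __name__ == "__main__":
    # constructed values; 'river' is the uid used in the page's own example
    print(build_dn("uid", "river", SUFFIX))
    print(build_dn("cn", "Smith, John", "ou=People,o=web,o=toolserver"))
    print(split_dn("cn=Smith\\, John,ou=People,o=web,o=toolserver"))
```

Whenever a DN is assembled from a value that did not come from the directory itself (a form field, a JIRA username), pass it through escape_dn_value first; an unescaped comma would silently turn one RDN into two and the lookup or modify would hit a different entry than intended.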


Unix accounts

LDAP entries for Unix accounts are stored on the HA cluster, using Sun Directory Server Enterprise Edition (docs). DSEE is installed in /opt/SUNWdsee, and the data is in /global/misc/ldap.

If LDAP is offline, the entire cluster will be down. You therefore need to be very careful when doing anything with the LDAP server. If the LDAP server breaks, you have about 5 minutes to fix it before nscd starts expiring its cache.

The canonical name for the Unix LDAP server is ldap.toolserver.org.

Schema

The Unix server uses the following OUs:

  • ou=people,o=unix,o=toolserver - Unix accounts, naming attribute = uid
  • ou=group,o=unix,o=toolserver - Unix groups, naming attribute = cn
  • ou=SUDOers,o=unix,o=toolserver - sudo authorisation entries
  • ou=aliases,o=unix,o=toolserver - Mail aliases
  • ou=hosts,o=unix,o=toolserver - Hostname entries (like /etc/hosts)
  • ou=profile,o=unix,o=toolserver - Special objects used for system administration
  • ou=netgroup,o=unix,o=toolserver - NIS netgroups, special groups of hosts and/or users used for access control
  • ou=SolarisProfAttr,o=unix,o=toolserver - Solaris RBAC profiles
  • ou=SolarisExecAttr,o=unix,o=toolserver - Solaris RBAC profiles
  • ou=projects,o=unix,o=toolserver - Solaris projects
  • ou=services,o=unix,o=toolserver - Service entries (like /etc/services)

For custom attributes, our PEN is 33298, making our OID iso.org.dod.internet.private.enterprise.33298 (1.3.6.1.4.33298). This is allocated to the Toolserver as follows:

1.3.6.1.4.33298.1 Wikimedia Foundation
1.3.6.1.4.33298.2 Wikimedia chapters
1.3.6.1.4.33298.2.1 Wikimedia Deutschland
1.3.6.1.4.33298.2.1.1 Wikimedia Toolserver

Custom attributes:

1.3.6.1.4.33298.2.1.1.1 toolserverUser class
1.3.6.1.4.33298.2.1.1.2 tsDefaultLicense attribute

Web accounts

Web accounts are stored in the LDAP server on amaranth. Usually, you'd want to edit this using Crowd. However, you can also edit the directory directly if necessary.

Schema

The web directory uses these OUs:

  • ou=People,o=web,o=toolserver - accounts, naming attribute = cn
  • ou=group,o=web,o=toolserver - groups, naming attribute = cn
  • ou=profile,o=web,o=toolserver - special objects for administration
  • ou=role,o=web,o=toolserver - Crowd role definitions

Because there are no administrator accounts in the web directory, you will need to authenticate as cn=Directory Manager, using the misc services password. Use /opt/dsee/dsrk6/bin/ldapsearch and /opt/dsee/dsrk6/bin/ldapmodify, not the versions in /usr/bin.

Searching and editing the directory

The easiest way to edit the directory is with ldapvi. However, you can also use ldapmodify (described below), especially if you need to edit the directory from a script or do bulk modifications.

Searching

To search the directory, you need a search string. This is one or more conditions that describe the object you want to find, for example:

  • (objectclass=posixAccount) - find all posixAccount objects
  • (&(objectclass=posixGroup)(memberUid=river)) - find all the posixGroups that river is a member of
  • (&(objectclass=posixAccount)(uid=a*)) - find all user accounts starting with 'a'

You can use any object attribute in a search string. Boolean operators available are &, |, and !. Comparison operators are =, <=, and >=.

Once you have your search string, search using ldapsearch:

% ldapsearch -Duid=rriver,ou=people,o=unix,o=toolserver -h ldap -b o=unix,o=toolserver '(objectClass=posixAccount)'
             ^- Your DN to authenticate                         ^- Base for the search  ^- The search string
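The search strings above can be tried out without a directory server. The following is an added example, not Toolserver code: a small evaluator for the filter syntax this section describes (the &, | and ! operators, =, <= and >= comparisons, and * wildcards) run over a few constructed entries shaped like the ou=people and ou=group trees. It also includes RFC 4515 escaping for values that are inserted into a filter from elsewhere, so that a * or ) inside a username is matched literally instead of changing what the filter means.

```python
"""Evaluate LDAP search filters (RFC 4515 subset) against in-memory entries.

Added example, not Toolserver code. It mimics what the directory server
does with the search string passed to ldapsearch, so the filters from
this page can be exercised offline on constructed sample entries.
"""
import re
from typing import Dict, List, Tuple, Union

Entry = Dict[str, List[str]]        # attribute name (lower-cased) -> values

# Constructed sample directory in the shape of the Toolserver Unix tree.
DIRECTORY: Dict[str, Entry] = {
    "uid=river,ou=people,o=unix,o=toolserver": {
        "objectclass": ["posixAccount", "shadowAccount"],
        "uid": ["river"], "uidnumber": ["1000"], "shadowexpire": ["12345"],
    },
    "uid=amy,ou=people,o=unix,o=toolserver": {
        "objectclass": ["posixAccount", "shadowAccount"],
        "uid": ["amy"], "uidnumber": ["1001"],
    },
    "cn=tools,ou=group,o=unix,o=toolserver": {
        "objectclass": ["posixGroup"], "cn": ["tools"],
        "gidnumber": ["500"], "memberuid": ["river", "amy"],
    },
    "cn=admins,ou=group,o=unix,o=toolserver": {
        "objectclass": ["posixGroup"], "cn": ["admins"],
        "gidnumber": ["501"], "memberuid": ["river"],
    },
}

Node = Union[Tuple[str, list], Tuple[str, str, str]]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the value is then matched literally, never as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str) -> Node:
    """Recursive-descent parser for (&...), (|...), (!...) and simple items."""
    pos = 0

    def parse() -> Node:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos >= len(text):
            raise ValueError("truncated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        # Simple item: an unescaped ')' cannot occur inside a value, so the
        # next ')' terminates the item.
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated item")
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9.;-]*)(<=|>=|=)(.*)", text[pos:end], re.S)
        if not m:
            raise ValueError("bad item %r" % text[pos:end])
        pos = end + 1
        attr, cmp, val = m.groups()
        return (cmp, attr.lower(), val)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _ordered(a: str, b: str) -> int:
    """Compare as integers when both parse (uidNumber etc.), else case-insensitively."""
    try:
        x, y = int(a), int(b)
    except ValueError:
        x, y = a.lower(), b.lower()
    return (x > y) - (x < y)


def evaluate(node: Node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    cmp, attr, pattern = node
    values = entry.get(attr, [])
    if cmp == "=":
        if pattern == "*":                       # presence test
            return bool(values)
        # '*' is a wildcard; everything else is literal after unescaping
        rx = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
        return any(re.match(rx, v, re.I) for v in values)
    target = _unescape(pattern)
    if cmp == "<=":
        return any(_ordered(v, target) <= 0 for v in values)
    return any(_ordered(v, target) >= 0 for v in values)    # ">="


def search(filter_text: str, directory: Dict[str, Entry] = DIRECTORY) -> List[str]:
    """Return the DNs of matching entries, like ldapsearch's result set."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if evaluate(node, entry))


if __name__ == "__main__":
    for f in ["(objectclass=posixAccount)",
              "(&(objectclass=posixGroup)(memberUid=river))",
              "(&(objectclass=posixAccount)(uid=a*))",
              "(uid=%s)" % escape_filter_value("a*")]:   # literal 'a*', not a prefix
        print(f, "->", search(f))
```

The last filter in the demo is the point of escape_filter_value: with escaping, the string a* is looked up as the literal name a* and matches nothing, whereas the page's (uid=a*) is a prefix match. Build filters from user-supplied values only through that function; on the Unix directory a malformed filter is mostly a wrong result set, but on the web directory it is what decides which account a Crowd login maps to.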

Editing

To edit the directory, first create an LDIF input file. LDIF looks like this:

dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: modify
replace: shadowExpire
shadowExpire: 12345
-

That would set the shadowExpire attribute of the entry with that DN. The replace: line names the attribute being modified (add: and delete: work the same way), and the line containing only - closes the modification.

To add a new object:

dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: add
uid: rriver
uidNumber: 1000
...

Or to delete an object:

dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: delete

You can include multiple changes in the same file, separated by a blank line:

dn: uid=rriver,ou=people,o=unix,o=toolserver
changetype: modify
replace: shadowExpire
shadowExpire: 12345
-

dn: uid=otheruser,ou=people,o=unix,o=toolserver
changetype: delete

Once you have your LDIF file, feed it to ldapmodify:

% ldapmodify -Duid=rriver,ou=people,o=unix,o=toolserver -h ldap -f file.ldif
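For scripted or bulk modifications it is safer to generate the LDIF than to hand-write it. The following is an added example, not Toolserver code: it emits modify, add and delete change records in the shape ldapmodify accepts per RFC 2849 (a replace:/add:/delete: line before the values, a - line closing each modification, records separated by one blank line) and switches to the base64 form (attr:: value) for values that are not safe to write literally, such as non-ASCII names or values with a leading space. DNs and values in the demo are constructed.

```python
"""Generate RFC 2849 LDIF change records for ldapmodify.

Added example, not Toolserver code. It writes the modify / add / delete
records shown on this page so that a script producing bulk changes cannot
silently emit a malformed file (missing 'replace:' line, missing '-',
unencoded non-ASCII value).
"""
import base64
from typing import Dict, List, Sequence, Tuple


def _attr_line(name: str, value: str) -> str:
    """'name: value', or 'name:: base64' when the value is not LDIF-safe.

    Unsafe per RFC 2849: non-ASCII or non-printable characters, a leading
    space, ':' or '<', or a trailing space.  Lines are not folded at 76
    columns here; ldapmodify accepts long lines.
    """
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def modify_record(dn: str, changes: Sequence[Tuple[str, str, Sequence[str]]]) -> str:
    """changes: (op, attr, values) with op in add/replace/delete; each ends with '-'."""
    lines = [_attr_line("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError("unknown modify operation %r" % op)
        lines.append("%s: %s" % (op, attr))
        lines.extend(_attr_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def add_record(dn: str, attrs: Dict[str, Sequence[str]]) -> str:
    """A changetype: add record listing every attribute of the new entry."""
    lines = [_attr_line("dn", dn), "changetype: add"]
    for attr, values in attrs.items():
        lines.extend(_attr_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def delete_record(dn: str) -> str:
    """A changetype: delete record; it takes no modification lines and no '-'."""
    return "%s\nchangetype: delete\n" % _attr_line("dn", dn)


def ldif_file(records: Sequence[str]) -> str:
    """Join records with exactly one blank line between them."""
    return "\n".join(records)


if __name__ == "__main__":
    # constructed DNs; the shadowExpire change is the page's own example
    print(ldif_file([
        modify_record("uid=rriver,ou=people,o=unix,o=toolserver",
                      [("replace", "shadowExpire", ["12345"])]),
        add_record("uid=newuser,ou=people,o=unix,o=toolserver",
                   {"objectClass": ["posixAccount", "shadowAccount"],
                    "uid": ["newuser"], "uidNumber": ["1002"],
                    "gecos": ["Jörg Example"]}),           # non-ASCII -> base64 line
        delete_record("uid=otheruser,ou=people,o=unix,o=toolserver"),
    ]), end="")
```

Write the result to a file and pass it with -f as shown above; because a single bad record makes ldapmodify stop at that point, a generator that always emits the replace: and - lines removes the most common cause of a half-applied batch.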

Category:Admin:Software