Networking/LDAP

From popdata

Org Structure

  • dc=popdata,dc=bc,dc=ca
    • ou=groups
    • ou=users
      • ou=phlo
      • ou=chspr
      • ou=help
      • ou=soeh
      • ou=external
    • ou=idmap
    • ou=computers


LDAP commands/hints

  • Complete dump of LDAP
ldapsearch -x -W -D cn=admin,dc=popdata,dc=bc,dc=ca -b dc=popdata,dc=bc,dc=ca > ldap-`date +%Y%m%d`.out
  • change an account from an LDIF file:
ldapmodify -c -f change.ldif -D cn=admin,dc=popdata,dc=bc,dc=ca -W -x
  • Sample change.ldif file

dn: uid=ambroemeling,ou=external,ou=users,dc=phlo,dc=ubc,dc=ca
changetype: modify
replace: objectClass
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount

dn: uid=gstoddart,ou=external,ou=users,dc=phlo,dc=ubc,dc=ca
changetype: modify
replace: objectClass
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount

  • add a Samba account to an LDAP account
smbldap-usermod -a jim
  • reset expired account
smbldap-usermod -J -B 0 -e '2030-01-01 12:00:00' kkerluke

Setting up Replication

  • edit slapd.conf on the master and add the following (in the same place as the commented-out example):
replogfile      /var/lib/ldap/replog

replica uri=ldaps://ldaprz.phlo.ubc.ca:636
        binddn="cn=Replicator,dc=phlo,dc=ubc,dc=ca"
        bindmethod=simple
        credentials=gandalf
  • create a replica user with this user.ldif:
dn: cn=Replicator,dc=phlo,dc=ubc,dc=ca
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: Replicator
description: LDAP Replica User
userPassword:: e2NyeXB0fU9KOENIci4uckxXTkU=
  • set the password for the replicator user
ldappasswd -x -W -D cn=admin,dc=phlo,dc=ubc,dc=ca -b dc=phlo,dc=ubc,dc=ca cn=Replicator,dc=phlo,dc=ubc,dc=ca
  • stop the master
/etc/init.d/slapd stop
  • copy all the files
cd /var/lib
tar cvf ldap.tar ldap
  • start the master again
/etc/init.d/slapd start
  • copy the ldap.tar file to the replica
  • stop the replica
/etc/init.d/slapd stop
  • edit the replica's slapd.conf and add:
updatedn        "cn=Replicator,dc=phlo,dc=ubc,dc=ca"
updateref       ldaps://ldap.phlo.ubc.ca:389
  • the rest of the config file should be the same as on the master, except without the replogfile/replica section added above
  • unpack the files from the master into the correct place:
cd /var/lib
mv ldap ldap.bak
tar xvf ldap.tar
  • start the replica
/etc/init.d/slapd start
  • watch the log on the replica and make a change to an entry on the master
tail -f /var/log/debug
...
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 fd=14 ACCEPT from IP=10.80.20.80:59438 (IP=0.0.0.0:636) 
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 fd=14 TLS established tls_ssf=256 ssf=256 
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=0 BIND dn="cn=Replicator,dc=phlo,dc=ubc,dc=ca" method=128 
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=0 BIND dn="cn=Replicator,dc=phlo,dc=ubc,dc=ca" mech=SIMPLE ssf=0 
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=0 RESULT tag=97 err=0 text= 
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=1 MOD dn="uid=jmintha,ou=phlo,ou=Users,dc=phlo,dc=ubc,dc=ca" 
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=1 MOD attr=displayName entryCSN modifiersName modifyTimestamp 
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=1 RESULT tag=103 err=0 text=
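Added example, not part of the original wiki page: a Python check that parses slapd stats-level log lines like the excerpt above, confirms that each Replicator bind came in over TLS from the master's address and succeeded, and counts the MOD operations that were replicated. The sample lines are constructed from the excerpt (master IP 10.80.20.80) plus an added connection with a failed bind; the function name and its arguments are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/debug excerpt above; conn=8 is an added
# failed bind (err=49 is LDAP invalidCredentials) from another host, so the check has something to flag.
SAMPLE_LOG = """\
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 fd=14 ACCEPT from IP=10.80.20.80:59438 (IP=0.0.0.0:636)
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 fd=14 TLS established tls_ssf=256 ssf=256
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=0 BIND dn="cn=Replicator,dc=phlo,dc=ubc,dc=ca" method=128
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=0 RESULT tag=97 err=0 text=
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=1 MOD dn="uid=jmintha,ou=phlo,ou=Users,dc=phlo,dc=ubc,dc=ca"
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=1 MOD attr=displayName entryCSN modifiersName modifyTimestamp
Oct 26 16:03:16 mackenzie slapd[31760]: conn=7 op=1 RESULT tag=103 err=0 text=
Oct 26 16:05:02 mackenzie slapd[31760]: conn=8 fd=15 ACCEPT from IP=10.80.20.99:40112 (IP=0.0.0.0:636)
Oct 26 16:05:02 mackenzie slapd[31760]: conn=8 fd=15 TLS established tls_ssf=256 ssf=256
Oct 26 16:05:02 mackenzie slapd[31760]: conn=8 op=0 BIND dn="cn=Replicator,dc=phlo,dc=ubc,dc=ca" method=128
Oct 26 16:05:02 mackenzie slapd[31760]: conn=8 op=0 RESULT tag=97 err=49 text=
"""

# One regex per slapd log shape we care about: connection accept, TLS handshake, and operations.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|MOD|RESULT)(?: dn="([^"]*)")?(?:.*err=(\d+))?')

def check_replication(log_text, replicator_dn, master_ip):
    # Per-connection state: peer address, TLS seen, bound DN, and op -> [kind, result code].
    conns = defaultdict(lambda: {"peer": None, "tls": False, "bind_dn": None, "ops": {}})
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]]["peer"] = m[2]
        elif m := TLS_RE.search(line):
            conns[m[1]]["tls"] = True
        elif m := OP_RE.search(line):
            conn, op, kind, dn, err = m.groups()
            c = conns[conn]
            if kind == "BIND":
                c["bind_dn"], c["ops"][op] = dn, ["BIND", None]
            elif kind == "MOD" and dn:            # the 'MOD dn=' line, not the 'MOD attr=' line
                c["ops"][op] = ["MOD", None]
            elif kind == "RESULT" and op in c["ops"]:
                c["ops"][op][1] = int(err) if err else None   # attach the result code to its op
    mods, alerts = 0, []
    for conn, c in conns.items():
        if c["bind_dn"] != replicator_dn:          # only look at replication connections
            continue
        bind_err = next((e for k, e in c["ops"].values() if k == "BIND"), None)
        if not c["tls"]:
            alerts.append(f"conn={conn}: replicator bind without TLS from {c['peer']}")
        if c["peer"] != master_ip:
            alerts.append(f"conn={conn}: replicator bind from unexpected host {c['peer']}")
        if bind_err != 0:
            alerts.append(f"conn={conn}: replicator BIND failed err={bind_err}")
        mods += sum(1 for k, e in c["ops"].values() if k == "MOD" and e == 0)
    return {"replicated_mods": mods, "alerts": alerts}
```

Run it against the replica's log after making a test change on the master; a clean run returns one replicated MOD per change and an empty alert list.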