Services/LDAP


LDAP Servers

Champlain is primary

Running slapd (openldap)

  • /etc/init.d/slapd start
  • /etc/default/slapd: SLAPD_USER="openldap" SLAPD_GROUP="openldap"
  • /usr/sbin/slapd -h ldap:/// ldapi:/// ldaps:/// -g openldap -u openldap -f /etc/ldap/slapd.conf

MacKenzie (RedZone) replicates Champlain

Cook (YellowZone) replicates Champlain (soon 2012-02)

Changes by Denis 2012-02-22

  • Copied from MacKenzie /etc/ldap/* via ~dlaplante/
    • 41156 Feb 21 10:04 mac-etc-ldap.tgz
    • 9590506 Feb 21 10:04 mac-var-lib-popdata-ldap.tgz
  • Change /etc/hosts - replace hudson with cook (!?)
  • Change /etc/ldap/ldap.conf URI
  • apt-get install slapd
    • Asks: Please enter the password for the admin entry in your LDAP directory.
    • Asks to overwrite files in /etc/ldap/schema/ (yes)
    • Error: mkdir: cannot create directory `/etc/ldap/slapd.conf': File exists
    • Added user openldap and group openldap (different numbers than champlain)
    • Did not add rc*.d links (?? use insserv ?? no, use update-rc.d)
  • Changed in slapd.conf, in the syncrepl stanza:
    • rid=124 (MacKenzie uses 123)
    • keep the same provider=ldaps://ldap.popdata.bc.ca
    • type=refreshOnly
    • interval=00:00:01:00 (1m)
    • searchbase="dc=popdata,dc=bc,dc=ca"
    • binddn="cn=sync,dc=popdata,dc=bc,dc=ca"
    • credentials=...
  • What about: TLSCertificateFile /etc/ldap/ldaprz-cert.pem
  • Syslog to local4. See slapd.conf(5). Default: loglevel stats ("connections, LDAP operations, results")
    • temporarily added to slapd.conf "loglevel stats conns sync"; get thousands of lines in syslog, and files in /var/lib/popdata-ldap/
  • Added "slapd: ALL" to /etc/hosts.allow to match Champlain
  • Jim changed "https" to "http" in "provider=", else got error

Test: list group sre-users on Cook, logging in as dlaplante, demand TLS (-ZZ).

  • H=cook; U=dlaplante; LDAP_HOST=${H}.popdata.bc.ca; LDAP_BASE=dc=popdata,dc=bc,dc=ca; LDAP_LOGIN="uid=${U},ou=popdata,ou=users,dc=popdata,dc=bc,dc=ca"
  • G=admins; ldapsearch -b ou=groups,$LDAP_BASE -h $LDAP_HOST -D $LDAP_LOGIN -W -ZZ -x cn="$G" memberUid
# admins, groups, popdata.bc.ca
dn: cn=admins,ou=groups,dc=popdata,dc=bc,dc=ca
memberUid: jim
[...]
memberUid: dlaplante
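The group listing above checks that a consumer answers queries, but not that its copy is current. The script below is an added example (not from the popdata wiki) that compares the contextCSN of the suffix entry on the provider and on a consumer; syncrepl advances the consumer's contextCSN as it applies changes, so a consumer whose CSN sorts before the provider's is lagging. The suffix, the -ZZ usage and the cook/mackenzie names come from the page; the host pattern champlain.popdata.bc.ca, anonymous read access to contextCSN, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the popdata wiki: check whether a syncrepl consumer
# (cook or mackenzie) has caught up with the provider (champlain) by comparing
# the contextCSN of the suffix entry on each server.  The suffix and the
# StartTLS requirement (-ZZ) follow the page; the host naming pattern
# <host>.popdata.bc.ca for champlain is an assumption.

LDAP_BASE="dc=popdata,dc=bc,dc=ca"
LDAP_DOMAIN="popdata.bc.ca"

# Pull the contextCSN value(s) out of LDIF read on stdin.  Sorted and joined
# with spaces so multi-valued output compares as one stable string.
extract_csn() {
    grep '^contextCSN:' | sed 's/^contextCSN:[ ]*//' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Query one server for the suffix entry only (-s base), demanding StartTLS.
# Assumes anonymous reads of contextCSN are permitted; otherwise add -D/-W.
fetch_csn() {
    ldapsearch -LLL -x -ZZ -H "ldap://$1.$LDAP_DOMAIN" -b "$LDAP_BASE" -s base contextCSN | extract_csn
}

# 0 when consumer ($1) and provider ($2) carry identical CSNs.
csn_in_sync() {
    [ "$1" = "$2" ]
}

# 0 when the consumer CSN ($1) sorts before the provider CSN ($2), i.e. the
# consumer is behind.  A CSN starts with a UTC timestamp, so lexical order is
# chronological order.
consumer_behind() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$1" ]
}

# Report for one consumer host; returns 1 when replication is not current.
check_consumer() {
    provider_csn=$(fetch_csn champlain)
    consumer_csn=$(fetch_csn "$1")
    if csn_in_sync "$consumer_csn" "$provider_csn"; then
        echo "$1: in sync ($consumer_csn)"
    elif consumer_behind "$consumer_csn" "$provider_csn"; then
        echo "$1: BEHIND provider: $consumer_csn < $provider_csn"
        return 1
    else
        echo "$1: CSN differs from provider and is not older: $consumer_csn vs $provider_csn"
        return 1
    fi
}

# Usage: sh check_sync.sh cook mackenzie
for host in "$@"; do
    check_consumer "$host" || exit 1
done
```

With a one-minute refreshOnly interval, a consumer that stays behind for more than a couple of minutes points at the syncrepl bind (binddn/credentials) or the TLS setup on the provider URI rather than at normal lag.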

LDAP Configuration

Champlain:/etc/ldap/slapd.conf

  • Password updates are propagated to the AD server Gilbert (LDAP login for the Cisco VPN server access.popdata.bc.ca); configured in slapd.conf:
    • plugin postoperation /etc/ldap/libsync2ad.so sync_postop_init
    • pluginlog /var/log/sync2ad.log
      • 2013-04-29 missing sync2ad.log
    • libsync2ad.so is customized to run /etc/ldap/syncad.py, which loads LDAPconn.py (its log, /var/log/sync2ad-py.log, is also missing) ?
    • See also /var/log/slapi-errors
      • EX: 04/29/13 05:20:01 plugin_pblock_new: Registered plugin sync2ad-plugin 1.1 [JTM] (Sync to Active Directory plugin)

LDAP Password lockout

Google: openldap login lockout

LDAP Client

nslcd for authentication etc.

nslcd is used by pam_ldap and by the glibc NSS lookups ("ldap" in nsswitch.conf); its configuration is /etc/nslcd.conf:

  • uri ldap://10.80.20.80/
  • # SSL options
    • #ssl off
    • #tls_reqcert never
  • timeout options: see man nslcd.conf
    • *timelimit; reconnect_*

TODO:

  • add both cook and champlain as redundant servers
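The nslcd.conf fragment above leaves "ssl off" and "tls_reqcert never" commented out, and the TODO asks for a second server. The script below is an added example, not from the popdata wiki: a small lint for an nslcd.conf read on stdin that counts configured URIs and reports either of those two settings if it is ever active. The directive names are the real nslcd.conf ones; the function names and the configs used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the popdata wiki: lint an nslcd.conf (on stdin) for
# the two weak settings the page shows commented out and for the single-uri
# state the page's TODO wants fixed.  Function names are assumptions.

# Drop comments and blank lines so only active directives are examined.
active_directives() {
    sed 's/#.*//' | grep -v '^[[:space:]]*$'
}

# Number of active URIs.  nslcd accepts several "uri" lines and also several
# URIs on one line, so count URI tokens rather than lines.
uri_count() {
    active_directives | awk '$1 == "uri" { n += NF - 1 } END { print n + 0 }'
}

# One line per weak active setting; prints nothing when clean.
weak_settings() {
    active_directives | awk '
        $1 == "ssl" && $2 == "off"           { print "ssl off: no TLS to the directory" }
        $1 == "tls_reqcert" && $2 == "never" { print "tls_reqcert never: server certificate is not verified" }
    '
}

# Whole-file verdict: 0 = at least two URIs and no weak settings, 1 otherwise.
lint_nslcd() {
    conf=$(cat)
    status=0
    n=$(printf '%s\n' "$conf" | uri_count)
    if [ "$n" -lt 2 ]; then
        echo "only $n uri configured; add a second server (cook and champlain) for redundancy"
        status=1
    fi
    findings=$(printf '%s\n' "$conf" | weak_settings)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        status=1
    fi
    return $status
}

# Usage: sh lint_nslcd.sh < /etc/nslcd.conf
```

Run it after editing nslcd.conf; a clean result means both cook and champlain are listed and nslcd will still verify the server certificate.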

ldap.conf for ???

/etc/ldap/ldap.conf