Standalone-slapd

From Wikitech

Setup an openldap instance which mimics what is being used in production in cloud VPS

Installation

  • apt-get install slapd schema2ldif
  • sudo dpkg-reconfigure -plow slapd (select MDB as the backend) and keep record of the cn=admin password

Enabling the memberof overlay

This is optional, but for CAS we need the memberOf attribute. The overlay is included in OpenLDAP as shipped in Debian, but we need to enable and configure it:

First we need the following LDIF:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad: memberOf

Then we need to add it to the internal cn=config in which slapd keeps track of config/schemas:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f $LDIFFILE


The following LDIF configures the memberof overlay:

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
olcOverlay: memberof

It needs to be added with: 

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f $LDIFFILE


After that change is enabled, further group changes are amended with the memberOf attribute, e.g.

ldapsearch -x -b dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud -h localhost uid=foouser memberOf

Add default OUs

LDIF to create the users OU:

dn: ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: organizationalunit
ou: users

dn: ou=groups,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: organizationalunit
ou: groups

Add it with: 

$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f $LDIFFILE

Add the custom schemas used in production:

Get wmf-user.schema and openssh-ldap.schema from puppet.git. They need to be converted to the cn=config schema and imported:

schema2ldif wmf-user.schema  > wmf-user.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f wmf-user.ldif

Create a user

First we need to generate a password:

sudo slappasswd -h {SSHA} -s test123

This will return something like {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL , use it as userPassword in the LDIF to add a user: 

dn:cn=foouser,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: top
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectClass: ldapPublicKey
cn: foouser
sn: foouser
uid: foouser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/foouser
mail: foouser@wikimedia.org
sshPublicKey:AAAAC3$SSHKEY
userPassword: {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL


Finally add it using: 

$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f ou.txt

Delete a user

$ sudo ldapdelete -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// "cn=foo,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud"

Modifying an attribute

Create an LDIF like this: 

dn: cn=proxyagent,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
changetype: modify
replace: uid
uid: proxyagent

Then run: 

$ sudo ldapmodify -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f change.ldif

Adding a group

Example LDIF:

dn:cn=nda,ou=groups,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: groupOfNames
objectClass: top
cn: wmf
member: cn=foo,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
member: cn=bar,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud


Then add it with 

$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f $LDIFFILE

Searching in LDAP

ldapsearch by default picks up the settings for the Cloud VPS LDAP servers via ldap.conf, instead you need to pass it explicitly: 

$ ldapsearch -x -b dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud -h localhost uid=foouser''

You can also simply dump the entire directory using "sudo slapcat"

Retrieved from "https://wikitech.wikimedia.org/w/index.php?title=Standalone-slapd&oldid=1921283"