From Wikitech
Jump to navigation Jump to search

Setup an openldap instance which mimics what is being used in production in cloud VPS


  • apt-get install slapd schema2ldif
  • sudo dpkg-reconfigure -plow slapd (select MDB as the backend) and keep record of the cn=admin password

Enabling the memberof overlay

This is optional, but for CAS we need the memberOf attribute. The overlay is included in OpenLDAP as shipped in Debian, but we need to enable and configure it:

First we need the following LDIF:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad: memberOf

Then we need to add it to the internal cn=config in which slapd keeps track of config/schemas:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f $LDIFFILE

The following LDIF configures the memberof overlay:

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
olcOverlay: memberof

It needs to be added with:

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f $LDIFFILE

After that change is enabled, further group changes are amended with the memberOf attribute, e.g.

ldapsearch -x -b dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud -h localhost uid=foouser memberOf

Add default OUs

LDIF to create the users OU:

dn: ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: organizationalunit
ou: users

dn: ou=groups,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: organizationalunit
ou: groups

Add it with:

$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f $LDIFFILE

Add the custom schemas used in production:

Get wmf-user.schema and openssh-ldap.schema from puppet.git. They need to be converted to the cn=config schema and imported:

schema2ldif wmf-user.schema  > wmf-user.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f wmf-user.ldif

Create a user

First we need to generate a password:

sudo slappasswd -h {SSHA} -s test123

This will return something like {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL , use it as userPassword in the LDIF to add a user:

objectclass: top
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectClass: ldapPublicKey
cn: foouser
sn: foouser
uid: foouser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/foouser
userPassword: {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL

Finally add it using:

$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f ou.txt

Delete a user

$ sudo ldapdelete -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// "cn=foo,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud"

Modifying an attribute

Create an LDIF like this:

dn: cn=proxyagent,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
changetype: modify
replace: uid
uid: proxyagent

Then run:

$ sudo ldapmodify -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f change.ldif

Adding a group

Example LDIF:

objectClass: groupOfNames
objectClass: top
cn: wmf
member: cn=foo,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
member: cn=bar,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud

Then add it with

$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f $LDIFFILE

Searching in LDAP

ldapsearch by default picks up the settings for the Cloud VPS LDAP servers via ldap.conf, instead you need to pass it explicitly:

$ ldapsearch -x -b dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud -h localhost uid=foouser''

You can also simply dump the entire directory using "sudo slapcat"