Standalone-slapd
Set up an OpenLDAP instance that mimics what is used in production in Cloud VPS.
Installation
- apt-get install slapd schema2ldif
- sudo dpkg-reconfigure -plow slapd (select MDB as the backend) and keep a record of the cn=admin password
Enabling the memberof overlay
This is optional, but for CAS we need the memberOf attribute. The overlay is included in OpenLDAP as shipped in Debian, but we need to enable and configure it:
First we need the following LDIF (the attribute name goes on the add: line and the module name, memberof, on its own line):
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
Then we need to apply it to the internal cn=config database in which slapd keeps its configuration and schemas:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f $LDIFFILE
The following LDIF configures the memberof overlay:
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
olcOverlay: memberof
It needs to be added with:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f $LDIFFILE
Once the overlay is enabled, group membership changes made from then on are reflected in the memberOf attribute of the member entries (memberships that already existed are not backfilled; re-add those members to populate it). Check with e.g.
ldapsearch -x -b dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud -h localhost uid=foouser memberOf
Add default OUs
LDIF to create the users and groups OUs (two entries, separated by a blank line):
dn: ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: organizationalUnit
ou: groups
Add it with:
$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f $LDIFFILE
Add the custom schemas used in production:
Get wmf-user.schema and openssh-ldap.schema from puppet.git. They need to be converted to the cn=config schema and imported:
schema2ldif wmf-user.schema > wmf-user.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f wmf-user.ldif
schema2ldif openssh-ldap.schema > openssh-ldap.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f openssh-ldap.ldif
The openssh-ldap schema provides the ldapPublicKey object class and sshPublicKey attribute used in the user entry below.
Create a user
First we need to generate a password:
sudo slappasswd -h {SSHA} -s test123
This will return something like {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL; use it as userPassword in the LDIF to add a user (omitting -s makes slappasswd prompt for the password instead of leaving it in the shell history):
dn: cn=foouser,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: ldapPublicKey
cn: foouser
sn: foouser
uid: foouser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/foouser
mail: foouser@wikimedia.org
sshPublicKey: AAAAC3$SSHKEY
userPassword: {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL
Finally add it using (pointing -f at the user LDIF you just wrote):
$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f $LDIFFILE
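As an added example (not part of this page, nor code from the production puppet repository), the Python below reproduces what slappasswd -h {SSHA} computes, verifies a password against such a value, and builds the user entry above as LDIF, base64-encoding any value that RFC 2849 does not allow literally. The base DN is the one used on this page; the SSH key value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets

BASE_DN = "dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud"  # suffix used throughout this page

def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(sha1(password || salt) || salt); slappasswd uses a 4-byte salt."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when RFC 2849 forbids the literal form."""
    unsafe_start = value[:1] in (" ", ":", "<")            # SAFE-INIT-CHAR rule
    unsafe_chars = any(ord(c) > 127 or c in "\r\n\0" for c in value)  # SAFE-CHAR rule
    if unsafe_start or unsafe_chars or value.endswith(" "):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"

def user_ldif(uid, uid_number, ssh_key, password_hash):
    """Build the inetOrgPerson/posixAccount/ldapPublicKey entry from this page for ldapadd."""
    classes = ("top", "inetOrgPerson", "posixAccount", "shadowAccount", "ldapPublicKey")
    attrs = [("dn", f"cn={uid},ou=users,{BASE_DN}")]
    attrs += [("objectClass", oc) for oc in classes]
    attrs += [
        ("cn", uid), ("sn", uid), ("uid", uid),
        ("uidNumber", str(uid_number)), ("gidNumber", str(uid_number)),
        ("homeDirectory", f"/home/{uid}"), ("mail", f"{uid}@wikimedia.org"),
        ("sshPublicKey", ssh_key), ("userPassword", password_hash),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"

if __name__ == "__main__":
    # Constructed sample input: the key is a placeholder, not a real public key.
    print(user_ldif("foouser", 1000, "AAAAC3PLACEHOLDER", ssha_hash("test123")))
```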
Delete a user
$ sudo ldapdelete -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// "cn=foo,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud"
Modifying an attribute
Create an LDIF like this:
dn: cn=proxyagent,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
changetype: modify
replace: uid
uid: proxyagent
Then run:
$ sudo ldapmodify -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f change.ldif
Adding a group
Example LDIF (the cn attribute must match the RDN in the dn, otherwise ldapadd rejects the entry):
dn: cn=nda,ou=groups,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: groupOfNames
objectClass: top
cn: nda
member: cn=foo,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
member: cn=bar,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
Then add it with:
$ sudo ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -y /root/ldap -H ldapi:/// -f $LDIFFILE
Searching in LDAP
ldapsearch by default picks up the settings for the Cloud VPS LDAP servers via ldap.conf, so to query the local instance you need to pass the base DN and host explicitly:
$ ldapsearch -x -b dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud -h localhost uid=foouser
You can also simply dump the entire directory with "sudo slapcat".