User:BryanDavis/LDAP

From Wikitech

Notes on using LDAP.

Easy CLI queries

I have a shell alias for running ldapsearch which tells it to use paginated queries with a large page size, no prompting before fetching the next page, and no line wrapping: 

$ alias ldap='ldapsearch -xLLL -P 3 -E pr=5000/noprompt -o ldif-wrap=no -b"dc=wikimedia,dc=org"'
$ ldap uid=bd808 cn
dn: uid=bd808,ou=people,dc=wikimedia,dc=org
cn: BryanDavis

Decoding base64 entries

LDAP returns non-ascii values as base64 encoded strings. Developer accounts with unicode characters in their cn (wikitech username) values are a common example of this in our directory tree. Ldapsearch displays base64 values with two colons after the attribute name. I have a shell alias that ldapsearch results can be piped through which looks for these double colons and decodes the string. 

$ alias un64='awk '\''BEGIN{FS=":: ";c="base64 -d"}{if(/\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s:: \"%s\"\n", $1, $2); next} print $0 }'\'''
$ ldap uid=smccandlish displayName
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
displayName:: 4oCUIDxmb250IGZhY2U9IlRyZWJ1Y2hldCBNUyI+JycnW1tVc2VyOlNNY0NhbmRsaXNofFNNY0NhbmRsaXNoXV0nJycgJm5ic3A7PHNwYW4gc3R5bGU9IndoaXRlLXNwYWNlOm5vd3JhcDsiPltbVXNlciB0YWxrOlNNY0NhbmRsaXNofFRhbGvih5JdXSDJljxzdXA+PGJpZz7iip08L2JpZz48L3N1cD7XmzxzdXA+4oqZPC9zdXA+w74gPC9zcGFuPiA8c21hbGw+W1tTcGVjaWFsOkNvbnRyaWJ1dGlvbnMvU01jQ2FuZGxpc2h8Q29udHJpYi5dXTwvc21hbGw+PC9mb250PiA=
$ ldap uid=smccandlish displayName | un64
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
displayName:: "— <font face="Trebuchet MS">'''[[User:SMcCandlish|SMcCandlish]]''' &nbsp;<span style="white-space:nowrap;">[[User talk:SMcCandlish|Talk⇒]] ɖ<sup><big>⊝</big></sup>כ<sup>⊙</sup>þ </span> <small>[[Special:Contributions/SMcCandlish|Contrib.]]</small></font> "

Manual changes

ldap-modify.sh
#!/usr/bin/env bash
set -euxo pipefail
LDIF=${1:?Expected LDIF file to apply}

ldapmodify -v \
    -H 'ldap://ldap-rw.eqiad.wikimedia.org:389' \
    -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' \
    -y .ldap-password \
    -f $LDIF

$ ldap-modify.sh $LDIF_FILE

One way to find the password for uid=novaadmin is in the /etc/mediawiki/WikitechPrivateSettings.php file on a cloudweb server.

Retrieved from "https://wikitech.wikimedia.org/w/index.php?title=User:BryanDavis/LDAP&oldid=2138972"