Toolserver:Admin:LDAP

We use LDAP for two things, each in its own separate directory instance:
 * storing Unix accounts for the main cluster
 * storing web accounts for the web properties (e.g. JIRA, MediaWiki)

LDAP quickstart
LDAP is a simple hierarchical key-value database. The values are objects (entries) with various attributes. One attribute, the naming attribute, is used to look up the object. The naming attribute and its value are combined with the suffix to create the Distinguished Name (DN). For example, if the naming attribute for an object was uid, the value of the 'uid' attribute was river, and the suffix was ou=people,o=unix,o=toolserver, then the DN would be uid=river,ou=people,o=unix,o=toolserver. This is the unique name identifying that particular object.

Most objects are created under an Organizational Unit (OU); for example, ou=people,o=unix,o=toolserver is an OU.

Unix accounts
LDAP entries for Unix accounts are stored on the HA cluster, using Sun Directory Server Enterprise Edition (docs). DSEE is installed in /opt/SUNWdsee, and the data is in /global/misc/ldap.

If LDAP is offline, the entire cluster will be down, because every host resolves users and groups through it. You therefore need to be very careful when doing anything with the LDAP server. If the LDAP server breaks, you have about 5 minutes to fix it before nscd's cached entries start expiring and lookups begin to fail.

The canonical name for the Unix LDAP server is <tt>ldap.toolserver.org</tt>.

Schema
The Unix server uses the following OUs:

 * <tt>ou=people,o=unix,o=toolserver</tt> - Unix accounts, naming attribute = <tt>uid</tt>
 * <tt>ou=group,o=unix,o=toolserver</tt> - Unix groups, naming attribute = <tt>cn</tt>
 * <tt>ou=SUDOers,o=unix,o=toolserver</tt> - sudo authorisation entries
 * <tt>ou=aliases,o=unix,o=toolserver</tt> - Mail aliases
 * <tt>ou=hosts,o=unix,o=toolserver</tt> - Hostname entries (like <tt>/etc/hosts</tt>)
 * <tt>ou=profile,o=unix,o=toolserver</tt> - Special objects used for system administration
 * <tt>ou=netgroup,o=unix,o=toolserver</tt> - NIS netgroups, special groups of hosts and/or users used for access control
 * <tt>ou=SolarisProfAttr,o=unix,o=toolserver</tt> - Solaris RBAC profile definitions (like <tt>/etc/security/prof_attr</tt>)
 * <tt>ou=SolarisExecAttr,o=unix,o=toolserver</tt> - Solaris RBAC execution attributes: the commands belonging to each profile and the privileges they run with (like <tt>/etc/security/exec_attr</tt>)
 * <tt>ou=projects,o=unix,o=toolserver</tt> - Solaris projects
 * <tt>ou=services,o=unix,o=toolserver</tt> - Service entries (like <tt>/etc/services</tt>)

For custom attributes, our PEN (IANA Private Enterprise Number) is 33298, making our OID arc iso.org.dod.internet.private.enterprise.33298 (1.3.6.1.4.1.33298). This is allocated to the Toolserver as follows:

 1.3.6.1.4.1.33298.1       Wikimedia Foundation
 1.3.6.1.4.1.33298.2       Wikimedia chapters
 1.3.6.1.4.1.33298.2.1     Wikimedia Deutschland
 1.3.6.1.4.1.33298.2.1.1   Wikimedia Toolserver

Currently we don't have any custom attributes that actually use this.

Web accounts
Web accounts are stored in the LDAP server on amaranth. Usually you would edit them through Crowd; you can also edit the directory directly if necessary.

Schema
The web directory uses these OUs:

 * <tt>ou=People,o=web,o=toolserver</tt> - accounts, naming attribute = <tt>cn</tt>
 * <tt>ou=group,o=web,o=toolserver</tt> - groups, naming attribute = <tt>cn</tt>
 * <tt>ou=profile,o=web,o=toolserver</tt> - special objects for administration
 * <tt>ou=role,o=web,o=toolserver</tt> - Crowd role definitions

Because there are no administrator accounts in the web directory, you will need to authenticate as <tt>cn=Directory Manager</tt>, using the misc services password. Directory Manager is the unrestricted root account of the directory: access controls do not apply to it, so check any modification carefully before you apply it. Use <tt>/opt/dsee/dsrk6/bin/ldapsearch</tt> and <tt>/opt/dsee/dsrk6/bin/ldapmodify</tt>, not the versions in <tt>/usr/bin</tt>.

Searching and editing the directory
The easiest way to edit the directory interactively is with ldapvi. However, you can also use <tt>ldapmodify</tt> (described below), especially if you need to edit the directory from a script or do bulk modifications.

Searching
To search the directory, you need a search string (a filter): one or more conditions that describe the object you want to find. You can use any object attribute in a search string. Boolean operators are &, |, and !; comparison operators are =, <=, and >=. For example:
 * <tt>(objectclass=posixAccount)</tt> - find all <tt>posixAccount</tt> objects
 * <tt>(&(objectclass=posixGroup)(memberUid=river))</tt> - find all the <tt>posixGroup</tt>s that river is a member of
 * <tt>(&(objectclass=posixAccount)(uid=a*))</tt> - find all user accounts starting with 'a'

Once you have your search string, search using <tt>ldapsearch</tt>:

 % ldapsearch -Duid=rriver,ou=people,o=unix,o=toolserver -h ldap -b o=unix,o=toolserver '(objectClass=posixAccount)'
              ^- DN to authenticate as                           ^- base for the search ^- the search string
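The search strings above are typed by hand, but once a uid comes from a script argument or a web form it must be treated as untrusted: RFC 4515 requires that the characters <tt>(</tt>, <tt>)</tt>, <tt>*</tt>, <tt>\</tt> and NUL inside an assertion value be written as <tt>\XX</tt> hex escapes, and a value passed through unescaped can change the shape of the filter (a "member of" lookup silently becomes a match-all). The following POSIX shell helper is an added example, not code from this page or from the Toolserver; the function names and the sample inputs are assumptions made for illustration. The <tt>find_groups_of</tt> wrapper uses the same bind DN, host and base as the <tt>ldapsearch</tt> invocation above.

```sh
# Added example (not from the Toolserver page): escape untrusted values before
# interpolating them into an ldapsearch filter (RFC 4515 assertion-value escaping).

# Escape one assertion value for use inside a filter.  Backslash is handled
# first so that the escapes this function produces are not escaped again.
# (NUL cannot occur in a shell string, so only the other four are covered.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# The page's "groups river belongs to" filter with the uid interpolated naively.
# Given the uid '*)(uid=*' this yields a filter that matches every group.
groups_filter_unsafe() {
    printf '(&(objectclass=posixGroup)(memberUid=%s))' "$1"
}

# The same filter with the uid escaped: the metacharacters become data.
groups_filter() {
    printf '(&(objectclass=posixGroup)(memberUid=%s))' "$(ldap_filter_escape "$1")"
}

# Run the lookup.  $1 = uid to look up, $2 = DN to bind as.  The filter is a
# single quoted argument, so the shell never re-splits or globs it.
find_groups_of() {
    ldapsearch -D "$2" -h ldap -b o=unix,o=toolserver "$(groups_filter "$1")" cn
}

# Usage (bind DN taken from the page's example):
#   find_groups_of river uid=rriver,ou=people,o=unix,o=toolserver
```

Escaping only protects the filter; a uid that ends up in a DN (as in the <tt>-D</tt> argument) needs the separate RFC 4514 DN escaping, or, more simply, a whitelist check on the characters you allow in account names.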

Editing
To edit the directory, first create an LDIF input file. In a <tt>changetype: modify</tt> record, each change is a mod-spec: an <tt>add:</tt>, <tt>replace:</tt> or <tt>delete:</tt> line naming the attribute, the new attribute values, and a line containing only <tt>-</tt> to close the mod-spec. LDIF looks like this:

 dn: uid=rriver,ou=people,o=unix,o=toolserver
 changetype: modify
 replace: shadowExpire
 shadowExpire: 12345
 -

That would set the <tt>shadowExpire</tt> attribute of the named DN to 12345.

To add a new object:

 dn: uid=rriver,ou=people,o=unix,o=toolserver
 changetype: add
 uid: rriver
 uidNumber: 1000
 ...

Or to delete an object:

 dn: uid=rriver,ou=people,o=unix,o=toolserver
 changetype: delete

You can include multiple changes in the same file; records are separated by a blank line (the <tt>-</tt> line only separates mod-specs within one modify record):

 dn: uid=rriver,ou=people,o=unix,o=toolserver
 changetype: modify
 replace: shadowExpire
 shadowExpire: 12345
 -

 dn: uid=otheruser,ou=people,o=unix,o=toolserver
 changetype: delete

Once you have your LDIF file, feed it to <tt>ldapmodify</tt>:

 % ldapmodify -Duid=rriver,ou=people,o=unix,o=toolserver -h ldap -f file.ldif
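For bulk modifications it is safer to generate the LDIF into a file, read it over, and only then hand it to <tt>ldapmodify</tt>, since a malformed batch applied to the Unix directory affects the whole cluster. The following POSIX shell helper is an added example, not code from this page or from the Toolserver: it writes one <tt>replace: shadowExpire</tt> record per uid with the mod-spec and record separators described above, and refuses values that would corrupt the DN or the attribute. The function names, the uids and the expiry value in the usage lines are assumptions made for illustration.

```sh
# Added example (not from the Toolserver page): generate a bulk shadowExpire
# change as LDIF for review before it is applied with ldapmodify.
PEOPLE_BASE='ou=people,o=unix,o=toolserver'   # the page's Unix accounts OU

# Emit one "changetype: modify" record per uid that replaces shadowExpire.
# Each mod-spec ends with a line containing only "-", and records are
# separated by a blank line.  Usage: expire_ldif <days-since-epoch> uid...
expire_ldif() {
    expire="$1"; shift
    # shadowExpire is a day count; refuse anything that is not a plain integer.
    case "$expire" in
        ''|*[!0-9]*) echo "expire_ldif: bad shadowExpire value '$expire'" >&2; return 1 ;;
    esac
    for uid in "$@"; do
        # The uid becomes part of a DN.  Rather than implement RFC 4514
        # escaping, reject anything outside a conservative account-name set.
        case "$uid" in
            ''|*[!A-Za-z0-9._-]*) echo "expire_ldif: refusing uid '$uid'" >&2; return 1 ;;
        esac
        printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: shadowExpire\nshadowExpire: %s\n-\n\n' \
            "$uid" "$PEOPLE_BASE" "$expire"
    done
}

# Count the records in an LDIF stream read from stdin (one "dn:" line each),
# a quick sanity check before applying a generated file.
ldif_record_count() {
    grep -c '^dn: '
}

# Typical use (uids and value made up): write, review, then apply with the
# page's ldapmodify invocation.
#   expire_ldif 12345 alice bob > expire.ldif
#   ldif_record_count < expire.ldif
#   ldapmodify -Duid=rriver,ou=people,o=unix,o=toolserver -h ldap -f expire.ldif
```

If any uid is rejected the function stops at that point, so check its exit status (or the record count) before feeding the file to <tt>ldapmodify</tt>, which otherwise would apply a partial batch.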