
Standalone-slapd

From Wikitech-static
Revision as of 14:33, 10 February 2021 by imported>Muehlenhoff (Initial docs for a standalone slapd)

Set up an OpenLDAP instance which mimics what is used in production in Cloud VPS.

Installation

  • sudo apt-get install slapd schema2ldif
  • sudo dpkg-reconfigure -plow slapd: select MDB as the backend, enter the DNS domain name that yields the production base DN (sso.eqiad1.wikimedia.cloud becomes dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud), and keep a record of the cn=admin password

Add default OUs

LDIF to create the users and groups OUs:

dn: ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: organizationalunit
ou: users

dn: ou=groups,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: organizationalunit
ou: groups

Add it with (-W prompts for the cn=admin password set above):

ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -W -H ldapi:/// -f $LDIFFILE

Add the custom schemas used in production:

Get wmf-user.schema and openssh-ldap.schema from puppet.git. They need to be converted to cn=config LDIF and imported over the ldapi socket as root (SASL EXTERNAL maps the root uid to the cn=config admin). The same two commands apply to openssh-ldap.schema:

schema2ldif wmf-user.schema > wmf-user.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f wmf-user.ldif

Create a user

First we need to generate a password hash. Note that -s puts the password on the command line and into your shell history; omit it to be prompted interactively instead:

sudo slappasswd -h {SSHA} -s test123

This will return something like {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL (salted SHA-1, base64 encoded; the salt is random, so every run differs). Use it as userPassword in the LDIF to add a user:

dn: cn=foouser,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
cn: foouser
uid: foouser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/foouser
userPassword: {SSHA}C3Q+3aZE7FgKoMa/b3CTTrNBxgSG73pL

Finally add it, with $LDIFFILE pointing at the file holding the user entry above:

ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -W -H ldapi:/// -f $LDIFFILE
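The OU entries, the password hash and the user entry above are easy to get subtly wrong by hand (a missing space after the colon, a cleartext userPassword pasted in, a uid containing a comma that splits the DN). The following script is an added example, not code from this page or from the puppet repository: it generates a slappasswd-compatible {SSHA} value, verifies one (useful against values copied out of slapcat), and emits the same OU and posixAccount entries as the sections above for piping into ldapadd. The base DN and attribute set are the page's; the function names, the uid syntax check and the refusal of unhashed passwords are this example's own choices.

```python
"""Generate the OU and posixAccount LDIF from the sections above, with a
slappasswd-compatible {SSHA} userPassword.

Added example, not code from the Wikitech page or from WMF's puppet repo.
Assumes the page's base DN and attribute set; function names, the uid check
and the cleartext refusal are this example's own.
"""
import base64
import hashlib
import hmac
import os
import re
import sys
from typing import Optional

BASE_DN = "dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud"
# Conservative uid syntax: anything else would need RFC 4514 escaping in the
# DN (cn=foo,user would otherwise be parsed as two RDNs).
UID_RE = re.compile(r"^[a-z_][a-z0-9._-]{0,31}$")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as produced by 'slappasswd -h {SSHA}': base64(SHA1(pw||salt)||salt).
    slappasswd uses a random 4-byte salt; ssha_verify works for any salt length
    because the salt is simply whatever follows the 20-byte digest."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value (e.g. one taken from slapcat)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line, switching to base64 ('attr:: ') where RFC 2849
    requires it: leading space/colon/'<', trailing space, non-ASCII or control
    characters."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or not value.isascii() or any(ord(c) < 32 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}\n"
    return f"{attr}: {value}\n"


def ou_ldif(ou: str) -> str:
    """organizationalUnit directly under the base DN (ou=users, ou=groups)."""
    return (ldif_line("dn", f"ou={ou},{BASE_DN}")
            + ldif_line("objectClass", "organizationalUnit")
            + ldif_line("ou", ou))


def user_ldif(uid: str, uid_number: int, password_hash: str,
              gid_number: Optional[int] = None, home: Optional[str] = None) -> str:
    """posixAccount under ou=users with the same objectClasses as the page's entry."""
    if not UID_RE.match(uid):
        raise ValueError(f"uid {uid!r} would need DN escaping; not supported here")
    if not password_hash.startswith("{"):
        # userPassword accepts cleartext; refuse it so 'test123' is never stored as-is
        raise ValueError("userPassword must be a {SCHEME} hash, use ssha_hash()")
    attrs = [
        ("objectClass", "top"), ("objectClass", "account"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("cn", uid), ("uid", uid),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(uid_number if gid_number is None else gid_number)),
        ("homeDirectory", home or f"/home/{uid}"),
        ("userPassword", password_hash),
    ]
    return (ldif_line("dn", f"cn={uid},ou=users,{BASE_DN}")
            + "".join(ldif_line(a, v) for a, v in attrs))


if __name__ == "__main__":
    # python3 mkldif.py | ldapadd -D "cn=admin,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud" -W -H ldapi:///
    # Several entries in one LDIF stream are separated by a blank line.
    sys.stdout.write(ou_ldif("users") + "\n" + ou_ldif("groups") + "\n"
                     + user_ldif("foouser", 1000, ssha_hash("test123")))
```

Piping the script's output into the ldapadd command above creates both OUs and the user in one go; ldapadd stops at the first entry that fails (for example because ou=users already exists), so run it against a fresh instance or drop the OU entries from the output.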

Searching in LDAP

ldapsearch picks up the Cloud VPS LDAP servers from /etc/ldap/ldap.conf by default, so the local server has to be passed explicitly (-H is the current form of the deprecated -h option; -x does a simple anonymous bind):

ldapsearch -x -b dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud -H ldap://localhost uid=foouser

You can also dump the entire directory using "sudo slapcat". It reads the database files directly rather than going through the server, so it works even while slapd is stopped and includes the userPassword hashes (base64 encoded in the output).
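Once the directory has a few entries, a slapcat dump is the easiest thing to audit for the mistakes the manual LDIF steps invite: a userPassword that ended up in cleartext, or two accounts sharing a uidNumber. The following is an added example, not from this page or from puppet.git: a minimal LDIF reader (line folding, "::" base64 values, comments) and two checks over it. SAMPLE_DUMP is a constructed, shortened slapcat-style dump; a real one also carries operational attributes such as entryUUID and entryCSN, which the parser keeps as ordinary attributes. Function names are this example's own.

```python
"""Audit a slapcat/ldapsearch LDIF dump for cleartext userPassword values
and duplicate uidNumbers.

Added example; not code from the Wikitech page or from WMF's puppet repo.
SAMPLE_DUMP below is constructed for this example.
"""
import base64
import sys
from collections import defaultdict
from typing import Dict, List

# Constructed slapcat-style dump: base entry, the users OU, the page's foouser,
# and a second account with a cleartext password and a clashing uidNumber.
SAMPLE_DUMP = """\
dn: dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: top
objectClass: dcObject
objectClass: organization
o: sso.eqiad1.wikimedia.cloud
dc: sso

dn: ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: organizationalUnit
ou: users

dn: cn=foouser,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: foouser
uid: foouser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/foouser
userPassword:: e1NTSEF9QzNRKzNhWkU3RmdLb01hL2IzQ1RUck5CeGdTRzczcEw=
structuralObjectClass: account

dn: cn=baruser,ou=users,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
objectClass: top
objectClass: account
objectClass: posixAccount
cn: baruser
uid: baruser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/baruser
userPassword:: dGVzdDEyMw==
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    'attr:: base64' values, skips '#' comments and splits entries on blank
    lines. Attribute names are lower-cased for lookup; values stay strings."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def audit_users(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Findings for posixAccount entries: unhashed passwords, shared uidNumbers."""
    findings: List[str] = []
    by_uid_number: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        dn = e["dn"][0]
        for pw in e.get("userpassword", []):
            # slapd stores whatever it is given; a value without a {SCHEME}
            # prefix is the cleartext password itself
            if not pw.startswith("{") or pw.upper().startswith("{CLEARTEXT}"):
                findings.append(f"{dn}: userPassword is not hashed (no {{SCHEME}} prefix)")
        for n in e.get("uidnumber", []):
            by_uid_number[n].append(dn)
    for n, dns in sorted(by_uid_number.items()):
        if len(dns) > 1:
            findings.append(f"uidNumber {n} is shared by: {', '.join(dns)}")
    return findings


if __name__ == "__main__":
    # sudo slapcat | python3 audit_ldif.py -      (no argument: audit SAMPLE_DUMP)
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_DUMP
    for finding in audit_users(parse_ldif(text)):
        print(finding)
```

The cleartext check relies on the {SCHEME} prefix convention used by slapd's password storage, which is exactly what slappasswd produces; the uidNumber check matters because nothing in the schema above enforces uniqueness, and two accounts with the same uidNumber become the same user on any host that resolves them through NSS.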