Local dev for OpenLDAP and more
henrist committed Mar 27, 2024
1 parent 827bf70 commit 9051484
Showing 5 changed files with 217 additions and 1 deletion.
2 changes: 2 additions & 0 deletions services/openldap/.gitignore
@@ -0,0 +1,2 @@
/backups/
/data/
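Review bot: ignoring `/backups/` and `/data/` keeps the slapcat dumps and the copied database directories out of git, but it says nothing about what they contain: both hold a full export of the user database (every attribute, including password hashes), and unlike `config-backup` they are not protected by git-crypt. Consider adding a line to the README stating that these directories hold production directory data and must be deleted (or stored encrypted) once the local test or backup is done.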
132 changes: 131 additions & 1 deletion services/openldap/README.md
@@ -1,4 +1,134 @@
# openldap

For more details about our LDAP setup, see
For mer informasjon om LDAP-oppsettet se
https://foreningenbs.no/confluence/display/FBS/LDAP

For enkle endringer i LDAP bruk https://foreningenbs.no/tools/phpldapadmin/
([passord](https://foreningenbs.no/confluence/display/IT/LDAP+adminpass))

## Teste OpenLDAP lokalt

```bash
./load-to-dev.sh consumer
docker-compose up
docker-compose exec openldap bash
ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -b ou=Users,dc=foreningenbs,dc=no name
```

## Backup ved endringer

Du kan laste ned backup av LDAP-serverene ved å kjøre:

```bash
./full-backup.sh
```

## Config backup

I mappen `config-backup` er det snapshot av hvordan config-filene
har sett ut. De kan oppdateres ved å kjøre:

```bash
cd config-backup
./update-backup.sh
```

Pass på at filene blir kryptert (kjør `git-crypt status .`) og commit endringen.

## Servere og databaser

Vi har to servere: `ldap-master` (provider) og `ldap-slave` (consumer).

`ldap-master` har tre databaser: `config`, `data` og `accesslog` (for replikering).

`ldap-slave` har to databaser: `config` og `data`.

## Koble til LDAP-server

Ved å gå inn i Docker-instansen kan man koble til uten passord:

```bash
ssh [email protected]
docker exec -it ldap-slave bash
ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -b cn=config dn
```

(`-Y EXTERNAL -Q -H ldapi:///` er trikset her.)

Men man kan også bruke
[admin-passordet](https://foreningenbs.no/confluence/display/IT/LDAP+adminpass)
for enten `cn=admin,dc=foreningenbs,dc=no` (data)
eller `cn=admin,cn=config` (config):

```bash
ldapsearch -x -W -D cn=admin,dc=foreningenbs,dc=no -H ldaps://ldap-master.zt.foreningenbs.no/ -LLL -b ou=Users,dc=foreningenbs,dc=no name
ldapsearch -x -W -D cn=admin,cn=config -H ldaps://ldap-master.zt.foreningenbs.no/ -LLL -b cn=config dn
```

(`-x -W -D xxx -H yyy` er trikset her.)

Legg med `-d1` hvis du får feil. Du må legge til CA-sertifikatet for
å klare å koble til eller justere `TLS_REQCERT` i `/etc/ldap/ldap.conf`.

> Du kan kjøre dette fra [ldap-toolbox](../../ldap-toolbox) som er ferdig satt opp for dette.
> Den inneholder også f.eks. `ldapaddusertogroup` og slikt.
## Eksempler

Lese ut:

```bash
ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -b cn=config dn
ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -b ou=Users,dc=foreningenbs,dc=no name
```

Endre:

```bash
ldapmodify -Y EXTERNAL -Q -H ldapi:/// <<EOF
dn: uid=halvargimnes,ou=Users,dc=foreningenbs,dc=no
changetype: modify
replace: mail
mail: [email protected]
EOF
```

## Replikering

`ldap-slave` speiler `ldap-master`.

Opprinnelig oppsett: https://foreningenbs.no/filer/Grupper/IT-gruppa/Oppsett/LDAP

`contextCSN` er "versjon av databasen" mellom provider og consumer.
Du kan kjøre denne kommandoen på de ulike maskinene og sammenlikne verdien:

```bash
ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -b dc=foreningenbs,dc=no -z1 -s base contextCSN
```

## Dumpe data og laste igjen

```bash
slapcat -n0 -F /etc/ldap/slapd.d -l /tmp/ldap-db0.ldif
slapcat -n1 -F /etc/ldap/slapd.d -l /tmp/ldap-db1.ldif
```

```bash
slapadd -F /etc/ldap/slapd.d -l /tmp/ldap-db1.ldif
```

## Teste endring før restart

```bash
slaptest -F /etc/ldap/slapd.d
```

## Fikse feil checksum ved manuell config-endring

Fra https://gist.github.com/Shaltz/1d65a07a0901a36fb7f1?permalink_comment_id=4579943#gistcomment-4579943

```bash
LDIF='/etc/openldap/slapd.d/cn=config.ldif'
NEW_CRC32="$(tail -n +3 "$LDIF" | python3 -c 'import sys;import zlib;print("%08x"%(zlib.crc32(sys.stdin.buffer.read())))')"
sed -i "0,/# CRC32 .*/ s//# CRC32 ${NEW_CRC32,,}/g" "$LDIF"
```
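Review bot: in "Koble til LDAP-server" the text offers "justere `TLS_REQCERT` i `/etc/ldap/ldap.conf`" as an alternative to installing the CA certificate; lowering `TLS_REQCERT` (to `allow` or `never`) turns off server certificate verification for every `ldaps://` connection the client makes, so the README should recommend only the CA route, e.g. `TLS_CACERT /path/to/ca.crt` in `ldap.conf`, and drop the `TLS_REQCERT` suggestion. Two smaller points: the checksum snippet in "Fikse feil checksum ved manuell config-endring" uses `/etc/openldap/slapd.d/cn=config.ldif`, while every other command in this README uses `/etc/ldap/slapd.d` (the path the containers mount), so the copied `LDIF=` line will point at a non-existent file here; and in "Dumpe data og laste igjen" the `slapadd` line has no `-n1` although the matching `slapcat` line does, so writing `slapadd -n1 -F /etc/ldap/slapd.d -l /tmp/ldap-db1.ldif` would make it unambiguous which database is restored.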
18 changes: 18 additions & 0 deletions services/openldap/docker-compose.yml
@@ -0,0 +1,18 @@
# Only used for local testing.
version: '3'
services:
openldap:
build: .
container_name: openldap-test
ports:
- 127.0.0.1:389:389
environment:
LDAP_LOG_LEVEL: "-1"
volumes:
- ../../certs/dhparam.pem:/certs/dhparam.pem
- ../../certs/ca.crt:/certs/ca.crt
- ../../certs/ldap/ldap-slave.crt:/certs/slapd.crt
- ./data/dev/data:/var/lib/ldap
- ./data/dev/config:/etc/ldap/slapd.d
- ./:/data
#command: sleep 10000000
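Review bot: `LDAP_LOG_LEVEL: "-1"` enables every slapd debug category, including BER/packet dumps, so request contents such as simple-bind credentials can end up in the container log; since this compose file is fed with a copy of the production directory, a comment saying why `-1` is used, or a less verbose default such as `stats` (256) with `-1` left as an opt-in, would be safer. Also note that `./:/data` mounts the whole `services/openldap` directory, so any `backups/` dumps on disk become visible inside the container as well; mounting only what the container needs would be tighter.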
38 changes: 38 additions & 0 deletions services/openldap/full-backup.sh
@@ -0,0 +1,38 @@
#!/bin/bash
set -eu

timestamp=$(date -u +%Y%m%d-%H%M%SZ)
mkdir -p "backups/$timestamp/provider" "backups/$timestamp/consumer"

echo "Storing to backups/$timestamp"

# Provider
# Has 3 dbs (config + main + accesslogs)

ssh -T [email protected] <<EOF
set -e
docker exec ldap-master slapcat -F /etc/ldap/slapd.d -n0 >/tmp/db0.ldif
docker exec ldap-master slapcat -F /etc/ldap/slapd.d -n1 >/tmp/db1.ldif
docker exec ldap-master slapcat -F /etc/ldap/slapd.d -n2 >/tmp/db2.ldif
EOF
scp "[email protected]:/tmp/db*.ldif" "backups/$timestamp/provider"
ssh -T [email protected] <<EOF
set -e
rm /tmp/db0.ldif /tmp/db1.ldif /tmp/db2.ldif
EOF

# Consumer
# Has 2 dbs (config + main)

ssh -T [email protected] <<EOF
set -e
docker exec ldap-slave slapcat -F /etc/ldap/slapd.d -n0 >/tmp/db0.ldif
docker exec ldap-slave slapcat -F /etc/ldap/slapd.d -n1 >/tmp/db1.ldif
EOF
scp "[email protected]:/tmp/db*.ldif" "backups/$timestamp/consumer"
ssh -T [email protected] <<EOF
set -e
rm /tmp/db0.ldif /tmp/db1.ldif
EOF

echo "Finished!"
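Review bot: the provider and consumer blocks write the slapcat output to `/tmp/db*.ldif` on the host as root with the default umask, so a full directory dump (password hashes included) sits world-readable in `/tmp` between the `slapcat` and the `rm`; and because the outer script runs with `set -eu`, a failed `scp` exits before the cleanup heredoc runs and leaves those files behind. Suggest either adding `umask 077` as the first line of each remote heredoc and cleaning up in a `trap`, or dropping the intermediate files entirely by streaming each export straight into the local backup, e.g. `ssh root@host docker exec ldap-master slapcat -F /etc/ldap/slapd.d -n0 > "backups/$timestamp/provider/db0.ldif"`.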
28 changes: 28 additions & 0 deletions services/openldap/load-to-dev.sh
@@ -0,0 +1,28 @@
#!/bin/bash
set -eu

if [ "$1" = "provider" ]; then
server="fcos-2.nrec.foreningenbs.no"
dataname="ldap-master"
elif [ "$1" = "consumer" ]; then
server="fcos-3.nrec.foreningenbs.no"
dataname="ldap-slave"
else
echo "Usage: $0 <provider|consumer>"
exit 1
fi

if [ -e data/dev ]; then
echo "Delete data/dev first"
exit 1
fi

mkdir -p data/dev
scp -rp "root@$server:/var/mnt/data/$dataname-config" data/dev/config
scp -rp "root@$server:/var/mnt/data/$dataname-data" data/dev/data

# Remove TLS stuff for local dev to avoid having to deal
# with decrypting the key for it in this repo.
sed -i 's|olcTLSCertificateKeyFile: /certs/slapd.key|#olcTLSCertificateKeyFile: /certs/slapd.key|' "data/dev/config/cn=config.ldif"

echo "Finished!"
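Review bot: with `set -eu` the first `if [ "$1" = "provider" ]` aborts with an "unbound variable" error when the script is run without arguments, so the usage message in the `else` branch is never reached; use `"${1:-}"` in both tests. Two further points: `scp -rp` copies `$dataname-data` from the running container's live mdb directory, and a `data.mdb` copied while slapd is writing is not guaranteed to be consistent, so exporting with `slapcat` (as `full-backup.sh` already does) and loading with `slapadd` would be the safer source for the dev copy; and the `sed` that comments out `olcTLSCertificateKeyFile` in `cn=config.ldif` invalidates the `# CRC32` header of that file, so either run the checksum fix from the README's "Fikse feil checksum" section after the `sed`, or mention in the comment that slapd will report a checksum warning on the edited file.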
