Openldap: Difference between revisions

From Federal Burro of Information
Jump to navigationJump to search
No edit summary
No edit summary
Line 46: Line 46:
== Setting up audit logging ==
== Setting up audit logging ==


This is a work in progress. We've got it owrking in UGO but there are some unanswered questions:
This is a work in progress. We've got it working in a client but there are some unanswered questions:


# who made the change?
# who made the change?

Revision as of 19:13, 21 April 2015

cn=config

We use the cn=config configuration option in all of Pandora. Ostensibly, since this means the configuration is stored in the ldap database itself, changes can be made without restarting the server. What this means in practice is that we no longer have a specific configuration file, we now have a bunch of ldif files in the cn=config directory.

To make a change, all you have to do is make the change in the ldif file and restart slapd.

If you need to make a change without restarting the server, use ldapmodify to change the cn=config database. I haven't done this, but it is possible and should be documented here when someone does it.


Dumping/Restoring Configs

Warning Make sure slapd has been stopped before performing any slap* commands ( slapcat, slapadd etc... )

To dump the cn=config database into an ldif file, use the following.

slapcat -n0 -F /etc/openldap/slapd.d > /tmp/config-in-portable-format.ldif

To restore, make sure the /etc/openldap/slapd.d is empty ( backup the old directory in case something goes wrong ). Make sure that the directory exists.

slapadd -n0 -F /etc/openldap/slapd.d -l /tmp/config-in-portable-format.ldif

New Server

The easiest way build out a server is to bring over an ldif file dumped from another server. Once you have imported it, LDAP nullifies the password hash so you will have to regenerate it. Its good practice to take a backup of the slapd.d directory from clean state, however its not strictly necessary since its part of the default install.

Changing the admin passwords

To change the administrative password, you have to generate a hash and then add it into the online configuration database.

First create a new password hash like so:

[root@ugo-dsp-ldap-01 ~]# slappasswd
New password: 
Re-enter new password: 
{SSHA}dQ1XbAEnEjqiRhWQ2NlytCjLKTEVteVy

There are two different admin accounts for OpenLDAP. One is the Manager which gives admin access to the directory and the other is for cn=config that allows you to modify OpenLDAP's configuration with ldifs (or an ldap editor like apache directory studio).

To modify the manager edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif and look for these two lines:

olcRootDN: cn=Manager,dc=ugo-wallet,dc=com
olcRootPW: {SSHA}e1NTSEF9OE9QWWhJbTFTNUhiU3l5WU53b25CcFJHNnRCanFwQjg=

Replace olcRootPW's entry with your new hash.

To change cn=config's password edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif and modify olcRootPW entry.

Setting up audit logging

This is a work in progress. We've got it working in a client but there are some unanswered questions:

  1. who made the change?
  2. how do you control changes are recorded ? all some writes? reads?
  3. how big will the log grow? can I rotate the log out hot ?

The how so far

create a file:

auditlog_setup_module.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog

then add it :

ldapadd -Y EXTERNAL  -H ldapi:/// -f auditlog_setup_module.ldif

create another file:

auditlog_setup_overlay.ldif

dn: olcOverlay=auditlog,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /tmp/auditlog.ldif

note that we figured out that olcDatabase={2} is the database that has our important user data in it.

then add it:

ldapadd -Y EXTERNAL -H ldapi:/// -f auditlog_setup_overlay.ldif

then restart ldap and tail you audit file.