Skip to content

Service ID OpenLDAP

Jump to bottom
cintiadr edited this page Sep 27, 2024 · 55 revisions

License

No license.

Description of the service

LDAP. To be accessed by the ID (keycloak and legacy)

How to access it

OpenLDAP is dockerized. It listens on 127.0.0.1:689. It's only accessible from some machines, configured in terraform.

This setup is pretty fragile, particularly related to letesencrypt certificates.

How to restart it

cd /root/docker/ldap
docker-compose down && \
  docker-compose up -d

How to setup

Via ansible/docker compose apps.

Production backups and restores

Backup

Check Backups-Strategy to understand how to download or upload backups files from/to AWS S3.

- Stop your OpenLDAP server (`docker-compose stop ldap`)
- Make a copy of LDAP config directory (`/data/docker/volumes/ldap_config`) and LDAP data directory (`/data/docker/volumes/ldap_database`) to your backup directory
- Start OpenLDAP server (`docker-compose start ldap`)

Restore

- Stop your OpenLDAP server (`docker-compose stop ldap`)
- Replace the contents of LDAP config directory (`/data/docker/volumes/ldap_config`) and LDAP data directory (`/data/docker/volumes/ldap_database`) with the contents extracted
- Start OpenLDAP server (`docker-compose start ldap`)
  • Using slapcat/slapadd is not recommended and can lead to inconsistencies.

Copying data from production to staging

In production:

# Generate data for users and groups only

$ docker exec -it openldap bash
$$ ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=groups,dc=openmrs,dc=org" > /tmp/groups.ldif
$$ ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=users,dc=openmrs,dc=org"   > /tmp/users.ldif
$$ exit

Copy those files from the production docker container into staging docker container.


# Copy data from docker container into production machine
$ docker cp openldap:/tmp/groups.ldif /tmp
$ docker cp openldap:/tmp/users.ldif /tmp

# Copy data into your local machine from production machine
$ scp -O adaba.openmrs.org:/tmp/groups.ldif groups.ldif
$ scp -O adaba.openmrs.org:/tmp/users.ldif users.ldif

## Open both files and remove the first entry, related to top level groups and users

# Copy data into staging machine
$ scp -O groups.ldif gode.openmrs.org:/tmp/groups.ldif
$ scp -O users.ldif gode.openmrs.org:/tmp/users.ldif 

# Copy data from staging machine into staging docker container
$ docker cp /tmp/groups.ldif ldap-prod-copy_openldap_1:/tmp/groups.ldif 
$ docker cp /tmp/users.ldif ldap-prod-copy_openldap_1:/tmp/users.ldif

In staging, import data.

# in staging, in a bootstrapped and empty ldap:

docker exec -it ldap-prod-copy_openldap_1 bash

time ldapmodify -w ${LDAP_ADMIN_PASSWORD} -D "cn=admin,dc=openmrs,dc=org"  -a -f /tmp/users.ldif
time ldapmodify -w ${LDAP_ADMIN_PASSWORD}  -D "cn=admin,dc=openmrs,dc=org"  -a -f /tmp/groups.ldif

# check docker compose .env files ansible for the expected passwords (atlas and omrsid)
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=atlas,ou=system,dc=openmrs,dc=org" -a "atlas"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=omrsid,ou=system,dc=openmrs,dc=org" -a "omrsid"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=crowd,ou=system,dc=openmrs,dc=org" -a "crowd"

Logs

cd /root/docker/ldap
docker-compose logs -f

Troubleshooting

ID cannot connect to LDAP.

Check certificate to see if it has expired:

echo -n | openssl s_client -showcerts -connect ldap.openmrs.org:636 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' | openssl x509 -text | fgrep -A2 "Validity"

Do a cd /root/docker/ldap; docker-compose down; docker-compose up -d to update certificates.

Find user groups

If you want to check if a user belongs to a group in LDAP, there's a bunch of way:

  • Check formage as mongodb has a copy of users created since January/2019, if they've logged in legacy ID
  • Straight in LDAP
ssh ldap.openmrs.org
sudo -i

# check the name of the openldap container
docker ps
docker exec -it ldap_openldap_1 bash # for example, ldap_openldap_1 is the name of the LDAP container 

SEARCH_USER=<username>
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-users,ou=groups,dc=openmrs,dc=org" | fgrep $SEARCH_USER
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-trunk-developer,ou=groups,dc=openmrs,dc=org" | fgrep $SEARCH_USER
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=confluence-users,ou=groups,dc=openmrs,dc=org" | fgrep $SEARCH_USER

To investigate data:



# see all data
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "dc=openmrs,dc=org"

## see all config
ldapsearch -LLL -D "cn=admin,cn=config" -w ${LDAP_ADMIN_PASSWORD} -b "cn=config"

## test user creds
ldapwhoami -D "uid=omrsid,ou=users,dc=openmrs,dc=org" -W
>> input password

Rename user

Check Rename user docs.

Read this before updating this wiki.

Home

Clone this wiki locally