Service ID OpenLDAP
LDAP, to be accessed by the ID service (Keycloak and legacy ID).
OpenLDAP is dockerized. It listens on 127.0.0.1:689 and is only accessible from some machines, which are configured in terraform.
This setup is pretty fragile, particularly around the Let's Encrypt certificates. There's a Let's Encrypt renewal hook script that adds read permission for all users on the key and also restarts the containers.
To restart the containers manually:

```
cd /root/docker/ldap-new
docker-compose down && \
docker-compose up -d
```
Deployed via ansible (docker compose apps).
Check Backups-Strategy to understand how to download or upload backup files from/to AWS S3.
To back up:

- Stop your OpenLDAP server (`docker-compose stop <ldap>`)
- Make a copy of the LDAP config directory (`/data/docker/volumes/ldap_config`) and the LDAP data directory (`/data/docker/volumes/ldap_database`) to your backup directory
- Start the OpenLDAP server (`docker-compose start <ldap>`)

To restore:

- Stop your OpenLDAP server (`docker-compose stop <ldap>`)
- Replace the contents of the LDAP config directory (`/data/docker/volumes/ldap_config`) and the LDAP data directory (`/data/docker/volumes/ldap_database`) with the contents extracted from the backup
- Start the OpenLDAP server (`docker-compose start <ldap>`)
- Using slapcat/slapadd is not recommended and can lead to inconsistencies.
In production:

```
# Generate data for users and groups only
$ docker exec -it <openldap> bash
$$ ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=groups,dc=openmrs,dc=org" > /tmp/groups.ldif
$$ ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=users,dc=openmrs,dc=org" > /tmp/users.ldif
$$ exit
```
Copy those files from the production docker container into the staging docker container:

```
# Copy data from the docker container onto the production machine
$ docker cp <openldap>:/tmp/groups.ldif /tmp
$ docker cp <openldap>:/tmp/users.ldif /tmp
# Copy data onto your local machine from the production machine
$ scp -O adaba.openmrs.org:/tmp/groups.ldif groups.ldif
$ scp -O adaba.openmrs.org:/tmp/users.ldif users.ldif
## Open both files and remove the first entry, i.e. the top-level ou=groups / ou=users record
# Copy data onto the staging machine
$ scp -O groups.ldif gode.openmrs.org:/tmp/groups.ldif
$ scp -O users.ldif gode.openmrs.org:/tmp/users.ldif
# Copy data from the staging machine into the staging docker container
$ docker cp /tmp/groups.ldif ldap-stg_openldap_1:/tmp/groups.ldif
$ docker cp /tmp/users.ldif ldap-stg_openldap_1:/tmp/users.ldif
```
In staging, import the data:

```
# in staging, in a bootstrapped and empty ldap:
docker exec -it ldap-stg_openldap_1 bash
time ldapmodify -w ${LDAP_ADMIN_PASSWORD} -D "cn=admin,dc=openmrs,dc=org" -a -f /tmp/users.ldif
time ldapmodify -w ${LDAP_ADMIN_PASSWORD} -D "cn=admin,dc=openmrs,dc=org" -a -f /tmp/groups.ldif
# check the docker compose .env files in ansible for the expected passwords (atlas and omrsid)
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=atlas,ou=system,dc=openmrs,dc=org"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=omrsid,ou=system,dc=openmrs,dc=org"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=crowd,ou=system,dc=openmrs,dc=org"
```
To follow the container logs:

```
cd /root/docker/ldap-new
docker-compose logs -f
```
Check the certificate to see whether it has expired:

```
echo -n | openssl s_client -showcerts -connect ldap.openmrs.org:636 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' | openssl x509 -text | fgrep -A2 "Validity"
```

To update the certificates, run:

```
cd /root/docker/ldap-new; docker-compose down; docker-compose up -d
```
If you want to check whether a user belongs to a group in LDAP, there are a few ways:

- Check formage, as mongodb has a copy of the users created since January 2019, if they've logged into legacy ID
- Straight in LDAP:

```
ssh ldap.openmrs.org
sudo -i
# check the name of the openldap container
docker ps
docker exec -it ldap_openldap_1 bash # for example, ldap_openldap_1 is the name of the LDAP container
SEARCH_USER=<username>
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-users,ou=groups,dc=openmrs,dc=org" | fgrep $SEARCH_USER
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-trunk-developer,ou=groups,dc=openmrs,dc=org" | fgrep $SEARCH_USER
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=confluence-users,ou=groups,dc=openmrs,dc=org" | fgrep $SEARCH_USER
```
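Two of the steps above are done by hand on the exported LDIF: removing the first entry before importing into staging, and grepping a group's entry for a username. The following is an added example, not part of this wiki or the OpenMRS infra code, that does both offline with a small LDIF parser; the `SAMPLE_GROUPS_LDIF` content is constructed in the shape of the `ou=groups` export and the uids in it are made up.

```python
import base64, re

# Constructed sample shaped like the groups.ldif export; the first entry is the OU to drop before import.
SAMPLE_GROUPS_LDIF = """\
dn: ou=groups,dc=openmrs,dc=org
ou: groups

dn: cn=jira-users,ou=groups,dc=openmrs,dc=org
cn: jira-users
description: Jira us
 ers
member: uid=alice,ou=users,dc=openmrs,dc=org
member: uid=bob,ou=users,dc=openmrs,dc=org

dn: cn=confluence-users,ou=groups,dc=openmrs,dc=org
cn:: Y29uZmx1ZW5jZS11c2Vycw==
member: uid=alice,ou=users,dc=openmrs,dc=org
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})], handling folded lines and base64 (::) values."""
    unfolded = re.sub(r"\n ", "", text)  # a continuation line starts with exactly one space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form used for non-safe strings
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs.setdefault(name, []).append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def drop_base_entry(text):
    """Return the LDIF text with its first entry (the ou=groups / ou=users record) removed."""
    return "\n\n".join(re.split(r"\n\s*\n", text.strip())[1:]) + "\n"

def _uid_from_dn(dn):  # "uid=alice,ou=users,..." -> "alice"
    m = re.match(r"uid=([^,]+),", dn, re.IGNORECASE)
    return m.group(1) if m else None

def members_of(entries, group_cn):
    """uids listed as member of the group with cn=group_cn ([] if no such group)."""
    return [_uid_from_dn(m) for _, a in entries
            if a.get("cn", [""])[0].lower() == group_cn.lower() for m in a.get("member", [])]

def groups_of(entries, uid):
    """cns of every group whose member list contains uid=<uid> (what the fgrep check answers)."""
    return [attrs["cn"][0] for _, attrs in entries
            if any(_uid_from_dn(m) == uid for m in attrs.get("member", []))]
```

Running `groups_of` over the real `groups.ldif` export answers the membership question without a second round of `ldapsearch` against production.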
To investigate data:

```
# see all data
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "dc=openmrs,dc=org"
## see all config
ldapsearch -LLL -D "cn=admin,cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -b "cn=config"
## test user creds
ldapwhoami -D "uid=omrsid,ou=users,dc=openmrs,dc=org" -W
# enter the user's password at the prompt
```

If a configuration needs to be changed, use the config user:

```
ldapmodify -w ${LDAP_CONFIG_ADMIN_PASSWORD} -D "cn=admin,cn=config" -a -f <file>.ldif
```
Check Rename user docs.
Read this before updating this wiki.