Service ID OpenLDAP
Cintia Del Rio edited this page Jul 15, 2022 · 55 revisions
No license.
LDAP directory. Accessed by the ID Dashboard and Crowd.
OpenLDAP is dockerized. It listens on 127.0.0.1:689. It's only accessible from the ambam and baragoi machines.
To restart the service:
```sh
cd /root/docker/ldap
docker-compose restart openldap
```
Deployed via the ansible/docker-compose apps.
Check Backups-Strategy to understand how to download or upload backup files from/to AWS S3.
To back up:
- Stop your OpenLDAP server (`docker-compose stop ldap`)
- Make a copy of the LDAP config directory (`/data/docker/volumes/ldap_config`) and the LDAP data directory (`/data/docker/volumes/ldap_database`) to your backup directory
- Start the OpenLDAP server (`docker-compose start ldap`)
To restore from a backup:
- Stop your OpenLDAP server (`docker-compose stop ldap`)
- Replace the contents of the LDAP config directory (`/data/docker/volumes/ldap_config`) and the LDAP data directory (`/data/docker/volumes/ldap_database`) with the contents extracted from the backup
- Start the OpenLDAP server (`docker-compose start ldap`)
- Using slapcat/slapadd is not recommended and can lead to inconsistencies.
In production:
```sh
# Generate data for users and groups only
docker exec -it openldap bash
# inside the container:
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=groups,dc=openmrs,dc=org" > /tmp/groups.ldif
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=users,dc=openmrs,dc=org" > /tmp/users.ldif
exit
# back on the host:
docker cp openldap:/tmp/groups.ldif /tmp
docker cp openldap:/tmp/users.ldif /tmp
```
Copy those files to your machine using SCP, and copy them over to staging.
```sh
# in staging, in a bootstrapped and empty ldap:
docker exec -it openldap bash
# load users first, then the groups that reference them
time ldapmodify -w ${LDAP_ADMIN_PASSWORD} -D "cn=admin,dc=openmrs,dc=org" -a -f /tmp/users.ldif
time ldapmodify -w ${LDAP_ADMIN_PASSWORD} -D "cn=admin,dc=openmrs,dc=org" -a -f /tmp/groups.ldif
# check the docker compose .env files in ansible for the expected passwords (atlas and omrsid)
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=atlas,ou=system,dc=openmrs,dc=org" -a "atlas"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=omrsid,ou=system,dc=openmrs,dc=org" -a "omrsid"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=crowd,ou=system,dc=openmrs,dc=org" -a "crowd"
```
To follow the logs:
```sh
cd /root/docker/ldap
docker-compose logs -f
```
Check the certificate to see if it has expired:
```sh
echo -n | openssl s_client -showcerts -connect ldap.openmrs.org:636 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' | openssl x509 -text | fgrep -A2 "Validity"
```
To update certificates, do a `cd /root/docker/ldap; docker-compose down; docker-compose up -d`.
If you want to check whether a user belongs to a group in LDAP, there are several ways:
- Check formage, as mongodb has a copy of users created since January 2019
- Crowd. It might time out.
- JIRA or Wiki user management screen (only if they've already logged in, as the groups are only loaded on those occasions)
- Straight in LDAP:
```sh
ssh ldap.openmrs.org
sudo -i
docker exec -it openldap bash
SEARCH_USER=<username>
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-users,ou=groups,dc=openmrs,dc=org" | fgrep "$SEARCH_USER"
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-trunk-developer,ou=groups,dc=openmrs,dc=org" | fgrep "$SEARCH_USER"
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=confluence-users,ou=groups,dc=openmrs,dc=org" | fgrep "$SEARCH_USER"
```
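The `fgrep` above is a substring match, so searching for `bob` also reports `bobby`, and it misses members whose DN `ldapsearch` emitted base64-encoded (`uniqueMember::`) or folded across lines. The following is an added example, not part of this wiki or of the OpenMRS tooling: it parses the LDIF that `ldapsearch -LLL` prints and checks the group for the user's exact DN. The group content and the uids in it are constructed for the example.

```python
import base64
# Constructed sample of what `ldapsearch -LLL -b "ou=groups,dc=openmrs,dc=org"` prints.
# One value is base64 ("::"), one DN is folded over two lines; the uids are made up.
_CAROL = base64.b64encode(b"uid=carol,ou=users,dc=openmrs,dc=org").decode()
SAMPLE_GROUPS_LDIF = f"""\
dn: cn=jira-users,ou=groups,dc=openmrs,dc=org
objectClass: groupOfUniqueNames
cn: jira-users
uniqueMember: uid=alice,ou=users,dc=openmrs,dc=org
uniqueMember: uid=bobby,ou=users,dc=openmrs,dc=org
uniqueMember:: {_CAROL}

dn: cn=jira-trunk-developer,ou=groups,dc=openmrs,dc=org
objectClass: groupOfUniqueNames
cn: jira-trunk-developer
uniqueMember: uid=alice,ou=users,dc=openm
 rs,dc=org
"""

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # leading space = continuation
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                # sentinel flushes the last entry
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def is_member(ldif_text, uid, group_cn):
    """True only if uid's full DN is listed in the group (no substring matching)."""
    group_dn = f"cn={group_cn},ou=groups,dc=openmrs,dc=org".lower()
    user_dn = f"uid={uid},ou=users,dc=openmrs,dc=org".lower()
    for entry in parse_ldif(ldif_text):
        if entry.get("dn", [""])[0].lower() == group_dn:
            members = entry.get("uniquemember", []) + entry.get("member", [])
            return user_dn in (m.lower() for m in members)
    return False                                # group not found
```

Feed it the real output of the `ldapsearch` commands above (`docker cp` the file out as in the production section) to check a uid against any of the groups.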
Check Rename user docs.
Read this before updating this wiki.