
Service ID OpenLDAP

cintiadr edited this page Aug 6, 2019 · 55 revisions

Location

  • Production: ako/Jetstream
  • Staging: ruiru/Jetstream

License

No license.

Description of the service

LDAP. To be accessed by the ID Dashboard and Crowd.

How to access it

OpenLDAP is dockerized. It listens on 127.0.0.1:689 and is only reachable from the ambam and baragoi machines.

How to restart it

```sh
cd /root/docker/ldap
docker-compose restart ldap
```

How to setup

Via ansible/docker compose apps.

Backups and restores

Backup

Check Backups-Strategy to understand how to download or upload backups files from/to AWS S3.

- Stop your OpenLDAP server (`docker-compose stop ldap`)
- Make a copy of the LDAP config directory (`/data/docker/volumes/ldap_config`) and the LDAP data directory (`/data/docker/volumes/ldap_database`) in your backup directory
- Start OpenLDAP server (`docker-compose start ldap`)

Restore

- Stop your OpenLDAP server (`docker-compose stop ldap`)
- Replace the contents of the LDAP config directory (`/data/docker/volumes/ldap_config`) and the LDAP data directory (`/data/docker/volumes/ldap_database`) with the contents extracted from the backup
- Start OpenLDAP server (`docker-compose start ldap`)
- Note: using slapcat/slapadd for backup or restore is not recommended and can lead to inconsistencies.

Logs

```sh
cd /root/docker/ldap
docker-compose logs -f
```

Troubleshooting

Crowd cannot connect to LDAP.

Check whether the certificate has expired:

```sh
echo -n | openssl s_client -showcerts -connect ldap.openmrs.org:636 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' | openssl x509 -text
```

Run `docker-compose down` followed by `docker-compose up -d` to recreate the containers so they pick up the new certificate.

Find user groups

If you want to check whether a user belongs to a group in LDAP, there are several ways:

  • Check formage, as mongodb has a copy of the users created since January 2019
  • Crowd (it might time out)
  • The JIRA or Wiki user management screen (only if the user has already logged in, as groups are only loaded on those occasions)
  • Straight in LDAP:

```sh
ssh ldap.openmrs.org
sudo -i
docker exec -it ldap_ldap_1 bash
SEARCH_USER=<username>
# -x: simple bind with the admin DN; -W prompts for the admin password (creds in LP)
ldapsearch -x -LLL -D "cn=admin,dc=openmrs,dc=org" -W -b "cn=jira-users,ou=groups,dc=openmrs,dc=org" | grep -F "$SEARCH_USER"
ldapsearch -x -LLL -D "cn=admin,dc=openmrs,dc=org" -W -b "cn=jira-trunk-developer,ou=groups,dc=openmrs,dc=org" | grep -F "$SEARCH_USER"
ldapsearch -x -LLL -D "cn=admin,dc=openmrs,dc=org" -W -b "cn=confluence-users,ou=groups,dc=openmrs,dc=org" | grep -F "$SEARCH_USER"
```
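A plain `fgrep $SEARCH_USER` over the group entry matches substrings, so checking for `jdoe` also reports `jdoe2`. The helper below is an added example (not part of this wiki page or the OpenMRS deployment) that parses the LDIF printed by `ldapsearch -LLL` and reports exact membership; it assumes group entries use `member`/`uniqueMember` DNs beginning with `uid=` or `memberUid` values, and the sample LDIF is constructed for the demo.

```sh
#!/bin/sh
# is_member USER: reads ldapsearch -LLL output on stdin; exit 0 if USER is a
# member of the group entry, 1 otherwise. Exact match, not a substring match.
is_member() {
  awk -v u="$1" '
    # LDIF folds long values: a line starting with a space continues the previous one
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") check(buf); buf = $0 }
    END { if (buf != "") check(buf); exit(found ? 0 : 1) }
    function check(line,   prefix) {
      if (line ~ /^memberUid: /) {                      # posixGroup style
        if (substr(line, 12) == u) found = 1
      } else if (line ~ /^(member|uniqueMember): /) {   # groupOfNames / groupOfUniqueNames
        sub(/^[^:]+: /, "", line)                       # keep only the member DN
        prefix = "uid=" tolower(u) ","                  # uid values are case-insensitive
        if (substr(tolower(line), 1, length(prefix)) == prefix) found = 1
      }
    }'
}

# Constructed sample group entry (hypothetical users, same DIT layout as the page).
SAMPLE_LDIF='dn: cn=jira-users,ou=groups,dc=openmrs,dc=org
cn: jira-users
member: uid=jdoe2,ou=users,dc=openmrs,dc=org
member: uid=alice,ou=users,
 dc=openmrs,dc=org
memberUid: bob
'

# Real use inside the container:
#   ldapsearch -x -LLL -D "cn=admin,dc=openmrs,dc=org" -W \
#     -b "cn=jira-users,ou=groups,dc=openmrs,dc=org" | is_member "$SEARCH_USER"
for u in jdoe jdoe2 alice bob; do
  if printf '%s' "$SAMPLE_LDIF" | is_member "$u"; then
    echo "$u: member"
  else
    echo "$u: not a member"
  fi
done
```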

Rename user

Check Rename user docs.
