LDAP
Revision as of 08:20, 20 April 2012
We use OpenLDAP for directory services. Our primary LDAP server is ginseng and our secondary LDAP server is artificial-flavours.
Querying LDAP
There are many tools available for issuing LDAP queries. Queries should be issued to ldap1.csclub.uwaterloo.ca. The search base you almost certainly want is dc=csclub,dc=uwaterloo,dc=ca. Read access is available without authentication; Kerberos is used to authenticate commands which require it.
Example:
ldapsearch -x -h ldap1.csclub.uwaterloo.ca -b dc=csclub,dc=uwaterloo,dc=ca uid=ctdalek
The -x option makes ldapsearch use a simple bind instead of SASL (a SASL/GSSAPI bind fails if you do not hold a Kerberos ticket). With -x and no -D/-w, the bind is anonymous, which is all that read access requires.
The University LDAP server (uwldap.uwaterloo.ca) can be queried the same way. Again, use simple authentication: read access is available (from on campus) without authentication, and SASL authentication will fail without additional parameters.
Example:
ldapsearch -x -h uwldap.uwaterloo.ca -b dc=uwaterloo,dc=ca "cn=Prabhakar Ragde"
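The filters above ("uid=ctdalek", "cn=Prabhakar Ragde") are fine when typed by hand, but scripts that build filters from user-supplied text must escape the RFC 4515 special characters, or an input such as "*" turns a lookup of one account into a dump of every account. The following is an added example, not code from this wiki or from OpenLDAP: it escapes assertion values per RFC 4515, and runs a constructed, in-memory stand-in for the directory (the entries and the toy matcher are invented here) to show the difference between the naive and the escaped filter offline.

```python
"""Safe construction of LDAP search filters (added example, not club code).

Special characters in RFC 4515 assertion values are ( ) * \\ and NUL; each
is replaced by a backslash and two hex digits. The sample entries and the
toy matcher below are constructed stand-ins so the effect can be seen
without a real directory; they are not how slapd evaluates filters.
"""
import re

_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory; not real data.
SAMPLE_ENTRIES = [
    {"uid": ["ctdalek"], "cn": ["Example User One"]},
    {"uid": ["alice"], "cn": ["Example User Two"]},
]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as RFC 4515 section 3 requires."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)


def build_filter(attr: str, value: str) -> str:
    """Equality filter of the form used with ldapsearch, e.g. (uid=ctdalek).

    The attribute description is restricted to a safe character set because
    it is usually fixed by the program, never taken from the user.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
        raise ValueError(f"bad attribute description: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Toy translation of an assertion value (with * wildcards and \\XX
    escapes) into a regex; used only by toy_search below."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        hexpair = pattern[i + 1:i + 3]
        if ch == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
            out.append(re.escape(chr(int(hexpair, 16))))  # escaped literal
            i += 3
        elif ch == "*":
            out.append(".*")  # substring wildcard
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out), re.DOTALL)


def toy_search(entries, flt: str):
    """Evaluate one (attr=value) filter over a list of dicts and return the
    matching uids. Anything more complex is rejected as malformed."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)", flt, re.DOTALL)
    if not m:
        raise ValueError(f"unsupported or malformed filter: {flt!r}")
    attr, rx = m.group(1).lower(), _pattern_to_regex(m.group(2))
    return [e["uid"][0] for e in entries
            if any(rx.fullmatch(v) for v in e.get(attr, []))]


def compare(user_input: str):
    """Return (naive filter, escaped filter, naive hits, escaped hits)."""
    naive = f"(uid={user_input})"          # what a careless script does
    safe = build_filter("uid", user_input)  # what it should do
    return naive, safe, toy_search(SAMPLE_ENTRIES, naive), toy_search(SAMPLE_ENTRIES, safe)


if __name__ == "__main__":
    for value in ("ctdalek", "*"):
        naive, safe, naive_hits, safe_hits = compare(value)
        print(f"input {value!r}: naive {naive} -> {naive_hits}; escaped {safe} -> {safe_hits}")
```

With the input "*" the naive filter becomes (uid=*) and matches every entry, while the escaped filter (uid=\2a) matches only an account literally named "*", i.e. nothing. Pass the escaped filter to ldapsearch as a single quoted argument, exactly as in the examples above.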
Replication
While ldap1.csclub.uwaterloo.ca (ginseng) is the LDAP master, an up-to-date replica is available on ldap2.csclub.uwaterloo.ca (artificial-flavours).
To replicate changes from the master, the slave keeps an authenticated connection to the master that grants it read access to the whole directory, so every change is visible to it.
Specifically, /etc/init.d/slapd-k5start maintains an active Kerberos ticket for ldap/artificial-flavours.csclub.uwaterloo.ca@CSCLUB.UWATERLOO.CA in /var/run/slapd/krb5cc. The slave uses this ticket to authenticate to the master, which maps the principal to cn=ldap-slave,dc=csclub,dc=uwaterloo,dc=ca; that DN has full read privileges.
If the master fails, all hosts should fail LDAP reads over to the slave seamlessly. Only reads fail over: the replica is a read copy, so changes still have to be made on the master.
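The mapping and access grant described above, as an added slapd configuration sketch. This is not the club's actual configuration: the file layout, the exact authz-regexp, the ACL on userPassword, the syncrepl parameters and the k5start invocation are all assumptions, written to show how the pieces (ticket, principal-to-DN mapping, read-only grant, consumer) fit together.

```text
### Master (ldap1.csclub.uwaterloo.ca / ginseng), hypothetical slapd.conf fragment ###

# A GSSAPI bind presents the slave's Kerberos principal as the SASL authentication
# identity below; authz-regexp rewrites it to the DN that the ACLs refer to.
authz-regexp
    "^uid=ldap/artificial-flavours\.csclub\.uwaterloo\.ca,cn=csclub\.uwaterloo\.ca,cn=gssapi,cn=auth$"
    "cn=ldap-slave,dc=csclub,dc=uwaterloo,dc=ca"

# Assumed ACLs: anonymous clients may read ordinary attributes (the page says read
# access needs no authentication), but only the replica DN may read everything,
# which is what lets it copy every change. Entry owners may set their own password.
access to attrs=userPassword
    by dn.exact="cn=ldap-slave,dc=csclub,dc=uwaterloo,dc=ca" read
    by self write
    by * none
access to *
    by dn.exact="cn=ldap-slave,dc=csclub,dc=uwaterloo,dc=ca" read
    by * read

### Slave (ldap2.csclub.uwaterloo.ca / artificial-flavours), hypothetical fragment ###

# Assumed k5start command run by /etc/init.d/slapd-k5start: take the principal from
# the host's keytab (-U), renew every 10 minutes (-K 10), keep the ticket in the
# cache slapd reads (-k), owned by the slapd user (-o/-g), in the background (-b).
#   k5start -b -U -f /etc/krb5.keytab -K 10 -k /var/run/slapd/krb5cc -o openldap -g openldap
# slapd must see that cache, e.g. KRB5CCNAME=/var/run/slapd/krb5cc in its environment.

# syncrepl consumer: pull changes from the master over a GSSAPI bind using that ticket.
syncrepl rid=001
    provider=ldap://ldap1.csclub.uwaterloo.ca
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=csclub,dc=uwaterloo,dc=ca"
    bindmethod=sasl
    saslmech=GSSAPI

# Keep the replica read-only for everyone else; writes are redirected to the master.
updateref ldap://ldap1.csclub.uwaterloo.ca
```

Two checks worth doing after such a setup: bind as the slave's principal with ldapwhoami (no -x, so SASL/GSSAPI is used) and confirm the reported identity is the cn=ldap-slave DN rather than the raw uid=ldap/...,cn=gssapi,cn=auth form, and run the same ldapsearch against ldap1 and ldap2 to confirm the replica returns identical entries.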