LDAP
LDAP stands for lightweight directory access protocol. CSUA uses this protocol to store user credentials and information, manage group membership, and authenticate users.
Tap uses an LDAP server called slapd (standalone LDAP daemon) to serve incoming LDAP requests. It operates in TLS mode on port 636. ldap.csua.berkeley.edu is a CNAME record that points to tap.
ldapvi is the primary command line interface to our LDAP database. It's used to make modifications to the existing LDAP entries such as groups and users. Basically, it performs an LDAP search, writes the results into a temporary buffer, and allows you to make edits using vi.
Using ldapvi
- On soda or tap, use ldapvi -D "(uid=$USER)". You must include the -D "(uid=$USER)" part to bind (authenticate) as yourself.
- Enter your password
- Make changes to the ldap database via vim
- Exit vim with :wq
- Confirm changes with y
ldapsearch is another command-line interface to LDAP. It is lower-level than ldapvi, and you usually won't need to use it.
Using ldapsearch on the command line, binding as robertq (-D), using simple authentication (-x), prompting for the bind password (-W), and searching for entries whose memberUid attribute is exactly robertq:
ldapsearch -D "uid=robertq,ou=People,dc=csua,dc=berkeley,dc=edu" -x -W "(memberUid=robertq)"
You can also use ldapsearch for determining account age. The account age is stored as the attribute createTimestamp. You can get all "operational attributes" using the "+" attribute wildcard. E.g.
$ ldapsearch -LLL -x "(uid=robertq)" +
dn: uid=robertq,ou=People,dc=csua,dc=berkeley,dc=edu
structuralObjectClass: account
entryUUID: c407411a-88f1-1036-8f73-7fbc1d677c0e
creatorsName: uid=newuser,ou=People,dc=csua,dc=berkeley,dc=edu
createTimestamp: 20170217001417Z
entryCSN: 20190105234906.133084Z#000000#000#000000
modifiersName: uid=robertq,ou=People,dc=csua,dc=berkeley,dc=edu
modifyTimestamp: 20190105234906Z
entryDN: uid=robertq,ou=People,dc=csua,dc=berkeley,dc=edu
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
www.csua.berkeley.edu LDAP utilities
We have many helper python functions for interacting with LDAP in our Django codebase. See https://github.com/CSUA/csua-backend/blob/master/apps/ldap/utils.py for examples. We use LDAP in Django to authenticate users and check group membership, among other things.
PB and root can go to https://www.csua.berkeley.edu/ldap/admin/ to edit LDAP group membership via a web interface.
The earliest entries in the LDAP database are dated April 23, 2007. It's likely that these entries were imported.
The posixAccount objectClass has an additional optional attribute, sid. As of April 2020, sid is being written but not used anywhere. Relevant attributes are uid, gecos and userPassword. Users can set their own userPassword using the ldappasswd utility.
gecos is like Phillip Nunez,[email protected]
The posixGroup objectClass seems to be unchanged. It has a list of memberUids.
The database schema and configuration are located in /etc/ldap/. To make changes to the config or schema, you have to use LDIF files with ldapmodify. The posixAccount definition (shown here unfolded; slapd wraps long LDIF lines onto continuation lines that start with a space) reads:
olcObjectClasses: {0}( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description $ sid ) )
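Two things on this page trip people up when they script against ldapsearch output: the createTimestamp value is an LDAP GeneralizedTime that has to be parsed before you can compute an account age, and LDIF (both search output and the schema config above) folds long lines onto continuation lines that begin with a space. The following is an added example, not code from the CSUA wiki or the csua-backend repository: a small stdlib-only LDIF reader that unfolds continuation lines, decodes base64 (::) values, computes account age from createTimestamp, and checks posixGroup membership by memberUid. The person entry is the ldapsearch output quoted above; the group entry (cn=example-group, gidNumber, the members and the folded description) is constructed for the example and is an assumption.

```python
"""Parse ldapsearch LDIF output offline: unfold continuation lines, read
operational attributes such as createTimestamp, and check posixGroup
membership. Sample records are constructed for this example."""
import base64
import re
from datetime import datetime, timezone

# Constructed sample: the ldapsearch output quoted on the wiki plus a
# hypothetical posixGroup entry (group name, gid and members are assumptions).
SAMPLE_LDIF = """\
dn: uid=robertq,ou=People,dc=csua,dc=berkeley,dc=edu
structuralObjectClass: account
entryUUID: c407411a-88f1-1036-8f73-7fbc1d677c0e
creatorsName: uid=newuser,ou=People,dc=csua,dc=berkeley,dc=edu
createTimestamp: 20170217001417Z
entryCSN: 20190105234906.133084Z#000000#000#000000
modifiersName: uid=robertq,ou=People,dc=csua,dc=berkeley,dc=edu
modifyTimestamp: 20190105234906Z
entryDN: uid=robertq,ou=People,dc=csua,dc=berkeley,dc=edu
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

dn: cn=example-group,ou=Group,dc=csua,dc=berkeley,dc=edu
objectClass: posixGroup
cn: example-group
gidNumber: 12345
memberUid: robertq
memberUid: alice
description: a long description that the server folded onto the
  next line, which an LDIF reader must join back together
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849: drop exactly one leading space
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():          # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):     # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20170217001417Z (UTC only)."""
    m = re.fullmatch(r"(\d{14})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def account_age_days(entry, now):
    """Whole days since the entry's createTimestamp (an operational attribute)."""
    created = parse_generalized_time(entry["createTimestamp"][0])
    return (now - created).days


def is_member(entry, uid):
    """True if uid is listed among the posixGroup entry's memberUid values."""
    return uid in entry.get("memberUid", [])


if __name__ == "__main__":
    person, group = parse_ldif(SAMPLE_LDIF)
    now = datetime.now(timezone.utc)
    print(person["entryDN"][0], "age:", account_age_days(person, now), "days")
    print("robertq in example-group:", is_member(group, "robertq"))
```

To run it against real data, pipe the output of the ldapsearch -LLL command above into parse_ldif instead of SAMPLE_LDIF; the -LLL flag suppresses the version header and comments, which is why the reader only has to cope with attribute lines, continuations and blank separators.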
Additionally, the database is indexed in certain ways to speed up lookups. However, not all query types are optimized. This could be improved in the future.