LDAP service

1. About

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over a network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications.

2. Systems

2.1 Frontend

FQDN                      IPv6   IPv4
ldap.bfh.info
ipv6.ldap.bfh.info [1]
ipv4.ldap.bfh.info [1]

2.2 Backend

Warning
Always use the frontend DNS record

Never use the backend nodes directly:

  • backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
  • backend has no legacy support or grace periods, changes are implemented instantly
  • backend can be rebooted without notice at any time
  • backend access will soon be restricted

FQDN                          IPv6             IPv4
node1.ldap.bfh.info [1]       2a07:6b40::51    147.87.0.51
node2.ldap.bfh.info [1]       2a07:6b40::52    147.87.0.52
node3.ldap.bfh.info [1]       2a07:6b40::53    147.87.0.53
node4.ldap.bfh.info [1]       2a07:6b40::54    147.87.0.54

FQDN                              IPv6              IPv4
ldap-primary.bfh.info [1]         2a07:6b40::130    147.87.0.130
node1.ldap-primary.bfh.info [1]   2a07:6b40::131    147.87.0.131
node2.ldap-primary.bfh.info [1]   2a07:6b40::132    147.87.0.132

3. Features

3.1 ACLs

  • anonymous bind allowed from 2a07:6b40::/29, 147.87.0.0/16, and 10.0.0.0/8

  • legacy applications that do not support anonymous bind can use cn=read-only,dc=bfh with password bfh

4. Operations

  • TODO

Configuration update:

    cd /srv/$(cat /etc/hostname)/openldap
    git pull
    make reinstall
    bfh-slapd-new delete-config && bfh-slapd-new restore-config --file config-db-init.ldif

Force secondaries to re-sync from the primary (master):

Note:

  • this deletes the current database on the secondary

  • needs the bootstrap.ldif from the primary to configure the accounts necessary for syncing

  • syncing starts automatically, but it takes 2-3 minutes until the secondary delivers content again

    systemctl stop slapd
    bfh-slapd-new delete
    slapadd -n 1 -F /etc/ldap/slapd.d -l bootstrap.ldif
    chown -R openldap: /var/lib/ldap
    systemctl start slapd.service
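To confirm that a secondary really serves current data again after the procedure above, the following script compares the contextCSN of the suffix entry on the primary with the one on a secondary. This is an added example, not a tool from the BFH openldap repository. It assumes ldapsearch from ldap-utils is installed, that anonymous bind is permitted from the host it runs on (see 3.1), and that the suffix is dc=bfh, taken from the read-only DN on this page; the primary host name defaults to ldap-primary.bfh.info from the table in 2.2.

```shell
#!/bin/sh
# Added example: check whether a secondary has caught up with the primary.
# Assumptions: ldapsearch available, anonymous read allowed from this host,
# suffix dc=bfh (taken from the read-only DN on this page).

PRIMARY="${PRIMARY:-ldap-primary.bfh.info}"
SUFFIX="${SUFFIX:-dc=bfh}"

# Print every contextCSN value of the suffix entry on one server (anonymous
# bind). A multi-provider setup carries one value per server ID, so this may
# print several lines; a plain secondary prints one.
fetch_csn() {
    ldapsearch -LLL -x -H "ldap://$1" -b "$SUFFIX" -s base contextCSN 2>/dev/null \
        | sed -n 's/^contextCSN: //p'
}

# A contextCSN looks like 20240301101500.123456Z#000000#001#000000; the part
# before the first '#' is the change timestamp. Given CSN values on stdin,
# print the most recent timestamp. The timestamps are fixed-width and
# zero-padded, so a byte-wise sort orders them chronologically.
latest_timestamp() {
    sed 's/#.*//' | LC_ALL=C sort | tail -n 1
}

# Return 0 when the secondary timestamp is at least as recent as the
# primary's, 1 when the secondary lags, 2 when either value is missing
# (server unreachable, anonymous read denied, empty database).
csn_in_sync() {
    a="$1"; b="$2"
    [ -n "$a" ] && [ -n "$b" ] || return 2
    newest=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | tail -n 1)
    [ "$newest" = "$b" ]
}

# Compare one secondary against the primary and report the result.
# Usage: check_sync node1.ldap.bfh.info
check_sync() {
    node="$1"
    pt=$(fetch_csn "$PRIMARY" | latest_timestamp)
    st=$(fetch_csn "$node" | latest_timestamp)
    csn_in_sync "$pt" "$st" && { echo "$node in sync (contextCSN $st)"; return 0; }
    rc=$?
    echo "$node NOT in sync: primary=$pt secondary=$st" >&2
    return $rc
}
```

Run `check_sync` once per backend node right after restarting slapd and again a few minutes later; a result of 2 directly after the restart is expected while the secondary is still empty, a persistent 1 means the consumer never caught up and the bootstrap.ldif accounts should be checked.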

6. Backlog

Legacy

  • remove ldap.bfh.science container and records

  • review and document ldap schema

Setup

  • regenerate containers with Debian 12

  • upgrade to current openldap

  • compact db regularly via ldap-tools

  • restrict backend subnet access to frontend and management only

  • decide about multi-primary vs proxy

Features

  • reject read-only binds on the nodes from outside, so users get an immediate failure instead of a permission denied

  • create low-privilege nodes with only a subset of the data (for external access), keep high-privileged information on internal nodes only

  • anycasting ldap.bfh.info

  • test environment

  • benchmarking

Known issues

  • no known issues

Notes

  1. the systems ldap.bfh.info currently points to are being lifecycled and regenerated with their final IP addresses and backend names