
Service ID OpenLDAP

cintiadr edited this page Oct 6, 2024 · 55 revisions

License

No license.

Description of the service

The LDAP directory, accessed by the ID service (Keycloak and legacy ID).

How to access it

OpenLDAP is dockerized. It listens on 127.0.0.1:689 and is only reachable from a set of machines configured in Terraform.

This setup is fairly fragile, particularly around the Let's Encrypt certificates. A Let's Encrypt renewal hook script makes the private key readable by all users and then restarts the containers.

How to restart it

cd /root/docker/ldap-new
docker-compose down && \
  docker-compose up -d

How to setup

Via ansible/docker compose apps.

Production backups and restores

Backup

Check Backups-Strategy to understand how to download or upload backup files from/to AWS S3.

- Stop your OpenLDAP server (`docker-compose stop <ldap>`)
- Make a copy of LDAP config directory (`/data/docker/volumes/ldap_config`) and LDAP data directory (`/data/docker/volumes/ldap_database`) to your backup directory
- Start OpenLDAP server (`docker-compose start <ldap>`)

Restore

- Stop your OpenLDAP server (`docker-compose stop <ldap>`)
- Replace the contents of the LDAP config directory (`/data/docker/volumes/ldap_config`) and LDAP data directory (`/data/docker/volumes/ldap_database`) with the contents extracted from the backup
- Start OpenLDAP server (`docker-compose start <ldap>`)
- Note: using slapcat/slapadd is not recommended and can lead to inconsistencies.

Copying data from production to staging

In production:

# Generate data for users and groups only (run inside the openldap container)
$ docker exec -it <openldap> bash

# inside the container:
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=groups,dc=openmrs,dc=org" > /tmp/groups.ldif
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "ou=users,dc=openmrs,dc=org"  > /tmp/users.ldif
exit


Copy those files from the production docker container into the staging docker container.


# Copy data from docker container into production machine
$ docker cp <openldap>:/tmp/groups.ldif /tmp
$ docker cp <openldap>:/tmp/users.ldif /tmp

# Copy data into your local machine from production machine
$ scp -O adaba.openmrs.org:/tmp/groups.ldif groups.ldif
$ scp -O adaba.openmrs.org:/tmp/users.ldif users.ldif

# Manual step: open both files and remove the first entry of each, i.e. the
# top-level ou=groups and ou=users entries, which already exist in staging

# Copy data into staging machine
$ scp -O groups.ldif gode.openmrs.org:/tmp/groups.ldif
$ scp -O users.ldif gode.openmrs.org:/tmp/users.ldif

# Copy data from staging machine into staging docker container
$ docker cp /tmp/groups.ldif ldap-stg_openldap_1:/tmp/groups.ldif
$ docker cp /tmp/users.ldif ldap-stg_openldap_1:/tmp/users.ldif

In staging, import data.

# in staging, in a bootstrapped and empty ldap:

docker exec -it ldap-stg_openldap_1 bash

time ldapmodify -w ${LDAP_ADMIN_PASSWORD} -D "cn=admin,dc=openmrs,dc=org"  -a -f /tmp/users.ldif
time ldapmodify -w ${LDAP_ADMIN_PASSWORD}  -D "cn=admin,dc=openmrs,dc=org"  -a -f /tmp/groups.ldif

# Reset the system account passwords to the values staging expects; check the
# docker-compose .env files in ansible for the expected passwords (atlas and omrsid)
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=atlas,ou=system,dc=openmrs,dc=org"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=omrsid,ou=system,dc=openmrs,dc=org"
ldappasswd -x -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -S "uid=crowd,ou=system,dc=openmrs,dc=org"

Logs

cd /root/docker/ldap-new
docker-compose logs -f

Troubleshooting

ID cannot connect to LDAP.

Check certificate to see if it has expired:

echo -n | openssl s_client -showcerts -connect ldap.openmrs.org:636 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' | openssl x509 -text | fgrep -A2 "Validity"

If it has expired or been renewed, restart the containers so they pick up the new certificate: `cd /root/docker/ldap-new; docker-compose down; docker-compose up -d`.

Find user groups

If you want to check whether a user belongs to a group in LDAP, there are a few ways:

- Check Formage: MongoDB holds a copy of every user created since January 2019 who has logged in to legacy ID
- Straight in LDAP:
ssh ldap.openmrs.org
sudo -i

# check the name of the openldap container
docker ps
docker exec -it ldap_openldap_1 bash # for example, ldap_openldap_1 is the name of the LDAP container

# note: fgrep matches substrings, so a username that is a prefix of another
# user's name will also match; check the full member line in the output
SEARCH_USER=<username>
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-users,ou=groups,dc=openmrs,dc=org" | fgrep "$SEARCH_USER"
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=jira-trunk-developer,ou=groups,dc=openmrs,dc=org" | fgrep "$SEARCH_USER"
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "cn=confluence-users,ou=groups,dc=openmrs,dc=org" | fgrep "$SEARCH_USER"
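The two LDIF-handling steps on this page, dropping the top-level entry from an export before importing it into staging and checking group membership, as an added Python example (not part of the OpenMRS wiki or its repositories). It assumes `ldapsearch -LLL` output as the input format and uses a constructed sample export; the membership check generalizes the fgrep line above to an exact match over member/uniqueMember/memberUid values, so a username that is a prefix of another user's name is not reported as a member.

```python
import base64
# Constructed sample in the shape of an `ldapsearch -LLL` groups export (not
# real OpenMRS data); it has a folded line and a base64 ('::') value.
SAMPLE_GROUPS = """\
dn: ou=groups,dc=openmrs,dc=org
ou: groups

dn: cn=jira-users,ou=groups,dc=openmrs,dc=org
objectClass: groupOfNames
cn: jira-users
member: uid=bobby,ou=users,dc=openmrs,dc=org
member: uid=alice,ou=users,dc=openmrs,dc=org
description:: SmlyYSB1
 c2Vycw==
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]: a leading space continues the
    previous line, '::' marks a base64 value, blank lines separate entries."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def drop_base_entry(text, base_dn):
    """The 'remove the first entry' step: drop the search-base entry, keep the rest verbatim."""
    wanted = f"dn: {base_dn}".lower()
    keep = [b for b in text.strip().split("\n\n")
            if b.split("\n", 1)[0].strip().lower() != wanted]
    return "\n\n".join(keep) + "\n"

def is_member(group_ldif, username):
    """Exact, case-insensitive membership check over a group export. fgrep does a
    substring match, so it would report 'bob' as a member because 'bobby' is."""
    wanted = username.lower()
    for _dn, attrs in parse_ldif(group_ldif):
        for attr in ("member", "uniquemember", "memberuid"):
            for value in attrs.get(attr, []):   # "uid=<name>,..." or a bare uid
                if value.split(",", 1)[0].split("=", 1)[-1].strip().lower() == wanted:
                    return True
    return False
```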

To investigate data:

# see all data
ldapsearch -LLL -D "cn=admin,dc=openmrs,dc=org" -w ${LDAP_ADMIN_PASSWORD} -b "dc=openmrs,dc=org"

# see all config
ldapsearch -LLL -D "cn=admin,cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -b "cn=config"

# test user creds (-W prompts for the user's password)
ldapwhoami -D "uid=omrsid,ou=users,dc=openmrs,dc=org" -W

If a configuration needs to be changed, use the config user:

ldapmodify -w ${LDAP_CONFIG_ADMIN_PASSWORD} -D "cn=admin,cn=config"  -a -f <file>.ldif

Rename user

Check Rename user docs.
