Fellowship LDAP service: test database

Besides the production instance of the Fellowship LDAP database, the Fellowship LDAP server also hosts a test instance of the database.

This is used by the test instances of some Fellowship services (blogs, wiki, etc), and also to test new LDAP features.

The test database has the same entries of the production database, the only difference is in the dn attribute, which has dc=fsfe-test,dc=org instead of dc=fsfe,dc=org

The rest of this file documents the procedure to set up, or update, the test database.

0. Plan the operation

1. Make an LDIF dump of the current production database

slapcat -a "(entryDN:dnSubtreeMatch:=dc=fsfe,dc=org)" \
   -l fellowship.ldif -b 'dc=fsfe,dc=org'

2. Substitute fsfe -> fsfe-test in the ldif file

  cat fellowship.ldif \
  | sed -e 's/dc: fsfe/dc: fsfe-test/g' \
  | sed -e 's/dc=fsfe/dc=fsfe-test/g' > fsfe-test.ldif

3. Create the new test database (skip if upgrading)

Add a new database configuration to the cn=config database (see ./ldap_admin.txt for details)

- Clone the configuration, replacing "dc=fsfe" -> "dc=fsfe-test" everywhere - Change the "directory" option to: /var/lib/ldap-fsfe-test

mkdir /var/lib/ldap-fsfe-test
chown openldap: /var/lib/ldap-fsfe-test

4. Import the dump:

(as root): /etc/init.d/slapd stop

(if upgrading: move away the contents of /var/lib/ldap-fsfe-test)

su -s /bin/bash openldap
/usr/sbin/slapadd -l fsfe-test.ldif -b "dc=fsfe-test,dc=org"

(as root): /etc/init.d/slapd start

5. Test authentication in the new database

With the rootdn/pw:

ldapsearch -v -x -b 'ou=fellowship,dc=fsfe-test,dc=org' -W \
-D 'cn=admin,dc=fsfe-test,dc=org' '(uid=cri)'

With a test account:

ldapsearch -v -x -b 'ou=fellowship,dc=fsfe-test,dc=org' -W \
-D 'uid=cri,ou=fellowship,dc=fsfe-test,dc=org' '(uid=cri)'

6. (optional) Substitute all passwords with a known password

In some situations, e.g. when you are creating a copy of the database on a development server and you want to test some LDAP features, it might be needed to set all Fellow passwords to a known value.

Generate a userPassword value for the new password "password"


(enter "password" twice)

Output: {SSHA}9kGxpuNobOq9ftRtypKQ4KJc+Wb55Gxu

Base64-encode the output;

echo '{SSHA}9kGxpuNobOq9ftRtypKQ4KJc+Wb55Gxu' | base64

Output: e1NTSEF9OWtHeHB1Tm9iT3E5ZnRSdHlwS1E0S0pjK1diNTVHeHUK

Generate a command snippet:

echo "changetype: modify
replace: userPassword
userPassword:: e1NTSEF9OWtHeHB1Tm9iT3E5ZnRSdHlwS1E0S0pjK1diNTVHeHUK
" > changepassword.txt

Generate a ldif change file for all entries (except admin):

grep '^dn: uid' fsfe-test.ldif | grep -v '^dn: uid=admin'> dn.txt
cat dn.txt | while read ; do echo "$REPLY" | cat - changepassword.txt >> changepassword.ldif ; done

Apply the changes to the ldap server

ldapmodify -x -f changepassword.ldif -W -D 'cn=admin,dc=fsfe-test,dc=org' -H ldap://localhost

(when prompted enter the rootdn password)

- 7. (optional) Add a fake email address to disabled entries

echo "changetype: modify
add: mail
" > addmail.txt

Dump a list of entries lacking the "mail" attribute (beware: raise "sizelimit" in the server configuration!)

ldapsearch -v -x -b 'ou=fellowship,dc=fsfe-test,dc=org' -W -D 'cn=admin,dc=fsfe-test,dc=org' \
-H ldap://localhost '(!(mail=*))' 'dn' \
| grep '^dn: uid' | grep -v '^dn: uid=admin'> dn-nomail.txt

Generate a ldif change file for the entries and apply it to the server: (this creates the same mail address for all entries: not good for WP)

cat dn-nomail.txt | while read ; do echo "$REPLY" | cat - addmail.txt >> addmail.ldif ; done
ldapmodify -x -f addmail.ldif -W -D 'cn=admin,dc=fsfe-test,dc=org' -H ldap://localhost

(this creates a unique mail address)

cat dn-nomail.txt | cut -d '=' -f 2 | cut -d ',' -f 1 | while read ; \
do echo "dn: uid=${REPLY},ou=fellowship,dc=fsfenopass,dc=org
changetype: modify
replace: mail
mail: ${REPLY}
" >> adduniquemail.ldif ; done

ldapmodify -x -f adduniquemail.ldif -W -D 'cn=admin,dc=fsfe-test,dc=org' -H ldap://localhost

TechDocs/TechnicalProcesses/LDAP/TestDB (last edited 2018-04-20 12:32:14 by vincent)