Fellowship LDAP service: test database
This page has been moved to docs.fsfe.org with the rest of the sysadmin documentation.
Besides the production instance of the Fellowship LDAP database, the Fellowship LDAP server also hosts a test instance of the database.
This is used by the test instances of some Fellowship services (blogs, wiki, etc), and also to test new LDAP features.
The test database contains the same entries as the production database; the only difference is the suffix: every DN ends in dc=fsfe-test,dc=org instead of dc=fsfe,dc=org. Since the entries are straight copies, the test database also holds the production userPassword hashes of all Fellows unless they are replaced (step 6 below).
The rest of this file documents the procedure to set up, or update, the test database.
0. Plan the operation

   - The operation requires stopping the LDAP server for a couple of minutes (during the import step), so schedule it carefully. Both databases are served by the same slapd, so the production database is unavailable as well while the import runs.
1. Make an LDIF dump of the current production database

    slapcat -a "(entryDN:dnSubtreeMatch:=dc=fsfe,dc=org)" \
        -b 'dc=fsfe,dc=org' -l fellowship.ldif

   The dump contains every attribute, including the userPassword hashes of all Fellows: create it with a restrictive umask (e.g. umask 077), keep it on the server, and delete it together with fsfe-test.ldif once the import is done.
2. Substitute fsfe -> fsfe-test in the LDIF file

    sed -e 's/dc: fsfe/dc: fsfe-test/g' \
        -e 's/dc=fsfe/dc=fsfe-test/g' fellowship.ldif > fsfe-test.ldif

   The first expression renames the "dc" attribute of the root entry, the second rewrites the suffix in every DN, including DN-valued attributes such as group members, so references inside the database stay consistent. This is a plain text substitution: it does not reach DNs that slapcat emitted base64-encoded ("dn::" lines, used for RDNs with non-ASCII characters), so grep fsfe-test.ldif for "^dn::" and fix those by hand.
3. Create the new test database (skip if upgrading)

   Add a new database configuration to the cn=config database (see ./ldap_admin.txt for details):

   - Clone the fsfe.org configuration, replacing "dc=fsfe" -> "dc=fsfe-test" everywhere (this covers olcSuffix, olcRootDN and every olcAccess rule that names a DN, so the test database gets the same ACLs as production)
   - Change the "directory" option (olcDbDirectory) to: /var/lib/ldap-fsfe-test
   - Create the filesystem directory:

    mkdir /var/lib/ldap-fsfe-test
    chown openldap: /var/lib/ldap-fsfe-test
4. Import the dump

   As root, stop the server (slapadd must not run on a database that slapd has open):

    /etc/init.d/slapd stop

   If upgrading, move away the contents of /var/lib/ldap-fsfe-test first, so that the import starts from an empty database. Then import as the openldap user, so that the database files get the right owner (make fsfe-test.ldif readable by that user first, e.g. chown openldap: fsfe-test.ldif, if you created it with a restrictive umask):

    su -s /bin/bash openldap -c '/usr/sbin/slapadd -l fsfe-test.ldif -b "dc=fsfe-test,dc=org"'

   Finally, as root, start the server again:

    /etc/init.d/slapd start
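The rewrite of step 2 and a check of its result before it is handed to slapadd in step 4, as an added example that is not part of the original page or of the FSFE sysadmin scripts. The sample dump (the entries, the ou=groups subtree and the blog-users group) is constructed for the example; slapcat and slapadd themselves are not invoked. Unlike the sed line of step 2, the rewrite matches "dc=fsfe," with the trailing comma, so running it twice does not produce dc=fsfe-test-test.

```shell
#!/bin/sh
# Added example: rewrite a slapcat dump from dc=fsfe,dc=org to
# dc=fsfe-test,dc=org and sanity-check it before slapadd.
# The sample LDIF below is constructed for this example.
set -eu

OLD_DC=fsfe
NEW_DC=fsfe-test

# Rewrite the "dc" attribute of the root entry and every DN carrying the
# old suffix, including DN-valued attributes such as "member".  Matching
# "dc=fsfe," (with the comma) keeps the rewrite idempotent: a second run
# does not turn dc=fsfe-test into dc=fsfe-test-test.  stdin -> stdout.
rewrite_suffix() {
    sed -e "s/^dc: $OLD_DC\$/dc: $NEW_DC/" \
        -e "s/dc=$OLD_DC,/dc=$NEW_DC,/g"
}

# Checks on the rewritten dump.  Fails when the entry count changed, when
# the old suffix survives anywhere, or when the dump contains base64
# encoded DNs ("dn::", emitted by slapcat for non-ASCII RDNs): sed does
# not see inside those, so they must be rewritten by hand.
check_rewrite() {
    src=$1
    dst=$2
    n_src=$(grep -c '^dn:' "$src" || true)
    n_dst=$(grep -c '^dn:' "$dst" || true)
    if [ "$n_src" -ne "$n_dst" ]; then
        echo "entry count changed: $n_src in $src, $n_dst in $dst" >&2
        return 1
    fi
    if grep -q "dc=$OLD_DC,dc=org" "$dst"; then
        echo "old suffix still present in $dst" >&2
        return 1
    fi
    if grep -q '^dn::' "$dst"; then
        echo "base64-encoded DNs in $dst: rewrite those by hand" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the shape of a slapcat dump: root entry, an OU,
# one Fellow and a group whose member attribute references the Fellow.
write_sample_dump() {
    cat > "$1" <<'EOF'
dn: dc=fsfe,dc=org
objectClass: dcObject
objectClass: organization
dc: fsfe
o: constructed sample dump

dn: ou=fellowship,dc=fsfe,dc=org
objectClass: organizationalUnit
ou: fellowship

dn: uid=cri,ou=fellowship,dc=fsfe,dc=org
objectClass: inetOrgPerson
uid: cri
cn: Sample Fellow
sn: Fellow
userPassword:: e1NTSEF9OWtHeHB1Tm9iT3E5ZnRSdHlwS1E0S0pjK1diNTVHeHU=

dn: cn=blog-users,ou=groups,dc=fsfe,dc=org
objectClass: groupOfNames
cn: blog-users
member: uid=cri,ou=fellowship,dc=fsfe,dc=org
EOF
}

# Run the rewrite and the checks on the sample; non-zero exit on failure.
demo() {
    work=$(mktemp -d)
    write_sample_dump "$work/fellowship.ldif"
    rewrite_suffix < "$work/fellowship.ldif" > "$work/fsfe-test.ldif"
    check_rewrite "$work/fellowship.ldif" "$work/fsfe-test.ldif"
    grep -e '^dn:' -e '^dc:' -e '^member:' "$work/fsfe-test.ldif"
    rm -rf "$work"
}

demo
```

On the real server, replace write_sample_dump with the fellowship.ldif from step 1; check_rewrite failing on "dn::" lines is the signal to edit those entries by hand before running slapadd.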
5. Test authentication in the new database

   Both searches must bind successfully and return the uid=cri entry. With the rootdn/pw:

    ldapsearch -v -x -b 'ou=fellowship,dc=fsfe-test,dc=org' -W \
        -D 'cn=admin,dc=fsfe-test,dc=org' '(uid=cri)'

   With a test account (this verifies that the copied userPassword hashes work, i.e. the Fellow's production password is accepted by the test database):

    ldapsearch -v -x -b 'ou=fellowship,dc=fsfe-test,dc=org' -W \
        -D 'uid=cri,ou=fellowship,dc=fsfe-test,dc=org' '(uid=cri)'
6. (optional) Substitute all passwords with a known password

   In some situations, e.g. when you are creating a copy of the database on a development server and you want to test some LDAP features, it might be needed to set all Fellow passwords to a known value. Do this whenever the copy leaves the production server: otherwise the development machine holds the real password hashes of all Fellows.

   Generate a userPassword value for the new password "password":

    slappasswd
    (enter "password" twice)
    Output: {SSHA}9kGxpuNobOq9ftRtypKQ4KJc+Wb55Gxu

   SSHA is salted, so your output will differ; use your own value below.

   Base64-encode the output. Use printf, not echo: echo appends a newline, which base64 encodes as well, and the newline would then be stored as part of the hash.

    printf '%s' '{SSHA}9kGxpuNobOq9ftRtypKQ4KJc+Wb55Gxu' | base64
    Output: e1NTSEF9OWtHeHB1Tm9iT3E5ZnRSdHlwS1E0S0pjK1diNTVHeHU=

   (The base64 form is only needed for the "::" syntax used below; a plain "userPassword: {SSHA}..." line is equally valid LDIF, since "{" is a safe initial character.)

   Generate a command snippet (the trailing empty line separates the LDIF records):

    printf '%s\n' 'changetype: modify' 'replace: userPassword' \
        'userPassword:: e1NTSEF9OWtHeHB1Tm9iT3E5ZnRSdHlwS1E0S0pjK1diNTVHeHU=' '' > changepassword.txt

   Generate an LDIF change file for all entries (except admin):

    grep '^dn: uid' fsfe-test.ldif | grep -v '^dn: uid=admin' > dn.txt
    while IFS= read -r dn ; do
        printf '%s\n' "$dn" | cat - changepassword.txt >> changepassword.ldif
    done < dn.txt

   Apply the changes to the LDAP server (when prompted enter the rootdn password):

    ldapmodify -x -f changepassword.ldif -W -D 'cn=admin,dc=fsfe-test,dc=org' -H ldap://localhost
7. (optional) Add a fake email address to disabled entries

   This was needed for the inactive blogs migration. We proceed in a way similar to step 6. Create the command snippet:

    printf '%s\n' 'changetype: modify' 'add: mail' 'mail: fellowship@fsfe.org' '' > addmail.txt

   Dump a list of entries lacking the "mail" attribute (beware: raise "sizelimit" in the server configuration, otherwise the search stops after the default 500 entries; the attribute selector "1.1" asks for no attributes, so only the DNs are returned):

    ldapsearch -v -x -b 'ou=fellowship,dc=fsfe-test,dc=org' -W -D 'cn=admin,dc=fsfe-test,dc=org' \
        -H ldap://localhost '(!(mail=*))' '1.1' \
        | grep '^dn: uid' | grep -v '^dn: uid=admin' > dn-nomail.txt

   Generate an LDIF change file for the entries and apply it to the server. This variant gives the same mail address to all entries, which is not good for WP (WordPress wants one account per address):

    while IFS= read -r dn ; do
        printf '%s\n' "$dn" | cat - addmail.txt >> addmail.ldif
    done < dn-nomail.txt
    ldapmodify -x -f addmail.ldif -W -D 'cn=admin,dc=fsfe-test,dc=org' -H ldap://localhost

   This variant creates a unique address per entry, derived from the uid. Note the suffix in the generated DNs: it must be dc=fsfe-test,dc=org, the database that ldapmodify is bound to, or every change fails with "no such object":

    cut -d '=' -f 2 dn-nomail.txt | cut -d ',' -f 1 | while IFS= read -r uid ; do
        printf '%s\n' "dn: uid=${uid},ou=fellowship,dc=fsfe-test,dc=org" \
            'changetype: modify' 'replace: mail' "mail: ${uid}@fsfe.org" '' >> adduniquemail.ldif
    done
    ldapmodify -x -f adduniquemail.ldif -W -D 'cn=admin,dc=fsfe-test,dc=org' -H ldap://localhost
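The bulk-change generation of steps 6 and 7 in one script, as an added example that is not part of the original page or of the FSFE sysadmin scripts. It builds the base64 userPassword value with printf (so no newline ends up inside the stored hash), turns a dn.txt-style list into one LDIF modify record per Fellow while skipping the admin entry and any base64-encoded "dn::" line, and, for the unique-mail variant of step 7, derives the address from each entry's uid. The DN list, the uid "demo", the "{uid}" placeholder and the "-" record terminator are choices made for the example; ldapmodify is not invoked.

```shell
#!/bin/sh
# Added example for steps 6 and 7: build LDIF modify files for the test
# database from a list of "dn: ..." lines.  The DN list is constructed.
set -eu

# Base64 value for a "userPassword::" line.  printf, not echo: echo would
# append a newline, which base64 faithfully encodes and slapd would store
# as part of the hash.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# uid of a "dn: uid=<uid>,..." line.
dn_uid() {
    u=${1#dn: uid=}
    printf '%s' "${u%%,*}"
}

# Read DN lines from stdin and emit one modify record per Fellow.
#   $1  attribute to change (userPassword, mail)
#   $2  modify operation (replace, add)
#   $3  value line for the attribute, e.g. "userPassword:: e1NT..." or
#       "mail: {uid}@fsfe.org"; the placeholder {uid} is replaced by the
#       entry's uid, which is how the unique-address variant works
# Skips the admin entry, lines that are not uid= entries, and base64
# encoded DNs ("dn::"), which cannot be string-matched and are reported.
bulk_modify_ldif() {
    attr=$1
    op=$2
    template=$3
    ph='{uid}'
    while IFS= read -r dn; do
        case $dn in
            'dn:: '*) echo "skipping base64 DN, handle by hand: $dn" >&2; continue ;;
            'dn: uid=admin,'*) continue ;;
            'dn: uid='*) ;;
            *) continue ;;
        esac
        uid=$(dn_uid "$dn")
        case $template in
            *"$ph"*) value_line=${template%%"$ph"*}$uid${template#*"$ph"} ;;
            *)       value_line=$template ;;
        esac
        # One mod-spec per record, terminated by "-" and a blank line.
        printf '%s\nchangetype: modify\n%s: %s\n%s\n-\n\n' \
            "$dn" "$op" "$attr" "$value_line"
    done
}

# Number of modify records in an LDIF file (one "changetype:" line each).
count_records() {
    grep -c '^changetype: modify$' "$1" || true
}

demo() {
    work=$(mktemp -d)
    # Constructed dn.txt: two Fellows plus the admin entry, which must
    # not be touched.
    printf '%s\n' \
        'dn: uid=cri,ou=fellowship,dc=fsfe-test,dc=org' \
        'dn: uid=admin,ou=fellowship,dc=fsfe-test,dc=org' \
        'dn: uid=demo,ou=fellowship,dc=fsfe-test,dc=org' > "$work/dn.txt"

    # Step 6: the same known password for everyone (hash from the page).
    pw=$(b64_value '{SSHA}9kGxpuNobOq9ftRtypKQ4KJc+Wb55Gxu')
    bulk_modify_ldif userPassword replace "userPassword:: $pw" \
        < "$work/dn.txt" > "$work/changepassword.ldif"

    # Step 7, unique variant: mail address derived from the uid.
    bulk_modify_ldif mail replace 'mail: {uid}@fsfe.org' \
        < "$work/dn.txt" > "$work/adduniquemail.ldif"

    echo "$(count_records "$work/changepassword.ldif") password records"
    cat "$work/adduniquemail.ldif"
    rm -rf "$work"
}

demo
```

Feed the generated files to ldapmodify exactly as in steps 6 and 7; the "-" line after each mod-spec is standard LDIF and is accepted by ldapmodify alongside the shorter form used above.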