LDAP at U of C

(2009-09-15 Mike Morrow)

Introduction

Reason for LDAP

• Campus-wide authentication by username, eID, UCID number
• Directory content
• Active Directory population
• Application authorization

This Document (http://www.ucalgary.ca/~morrow/ldap/index.html)

What the public can know

How to build an LDAP server

Sharepoint files

Current Configuration

Host machines

Aliases

How LDAP works

slurpd -- replication daemon, replicates changes on master.ldap.ucalgary.ca to slaves.

Important directories

• Configuration /usr/local/etc/openldap/

  Configuration files

  slapd.conf slapd.conf.(base|eid|uidauthent|people) -- attributes and indexing for each tree

  slapd.conf.replica -- rules for replication to slaves

  slapd.conf.acl -- access control

  master.(cert|key|req).pem -- SSL certificates, self-signed

• Databases /var/openldap/
  • master.ldap.ucalgary.ca
    • master -- accepts asynchronous updates, serves replication data, undergoes dailymaint
    • public -- publicly-accessible directory server
    • slave-a -- collects replication logs

  • test.ldap.ucalgary.ca
    • test -- test server for Peoplesoft, application developers, undergoes dailymaint (hands off)
    • public -- testing of UNITIS userclass change for public.ldap.ucalgary.ca
    • qa -- QA server, meant to be an accurate replica of master.ldap.ucalgary.ca
    • qa-public -- QA server, meant to be an accurate replica of public.ldap.ucalgary.ca
    • dev-2.3.4 -- archive of development server for version 2.3.4
    • dev -- runs on LDAP 2.4.16

  • Database structure
    • Directories: base, people, uidauthent, eid
    • Files: slapd.args, slapd.mode, slapd.owner, slapd.pid

  • Log /var/log/openldap
    • Rotated every hour

Asynchronous updates

• master.ldap.ucalgary.ca receives XML files from Peoplsoft into /home/psfs/newucids
• /var/queue/PeopleUpdateDaemon is a symbolic link to /home/psfs/newucids
• PeopleUpdateDaemon processes the XML files, putting LDIF files into /var/queue/ApplyLdifDaemon
• ApplyLdif processes the LDIF files.
• The XML files are archived in /home/psfs/newucids.archive

Active Directory Updates

• Trigger files written in /var/queue/ADSyncDaemon by ApplyLdif.sh

PCI commands

• pci slap -- start, stop, status for the LDAP daemon

• pci slurp -- start, stop, status for the replication daemon

• pci resync -- synchronize slave server databases with master

• pci rebuild -- rebuild a database, eg., after a schema change

Support scripts

Daily maintenance -- runs at 0315 every morning

Functions

• archive the LDAP configuration in /usr/local/etc/openldap
• back up the databases for this instance
• create LDIF files for future dailymaint use
• update the people tree
• update userclasses
• expire IT accounts
• synchronize memberships in the credential trees with those in the groups tree
• create IT usernames for those in certain ENG, CPSC, MATH courses
• assign email quotas
• create email, account info files for Data Warehouse
• create account info files for Application Data Warehouse
• create email, teleweb, tweaker info files for Peoplesoft
• test all instances
• rebuild the public instance
• synchronize LDAP user entries with Active Directory
• synchronize LDAP group entries with Active Directory
• handle email expiry and forwarding for alumni

Data sources (feed files)

• dailymaint expects them in /home/ldap/production? and /home/ldap/userclasses
• Most of them are symbolic links to files in team home directories

  Feed files in /home/ldap/production? Feed files in /home/ldap/userclasses Feed files in /home/ldap/userclasses/people

  File name	Link to	Guilty party	Notes
  hr.txt	/home/pshr/uchri003a.csv		delivered at 0111 from psfspda1.ucalgary.ca
  id.old.txt	/home/gagteam/ppdid061.txt		kept for barcode numbers used by MergeIDandStudentFiles.pl
  owners.txt			created by dailymaint
  ps.student.txt	/home/sisteam/sr83.data.txt	macrae@ucalgary.ca	used by MergeIDandStudentFiles.pl delivered at 2333 from eprdapp3.ucalgary.ca
  id.txt			created by MergeIDandStudentFiles.pl removed at the end of dailymaint
  siscourse.txt	/home/sisteam/sr83.course.txt	macrae@ucalgary.ca	delivered at 2333 from eprdapp3.ucalgary.ca
  sisinfo.txt	/home/sisteam/sr83.publish.txt	macrae@ucalgary.ca	delivered at 2333 from eprdapp3.ucalgary.ca
  teleweb.txt	/home/dcsteam/ldap.txt	nic.wang@ucalgary.ca
  tweaker.txt			created by dailymaint
  unitis/	/home/unitis/userclasses/	mlwruble@math.ucalgary.ca	created by ~unitis/bin/unxmlify.sh
  alumni	/home/alumni/LDAP_ALUMNI.CSV	aeahmed@ucalgary.ca	delivered at 1130 from 136.159.39.251
  alumni.associate	/home/alumni/LDAP_ASSOCIATE_ALUMNI.CSV	aeahmed@ucalgary.ca	delivered at 1130 from 136.159.39.251
  alumni.forward			delivered at 1130 from 136.159.39.251 created by dailymaint
  alumni.noforward			modified by pci UnUnForwardAlumniEmail
  camrec	/home/camrec/camrec.txt	qnguyen@ucalgary.ca	delivered at 0118 from pc90.ress.ucalgar.ca
  conted.instructor	/home/gagteam/ContEdInstructors.txt		delivered at 0255 from pc90.ress.ucalgary.ca
  conted.student	/home/gagteam/ContEdStudents.txt		delivered at 0255 from pc90.ress.ucalgary.ca
  er.researcher	/home/ersteam/Research_UCID_List.csv		delivered at 0602 from erdbprod02.admin.ad.ucalgary.ca
  it.eligible.alumni			created by dailymaint
  med.osler			created by dailymaint
  sas.peoplesoft.staff	/home/sisteam/sas.peoplesoft.staff	macrae@ucalgary.ca
  sis.egrades	/home/sisteam/sr83.egradeids	macrae@ucalgary.ca	delivered at 2302 from eprdapp3.ucalgary.ca
  sis.uofc101	/home/sisteam/sr83.admitted.txt	macrae@ucalgary.ca	delivered at 2302 from eprdapp3.ucalgary.ca