Gentoo Infrastructure LDAP guide

1. Key Concepts

LDAP stands for Lightweight Directory Access Protocol, a lightweight client-server protocol for accessing directory services. LDAP directory service is based on a client-server model. One or more servers contain the data making up the LDAP directory tree. An LDAP client connects to an LDAP server and requests information. The server responds with the data or points the client to another source. (typically another LDAP server).

Just like a database, an entry in LDAP consists of fields of data or 'Attributes'. This collection of attributes is called a 'Schema'. This guide will explain which attributes are available, who can change them and give role based examples for modifying the Gentoo LDAP Schema.

When a developer accesses a resource, like dev.gentoo.org (woodpecker.gentoo.org), the resource acts as an LDAP client and queries the LDAP server (ldap1, ldap2, ldap3, ldap4) to see if that user is in the database and authorized for access.

LDAP Access Levels

LDAP is used by Gentoo to secure the infrastructure. Gentoo resources are spread across the globe and LDAP gives us a central location to manage them. There are four levels of access: anonymous, user, recruiter and infra that are used to control what can be changed in the LDAP database. These are controlled via special values in the gentooAccess attribute.

You must connect or bind to the LDAP database either anonymously, or a known user. Binding anonymously will always grant only the anonymous level, while binding as a known user will grant you the level based on your user and potentially where you are connecting from.

The anonymous level is used for simple read only informational queries. All developers and staff can bind to LDAP as anonymous. If you don't specify a mode when you bind, anonymous is assumed.

The user level is used to add or change information in your own LDAP record. Things like your latitude and longitude, ssh public key and so on. All users can access the user level, by binding as themselves with the mode specified, and providing their password.

The recruiter level enables recruiters to add new users, and perform some administrative changes to users.

The infra level enables the infrastructure team full power over LDAP, and is additionally protected by only being available from ldap1.gentoo.org (toucan.gentoo.org).

Note: All write operations performed by infra must be performed on ldap1.gentoo.org (toucan.gentoo.org). Normal user and recruiter write operations may be performed on any LDAP-connected Gentoo box, however it is strongly recommended that you use dev.gentoo.org (woodpecker.gentoo.org).

2. Gentoo LDAP Implementation

LDAP Servers

Currently we have four LDAP servers available. The master server and three slave servers. The master LDAP server is reachable at ldap1.gentoo.org. The slave servers are ldap2.gentoo.org, ldap3.gentoo.org, ldap4.gentoo.org and they connect every 60 seconds to the master to replicate changes from the master.

Every update operation must be done on ldap1.gentoo.org, if an update (which means writing some entry) is performed on the slave a referral to the master is issued. This is transparently handled and all attempts to update against the slave will be redirected to the master. Connections are validated via TLS + password. The password is your dev one and is the same for all LDAP-aware boxes.

We use a custom script, perl_ldap that uses Net::LDAP, for accessing and modifying the database, it allows only a predefined set of actions but it should cover 95% of the cases. In the following chapters we explain how to use it.

Note: dev.gentoo.org is currently using ldap2.gentoo.org as its first server so any update you do could take up to 60 seconds for being seen on dev.gentoo.org. We use nscd (Name Service Caching Daemon) to cache negative and positive lookups. This means that your changes may not become active for some time. If you need to force the change we can restart nscd for you. Ask in #gentoo-infra for help with this. Additionally, we use nsscache to provide resiliency against LDAP servers being temporarily unavailable for NSS lookups, but we do NOT keep local copys of SSH keys.

Available Attributes

The following attributes are included in the Gentoo Schema. Note the 'Access Level' needed to write each attribute. Anonymous reading is allowed unless otherwise noted. Required fields are emphasised.

Attribute Name	Access Level	Description	Type	Format
birthday	user (not globally readable)	developer birthday	single, optional	UTF-8
gentooAccess	infra, top level recruiters only	developer access level	multiple, required	UTF-8
gentooAlias	infra, recruiters	alternate names for this developer	multiple, required	UTF-8
gentooGPGFingerprint, gpgfingerprint	user	GPG key fingerprint	multiple, optional	UTF-8
gentooGPGkey, gpgkey	user	GPG key uid	multiple, required	UTF-8
gentooIM	user	instant messaging ID	multiple, optional	UTF-8
gentooJoin	infra, recruiters	developer join date	multiple, required	UTF-8
gentooLatitude, lat	user	latitude coordinate	single, optional	signed decimal string
gentooLocation	user	developer location	single, required	UTF-8
gentooLongitude, lon	user	longitude coordinate	single, optional	signed decimal string
gentooRetire	infra, recruiters	developer retirement date	multiple, optional	UTF-8
gentooRoles	user	developer projects	single, required	UTF-8
gentooStatus	infra, recruiters	developer status	single, required	UTF-8
sshPublicKey	user	OpenSSH public key	multiple, required	UTF-8

Note: All dates must be formatted as ISO8601, YYYY/MM/DD.

The following attributes were in use at some point in the past, but have been retired: gentooHerd, gentooAltMail, gentooForumsUID.

LDAP aware servers

Server Name	Alias	Status
dunlin.gentoo.org	ldap1.gentoo.org	LDAP Master Server, LDAP client: accounts, sudo, ssh
duck.gentoo.org	ldap2.gentoo.org	LDAP Slave Server
corvid.gentoo.org	ldap3.gentoo.org	LDAP Slave Server
puffin.gentoo.org	ldap4.gentoo.org	LDAP Slave Server
woodpecker.gentoo.org	dev.gentoo.org	LDAP client: accounts, sudo, ssh
stork.gentoo.org	cvs.gentoo.org	LDAP client: accounts, sudo
sparrow.gentoo.org	torrents.gentoo.org	LDAP client: accounts, sudo, ssh
hornbill.gentoo.org	bugs-web1.gentoo.org	LDAP client: accounts, sudo, ssh
hummingbird.gentoo.org	bugs-web2.gentoo.org	LDAP client: accounts, sudo, ssh
gannet.gentoo.org	forums-web1.gentoo.org	LDAP client: accounts, sudo, ssh
godwit.gentoo.org	forums-web2.gentoo.org	LDAP client: accounts, sudo, ssh

LDAP management with perl_ldap

These are the main concepts of the perl_ldap script used for user administration. Invoking perl_ldap without arguments shows a nice help. Your own dev.gentoo.org password is asked when binding.

The script is the infra supported method for managing entries, nothing prevents you from using any LDAP browser you like for modifying your attributes. If you like to use something else, ask infra for connection details but keep in mind that we won't support and/or troubleshoot other browsers issues.

The following are the most common options.

-b MODE used to bind to the LDAP server. If you don't specify user, the script will default to anonymous and be read only.
-s <username> shows the entire LDAP record for the user username
-S ATTRIBUTE searches for a specific attribute across all users
-M ATTRIBUTE NEWVALUE <username> overwrites the value of an attribute for the specified user
-C ATTRIBUTE NEWVALUE <username> creates a new attribute for the specified user
-E ATTRIBUTE OLDVALUE <username> erases an attribute

3. Examples

Users

Gentoo Developers and Staff members (recruiters and infra please refer to the following sections) can update their LDAP record directly. Here are examples of the most commonly changed attributes. The most common error is using a actual username in place of the -b MODE argument, which takes user as the parameter.

Code Listing 3.1: Show attributes for a user entry

(Substitute an actual user name for <username>)
# perl_ldap -s <username>

(Binding as 'user' mode will show additional information.
Only replace <username>, not "user")
# perl_ldap -b user -s <username>

Code Listing 3.2: Change your roles

# perl_ldap -b user -M gentooRoles "<role string>" <username>

Code Listing 3.3: Change your GPG key

(Substitute your GPG key id <keyid>, with the leading 0x included)
# perl_ldap -b user -C gentooGPGkey "<newkeyid>" <username>
# perl_ldap -b user -E gentooGPGkey "<oldkeyid>" <username>

Code Listing 3.4: Add a new public SSH key

(substitute 'pubkey' with the path to your public SSH key. ex: "~/.ssh/id_dsa.pub". 
You should have one sshPublicKey attribute per key! No newlines!
Only replace <username>, not "user")
# perl_ldap -b user -C sshPublicKey "$(cat pubkey)" <username>

Code Listing 3.5: Erase an old public SSH key

# perl_ldap -b user -E sshPublicKey "$(cat oldpubkey)" <username>

Recruiters

Recruiters can change their own attributes or those of another user. You must bind as recruiters to change any attributes including your own. The following examples show how to change attributes for other users. To change your own attributes use the examples from the "users" section above but bind as a recruiter.

When dealing with users that belong to a sub-OU the -o OU option must be used, this will be clarified in the examples. The command -o OU must be used if the target user belongs to a sub-OU.

The following examples will show you how to change attributes for users, recruiters and infra. All write operations performed by infra against another user must be performed on dev.gentoo.org (woodpecker.gentoo.org).

Some attributes, like sshPublickey, and mail, allow multi-values. To append an additional value to the exiting ones use -C. You may not use -M with multi-valued attributes.

Code Listing 3.6: Modify (overwrite) an existing attribute for a user

# perl_ldap -b user -M gentooGPGkey "0x1AF343EB" <username>

Code Listing 3.7: Delete an attribute for a user

# perl_ldap -b user -E mail "myoldaddress@example.com" <username>

Code Listing 3.8: Add a new user (infra, recruiters)

# perl_ldap -b user -A <username>

Code Listing 3.9: Delete a user (infra)

# perl_ldap -b user -D <username>

Code Listing 3.10: Create or modify multi-value attributes

(Create a new attribute while preserving the existing ones. 
Use the command multiple times to add addtional attributes)
# perl_ldap -b user -C mail "myaltaddress@example.com" <username>
# perl_ldap -b user -C mail "backup@example.com" <username>

Code Listing 3.11: Reset a user password

(Only available to senior recruiters and infrastructure admins in the
useradmin group on woodpecker, as well as either the recruiters or
infra-ldapadmin groups in LDAP. You will be prompted for YOUR password. The new
user password will NOT be shown to you, it will only be placed in
/home/<username>/passwd.)
# sudo /usr/local/bin/newpasswd <username>

Infra

Infra can change their own attributes or those of another user. You must bind as user to change any attributes, including your own. To change your own attributes use the examples from the "users" section above from any LDAP-aware machine. To change another users record, you must be using perl_ldap from ldap1.gentoo.org (dunlin.gentoo.org).

The attribute gentooAccess controls which boxes a user can login to. Only infra and a few selected recruiters are allowed to create and modify this multi-value attribute. The FQDN must be used (ex. roadrunner.gentoo.org). Some special values also exist: infra.group, infra-ldapadmin.group, infra-cvsadmin.group, infra-system.group, recruiters.group.

4. Resources

Master LDAP Server - ldap1.gentoo.org
Slave LDAP Server - ldap2.gentoo.org
Slave LDAP Server - ldap3.gentoo.org
Slave LDAP Server - ldap4.gentoo.org
LDAP HOWTO

If you have issues, questions or encounter errors please contact the Gentoo Infrastructure Team.

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Updated November 10, 2009

Summary: Guide to using the Gentoo Infrastructure LDAP system for developers, recruiters and administrators.

Andrea Barisani
Author

Robin H. Johnson
Author

Luis Medinas
Editor

Curtis Napier
Editor

Donate to support our development efforts.