LDAP Server Management

The ldap users certificates signed by the SoCS Certificate Authority for SSL/TLS Connections. They must be renewed periodically. Modern certificates no longer use common name (CN), and prefer subject alternative name (SAN). Rancher will not allow login without SAN cert. Use the following same req.conf to create a config file for each certificate (replace peeves are required).

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = ON
L = Guelph
O = University of Guelph
OU = School of Computer Science
CN = peeves.socs.uoguelph.ca
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = peeves.socs.uoguelph.ca

openssl x509 -req -in ldapserver.csr -CA socs-cacert.pem -CAkey socsCA.key -CAcreateserial -out ldapserver.crt -days 500 -extfile req.conf -extensions 'v3_req'

• Ensure the following package is installed if it is not: libarchive-zip-perl
• Open the offending file in vim and remove the top two lines

# AUTO-GENERATE-FILE ...
# CRC32 #########

• run crc32 against the offending file
• Replace the top two lines removed from the file including the updated crc

• Open the cn=config ldap database on the server

  ldapvi -h ldap:/// -D cn=admin,cn=config -w <ldap_password> -b dc=config

• Modify the ldap database though a file

  ldapmodify -H ldapi:/// -x -D cn=admin,dc=config -W -f <path_to_ldif_file>

• Open the LDAP database for modifying entries

  ldapvi -h peeves.socs.uoguelph.ca -D cn=admin,dc=socs,dc=uoguelph,dc=ca

1. Run the “ldap-free-uidNumber.py” script. It will return the first available uidNumber for a new Staff/Faculty or Grad student
2. Make a copy of the appropriate ldif template. They are found in the scripts folder in ldif-samples
3. Search and replace the following fields
   • username
   • firstname
   • lastname
4. Set the uidNumber to the uidNumber you found in the first step
5. Set the room number if appropriate
6. set the phone number if appropriate
7. set the title if appropriate
8. Save the file.
9. Run the ldapadd command with the ldap server parameters, and with the file you just created. The ldap account is now created.
10. Edit fs-home-create.sh. Uncomment the “ProcessGroup” line for type of account of the newly created user.
11. Run the script directly on the file server.