
LDAP

LDAP Servers

The LDAP servers are:

  • Primary: fluffy.socs.uoguelph.ca
  • Secondary: norberta.socs.uoguelph.ca
  • Backup: fang.socs.uoguelph.ca (not currently set up)

Fluffy and Norberta are virtual machines (LXC containers) hosted on two servers on the rack in Reynolds 115: Fluffy runs on Bones, and Norberta on Perkins. Both physical servers are labelled. Their consoles are reached from any machine connected to the mgmt network by connecting to “cp-<hostname>.mgnmt.socs.uoguelph.ca”, where hostname is the name of the physical machine the VM runs on. From there, run “sudo lxc-console -n <hostname>”, where hostname is the LDAP VM. Fang is located in a locked cabinet in Thorn 2421. All three servers are accessible via SSH from snowhite.socs.uoguelph.ca; Norberta and Fang will also accept SSH connections from Fluffy.

Detecting LDAP Failures

The only way to tell conclusively whether LDAP is running is to log into the LDAP server and check with ps that slapd is running. The general symptom of an LDAP failure is several unrelated systems having authentication problems at the same time: if you are getting complaints about the file server, web server, terminal servers, svn, etc. all failing to authenticate users at once, that is usually a good indication of an LDAP failure.
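The following script is an added example, not part of the original wiki page: it automates the two checks described above, first whether a slapd process is present (parsed from ps output, so it can be run on the server itself), and second whether the server actually answers a query from a client, which is what the authenticating systems care about. The base DN dc=socs,dc=uoguelph,dc=ca is taken from the DHCP and DNS entries on this page; that anonymous base-scope searches are permitted is an assumption.

```sh
#!/bin/sh
# Added example (not from the wiki page): LDAP health check.
# 1. slapd_pids  - is a slapd process present? (parses `ps -eo pid,comm` output)
# 2. ldap_answers - does the server answer a trivial anonymous search?
# A slapd that is running but hung still produces the "everything is failing
# authentication at once" symptom, so both checks are useful.

# Suffix of the SoCS directory (from the DHCP/DNS DNs on the wiki page).
LDAP_BASE="dc=socs,dc=uoguelph,dc=ca"

# slapd_pids: read `ps -eo pid,comm` output on stdin and print the PIDs whose
# command name is exactly "slapd". Kept as a filter so it can be tested
# against captured output. Usage on the server: ps -eo pid,comm | slapd_pids
slapd_pids() {
  awk '$2 == "slapd" { print $1 }'
}

# ldap_answers HOST: anonymous (-x) base-scope search of the suffix entry with
# a 5 second network and search time limit. Returns 0 when the server answers.
# Needs ldapsearch from ldap-utils (OpenLDAP).
ldap_answers() {
  ldapsearch -x -H "ldap://$1" -b "$LDAP_BASE" -s base \
    -l 5 -o nettimeout=5 '(objectClass=*)' dn >/dev/null 2>&1
}

# check_host HOST: print a one-line verdict; non-zero exit when unhealthy.
check_host() {
  if ldap_answers "$1"; then
    echo "$1: OK, answers queries"
    return 0
  fi
  echo "$1: FAILED, not answering (check slapd with ps on $1, then /etc/init.d/slapd restart)"
  return 1
}

# When given hostnames on the command line, check each one:
#   sh ldap-check.sh fluffy.socs.uoguelph.ca norberta.socs.uoguelph.ca
if [ "$#" -gt 0 ]; then
  rc=0
  for h in "$@"; do
    check_host "$h" || rc=1
  done
  exit "$rc"
fi
```

Run it from a client such as snowhite to confirm the symptom really is LDAP before touching the servers; on the LDAP VM itself, pipe ps into slapd_pids to get the conclusive answer the page describes.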

Re-starting the LDAP Server

Rebooting the machine, or running the following command as root on the LDAP server, will restart slapd:

/etc/init.d/slapd restart

LDAP Organization

The LDAP directory stores the SoCS user accounts and groups, as well as the DHCP and DNS databases.

User Accounts

User accounts are all stored in the ou=People organizational unit. They are grouped together by UID number as follows:

  • Faculty and Staff: 2000-3999
  • Graduate Students: 4000-4999
  • Undergraduate Students enrolled in a non-service course: 5000-9999
  • Undergraduate Students only enrolled in a service course: 10000+
  • Guest accounts: 28000+

Groups

LDAP groups are stored in the ou=Groups organizational unit. The SoCS LDAP uses the “memberUid” convention for group memberships and does not support “memberOf”. The SoCS LDAP contains groups for faculty, staff, grads and undergrads, courses, course TAs, and staff roles. They are organized as follows:

  • Faculty: cn=faculty
  • Staff: cn=csstaff
  • Undergraduates: cn=undergrad
  • Graduates: cn=grad
  • Courses: cn=cs#### where #### is the course ID. Course groups have a GID number of 3### where ### is the first three digits of the course code
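Because the directory has no “memberOf”, a user's groups have to be found by searching ou=Groups for entries that list the user in memberUid. The script below is an added example, not from the original page, covering both the UID-range table under User Accounts and the group conventions above: it classifies a uidNumber, derives a course group's GID from its course code, and builds the memberUid search filter. Values substituted into a filter are escaped per RFC 4515 so that a username containing “*”, “(” or “)” cannot change the meaning of the query. The suffix dc=socs,dc=uoguelph,dc=ca comes from the DHCP/DNS DNs on this page; that group entries carry the posixGroup object class is an assumption.

```sh
#!/bin/sh
# Added example (not from the wiki page): helpers matching the SoCS LDAP layout.
# Assumes suffix dc=socs,dc=uoguelph,dc=ca and posixGroup group entries.

BASE="dc=socs,dc=uoguelph,dc=ca"
LDAP_HOST="${LDAP_HOST:-fluffy.socs.uoguelph.ca}"   # primary server from the page

# uid_category N: account class by uidNumber, per the User Accounts table.
# Guest (28000+) is tested before service-course undergrads (10000+) since
# the two ranges overlap.
uid_category() {
  n=$1
  if   [ "$n" -ge 2000 ]  && [ "$n" -le 3999 ]; then echo "faculty/staff"
  elif [ "$n" -ge 4000 ]  && [ "$n" -le 4999 ]; then echo "graduate"
  elif [ "$n" -ge 5000 ]  && [ "$n" -le 9999 ]; then echo "undergraduate (non-service course)"
  elif [ "$n" -ge 28000 ]; then echo "guest"
  elif [ "$n" -ge 10000 ]; then echo "undergraduate (service course only)"
  else echo "unknown"
  fi
}

# course_gid CODE: GID of a course group is 3### where ### are the first
# three digits of the course code, e.g. cs2750 -> 3275.
course_gid() {
  code=${1#cs}
  echo "3$(printf '%s' "$code" | cut -c1-3)"
}

# ldap_filter_escape VALUE: escape the characters RFC 4515 reserves inside a
# filter assertion value (backslash first, so the escapes themselves survive).
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# groups_of_filter USER: the memberUid search that stands in for memberOf.
groups_of_filter() {
  printf '(&(objectClass=posixGroup)(memberUid=%s))\n' "$(ldap_filter_escape "$1")"
}

# groups_of USER: run the search against ou=Groups and print the group names.
# Needs ldapsearch (ldap-utils).
groups_of() {
  ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -b "ou=Groups,$BASE" \
    "$(groups_of_filter "$1")" cn | sed -n 's/^cn: //p'
}

# Usage: sh ldap-groups.sh USERNAME
if [ "$#" -gt 0 ]; then
  groups_of "$1"
fi
```

Services that need to check a user's group (for example a web server restricting access to cn=csstaff) should issue this memberUid search rather than expecting a memberOf attribute on the user entry, and should escape the username the same way whenever it comes from user input.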

DHCP

DHCP information is kept in the ou=DHCP organizational unit. There are two SoCS networks, one public and one private, stored within the DHCP subtree. They have the following DNs:

  • SoCS Public cn=131.104.48.0,cn=SOCS,ou=DHCP,dc=socs,dc=uoguelph,dc=ca
  • SoCS Private cn=192.168.100.0,cn=SOCS,ou=DHCP,dc=socs,dc=uoguelph,dc=ca

Each network has a DHCP pool under its cn=pool entry, as well as static DHCP leases for particular hosts under cn=<HOSTNAME>,cn=hosts.

The DHCP server automatically pulls the updated information as soon as it has been saved in the LDAP database.

DNS

Forward DNS for socs.uoguelph.ca and reverse DNS for the 131.104.48.0/23 and 192.168.100.1/24 subnets are stored in the LDAP, within the ou=DNS organizational unit.

After a DNS record is added to the directory, the version (serial) number on the relativeDomainName=@ entry of each modified zone must be incremented. The DNS server then reloads the zones from the database every hour, on the hour. Running /usr/local/sbin/update-zone.sh forces the refresh to happen immediately.
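Forgetting to bump the serial is the usual reason a DNS change "does not take". The script below is an added example, not from the original page, that computes a new YYYYMMDDnn serial from the current one, rewrites the SOA record for the zone's relativeDomainName=@ entry via ldapmodify, and then runs the page's update-zone.sh. It assumes the directory uses the dNSZone schema (DNs of the form relativeDomainName=@,zoneName=<zone>,ou=DNS,…, with the serial as the third field of the sOARecord attribute) and that the modification is made with an admin bind DN supplied in LDAP_BINDDN; the SOA value in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the wiki page): bump a zone's SOA serial in LDAP.
# Assumes the dNSZone schema: DN relativeDomainName=@,zoneName=ZONE,ou=DNS,...
# and an sOARecord of the form "mname rname serial refresh retry expire minimum".

DNS_BASE="ou=DNS,dc=socs,dc=uoguelph,dc=ca"
LDAP_HOST="${LDAP_HOST:-fluffy.socs.uoguelph.ca}"
LDAP_BINDDN="${LDAP_BINDDN:-cn=admin,dc=socs,dc=uoguelph,dc=ca}"   # assumed admin DN

# next_serial CURRENT [TODAY]: YYYYMMDDnn convention. If CURRENT already has
# today's date prefix, increment the two-digit counter; otherwise start at 01.
# TODAY is a parameter so the function can be tested with a fixed date.
next_serial() {
  cur=$1
  today=${2:-$(date +%Y%m%d)}
  case $cur in
    "$today"[0-9][0-9])
      n=${cur#"$today"}
      n=${n#0}                     # avoid "08"/"09" being read as octal
      printf '%s%02d\n' "$today" "$((n + 1))"
      ;;
    *)
      printf '%s01\n' "$today"
      ;;
  esac
}

# bump_soa SOA [TODAY]: replace the serial (third field) of an SOA value.
bump_soa() {
  today=$2
  set -- $1
  [ "$#" -eq 7 ] || { echo "bump_soa: malformed SOA record" >&2; return 1; }
  printf '%s %s %s %s %s %s %s\n' "$1" "$2" "$(next_serial "$3" "$today")" "$4" "$5" "$6" "$7"
}

# soa_ldif ZONE SOA: LDIF that replaces the zone apex SOA with the given value.
soa_ldif() {
  printf 'dn: relativeDomainName=@,zoneName=%s,%s\nchangetype: modify\nreplace: sOARecord\nsOARecord: %s\n' \
    "$1" "$DNS_BASE" "$2"
}

# bump_zone ZONE: read the current SOA, write the bumped one, force a reload.
# Needs ldapsearch/ldapmodify (ldap-utils); prompts for the bind password.
bump_zone() {
  zone=$1
  cur=$(ldapsearch -x -LLL -H "ldap://$LDAP_HOST" \
          -b "relativeDomainName=@,zoneName=$zone,$DNS_BASE" -s base sOARecord \
        | sed -n 's/^sOARecord: //p')
  [ -n "$cur" ] || { echo "no SOA found for zone $zone" >&2; return 1; }
  new=$(bump_soa "$cur") || return 1
  soa_ldif "$zone" "$new" | ldapmodify -x -W -D "$LDAP_BINDDN" -H "ldap://$LDAP_HOST" || return 1
  echo "$zone: serial bumped, new SOA: $new"
  /usr/local/sbin/update-zone.sh
}

# Usage: sh bump-zone.sh socs.uoguelph.ca
if [ "$#" -gt 0 ]; then
  bump_zone "$1"
fi
```

For a reverse zone, pass the in-addr.arpa zone name as it appears in the zoneName attribute; if the directory's DN layout differs from the dNSZone form assumed here, adjust DNS_BASE and the DN built in soa_ldif accordingly.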

New LDAP Server

Kerberos Setup

First, create a new computer object in Active Directory:

dsadd computer "cn=${COMPUTERNAME},${COMPUTER_OU}" -samid ${COMPUTERNAME}$

Then create the SPNs for the host and for any additional services or accounts.

For the host SPN:

ktpass /princ host/${COMPUTERNAME}.socs.uoguelph.ca@CFS.UOGUELPH.CA /out ${COMPUTERNAME}.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CFS\${COMPUTERNAME}$ +setupn +rndPass +setpass +answer

For additional SPNs (appending to the keytab produced by the previous step):

ktpass /princ <service>/${COMPUTERNAME}.socs.uoguelph.ca@CFS.UOGUELPH.CA /in ${EXISTING_KEYTAB} /out ${COMPUTERNAME}.keytab /crypto All /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CFS\${COMPUTERNAME}$ -setupn /pass -setpass +answer

There's a script that does all of this in Kyle's home folder. FIXME put it somewhere central

sysadmin/todo/services/internal/ldap.txt · Last modified: 2024/03/27 15:38 by 127.0.0.1