Directory server LDAP

A part of the IAM appliance (since version 0.6) is the OpenLDAP directory server. It is used by the appliance itself, but it can also supply data to other infrastructure applications, e.g., authentication servers (RADIUS, etc.), Linux-based operating systems, external access managers, etc.

Directory server control

In the IAM appliance, the directory server runs as the service iam-directory-server.service. It is controlled in the same way as the other appliance services, using systemctl. The directory server service must always be running; otherwise users will not be able to authenticate to the other services of the appliance.

LDAP has its own database, which is backed up regularly.

  • iam-directory-server-backup.service - The service that creates backups; it also handles backup retention. It creates two backup files, a configuration backup and a data backup.

  • iam-directory-server-backup.timer - The scheduled task configuration. It defines the interval at which iam-directory-server-backup.service is run.

Backup status

Backups are created in the directory /data/volumes/directory-server/backup/ as gzipped LDIF files. The status of the backup task can be checked with these commands:

[root@localhost ~]# systemctl status iam-directory-server-backup.service
[root@localhost ~]# systemctl status iam-directory-server-backup.timer
[root@localhost ~]# systemctl list-timers --all

Enable regular backups

To enable regular backups, start the timer and enable its automatic start at OS boot. Disable it the same way, using the stop and disable commands instead.

[root@localhost ~]# systemctl start iam-directory-server-backup.timer
[root@localhost ~]# systemctl enable iam-directory-server-backup.timer

A backup can be created ad hoc by manually starting iam-directory-server-backup.service. The service first performs backup retention and then creates a new backup.

Recover from backup

Recovery must be performed manually. During recovery, user authentication and user profile data are unavailable. Already logged-in users can continue working with the appliance. Some applications (e.g., CzechIdM) will notify the user that the directory server is unavailable.

The recovery process usually takes several minutes.

  1. Switch to the directory server container.

    [root@localhost ~]# docker exec -it directory-server bash
  2. Check that the backups are visible in the container and choose the backups you want to recover.

    root@directory-server:/# ls -l /data/backup/
    total 28
    -rw-------. 1 root root 23052 Mar  2 11:46 20210302T114658-config.gz
    -rw-------. 1 root root   742 Mar  2 11:46 20210302T114659-data.gz
  3. Recover the LDAP configuration backup. The restore script expects the backup file name without a path.

    root@directory-server:/# rm -r /etc/ldap/slapd.d/cn*
    root@directory-server:/# /sbin/slapd-restore-config 20210204T090611-config.gz
  4. Recover the LDAP data backup. The restore script expects the backup file name without a path.

    root@directory-server:/# rm /var/lib/ldap/*
    root@directory-server:/# /sbin/slapd-restore-data 20210204T090615-data.gz

Backup encryption

This function is available in iam-app-directory-server since version 0.2-0. It can only be used with container image bcv-openldap:1.4.0-r2 or newer. The image version can be found in the service configuration (file /data/registry/node-active-config/docker-compose-directory-server.yml).

During the update installation, a new encryption key for backups is generated. This key is unique and can be used immediately. If you want to change it, run the following command.

[root@localhost ~]# openssl rand -base64 32 > /data/volumes/directory-server/secrets-enc/ldap-backup-symkey.pwfile

Backup encryption must be activated at the container level.

  1. Edit the file /data/registry/node-active-config/docker-compose-directory-server.yml.

    • Set the variable LDAP_ENCRYPT_BACKUP to value true.

  2. Stop the CAS service using systemctl stop iam-cas.

  3. Restart the LDAP service using systemctl restart iam-directory-server.

  4. Start the CAS service using systemctl start iam-cas.

  5. The next backup created will be encrypted.

You can tell whether a backup is encrypted by its file suffix. Unencrypted backups have the suffix .gz; encrypted ones have the suffix .gz.e. Recovery from an encrypted backup is done in the same way as from an unencrypted one. The recovery scripts recognize that a backup is encrypted and attempt to decrypt it using the available key.
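The following audit script is an added example and is not part of the IAM appliance or its backup services. It checks the backup directory and key file described above: it reports the newest configuration and data backup, flags plaintext .gz backups that remain on disk after encryption was enabled, and verifies that the symmetric key file is readable only by its owner. It assumes the <timestamp>-config.gz[.e] and <timestamp>-data.gz[.e] naming shown in the recovery section; the paths default to those on this page.

```shell
#!/bin/sh
# Added example, not part of the IAM appliance: audit the LDAP backup
# directory from this page. Reports the newest config/data backup and
# flags plaintext (.gz) backups left behind after encryption was enabled.
# Assumes the <timestamp>-config.gz[.e] / <timestamp>-data.gz[.e] names
# shown above; BACKUP_DIR and KEY_FILE default to the paths on this page.
BACKUP_DIR="${BACKUP_DIR:-/data/volumes/directory-server/backup}"
KEY_FILE="${KEY_FILE:-/data/volumes/directory-server/secrets-enc/ldap-backup-symkey.pwfile}"

# newest_backup <dir> <config|data>: newest matching file name, or nothing.
newest_backup() {
    ls "$1" 2>/dev/null | grep -E "^[0-9T]+-$2\.gz(\.e)?$" | sort | tail -n 1
}

# count_unencrypted <dir>: number of plaintext .gz backups still on disk.
count_unencrypted() {
    ls "$1" 2>/dev/null | grep -Ec '^[0-9T]+-(config|data)\.gz$' || true
}

# key_perms_ok <file>: true if the symmetric key exists and is owner-only.
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# audit_backups <dir> <keyfile>: print a summary; return 1 if a backup
# kind is missing or plaintext backups remain although a key is present.
audit_backups() {
    dir=$1; key=$2; rc=0
    for kind in config data; do
        f=$(newest_backup "$dir" "$kind")
        if [ -z "$f" ]; then
            echo "MISSING: no $kind backup in $dir"; rc=1
        else
            case "$f" in
                *.gz.e) echo "OK: newest $kind backup $f (encrypted)" ;;
                *)      echo "WARN: newest $kind backup $f is unencrypted" ;;
            esac
        fi
    done
    n=$(count_unencrypted "$dir")
    if [ -f "$key" ] && [ "$n" -gt 0 ]; then
        echo "WARN: $n plaintext backup(s) remain although a key is present"; rc=1
    fi
    key_perms_ok "$key" || echo "WARN: key $key is missing or group/world readable"
    return $rc
}
# Run against the live appliance: sh audit-ldap-backups.sh --run
if [ "${1:-}" = "--run" ]; then audit_backups "$BACKUP_DIR" "$KEY_FILE"; fi
```

Run it on the appliance host after enabling encryption; a non-zero exit status means the latest backups are not in the expected state.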