IAM appliance - iam-app-directory-server

RPM package with OpenLDAP container (openldap-docker) to be used as a primary user store for CAS Access Manager. The container originally comes from osixia/openldap-backup but we have our own fork.

The czechidm and cas services depend on this package.

RPM is built "the usual way" using the bcv-rpmbuild container.

Service

This RPM adds directory-server service into the IAM appliance.

Directory structure

  • /data/volumes/directory-server/data - OpenLDAP MDB database

  • /data/volumes/directory-server/config - OpenLDAP OLC (configuration) database

  • /data/volumes/directory-server/secrets-pwfiles - bootstrap password for admin and readonly users cn=admin,dc=iamappliance (user administration), cn=admin,cn=config (config administration), cn=cas,dc=iamappliance (read-only user for CAS). If the password don’t exist, package creates them automatically during its installation.

  • /data/volumes/directory-server/secrets-certs - LDAPS certificate and private key. There are also a chain.pem and dhparam.pem files. DHparam file is generated automatically during the first start of the container.

  • /data/volumes/directory-server/secrets-enc - Encrypted backups key ldap-backup-symkey.pwfile is located here. File is generated automatically if it does not exist.

  • /data/volumes/directory-server/backup - Backups are stored here.

  • /data/logs/directory-server - Logs are stored here.

    • This directory must have correct SElinux labels. RPM package installation script handles this automatically by executing semanage fcontext …​.

Configuration files

  • /data/registry/node-active-config/docker-compose-directory-server.yml - container compose file

  • /etc/rsyslog.d/10_directory-server.conf - syslog configuration for the container to send logs to dedicated files on the filesystem

  • /etc/logrotate.d/directory-server - logrotate configuration

Controlling the service

  • systemd unit is located in /usr/lib/systemd/system/iam-directory-server.service so the command systemctl start/stop/enable/disable works as expected.

  • Start of the service calls docker-compose …​ up, which starts/creates/recreates the container as needed.

  • Backups

    • Periodic backups are executed once a day by systemd timer /usr/lib/systemd/system/iam-directory-server-backup.timer and /usr/lib/systemd/system/iam-directory-server-backup.service unit.

    • Backup can be executed manually with systemctl start iam-directory-server-backup.service.

    • Backups are compressed.

    • Backups older than 7 days are automatically deleted.

    • Restore from backup needs manual action of the administrator.

Dependencies

  • Service does not have any installation dependencies.

  • Service does not have any runtime dependencies.

Kinks and quirks

  • First start of the container initializes whole slapd instance. Its configuration is directly in the cn=config inside the LDAP server. Static files in /etc/ldap/schema are used only during this initialization phase and have no other effect.

  • Auto-generation of dhparam.pem (and other files) is done only on the first init of the LDAP database.

  • Container contains runit, cron, slapd and syslog-ng so it does not conform to our container requirements wiki. But it is the only sensible way of doing LDAP recovery with running container and stopped slapd.

Backup and restore

  • Make sure you have correct backup. Create special new backup right before the restore operation to preserve original (even if undesirable) state.

  • If you use encrypted backups and you are planning to change the encryption key, save the original ldap-backup-symkey.pwfile so you can still access your historical backups.

  • Use slapd-backup-config and slapd-backup-data to backup the LDAP server.

  • Use slapd-restore-config and slapd-restore-data to restore the LDAP server. Those scripts use slapadd internally and you must delete the original LDAP databases beforehand. Whole restore procedure then looks like this:

    root@directory-server:/# rm -r /etc/ldap/slapd.d/cn*
root@directory-server:/# /sbin/slapd-restore-config 20210204T090611-config.gz
root@directory-server:/# rm /var/lib/ldap/*
root@directory-server:/# /sbin/slapd-restore-data 20210204T090615-data.gz

    Encrypted backup have .gz.e suffix.