ldap by hosts

These are some things I recently ran into when trying to restrict a certain ldap user to a certain number of hosts.

For example, at the school we have a cluster where we may only want the parallel processing students to have access, cadence where we may only want vlsi students to have access, and our main server where we want everyone to have access.

Here’s the preliminary way that seems to work.  Here, I assume most of your ldap is already set up.

First, add the account objectclass to your user.  You may need to do some mangling here (for example if you use the inetorgperson objectclass).  You can create your own joined schema for this.  The reason you want the account objectclass is so you have access to the host attribute.

Next, for every user, add the restricted hosts you want that user to have access to.  For example, for the cluster I add a host=skynet.coe.isu.edu attribute.

Finally, on skynet.coe.isu.edu, in ldap.conf, add

pam_check_host_attr yes
pam_filter |(host=skynet.coe)

On our main server, do not add these lines: they are what restricts logins to users whose host attribute names that host, so a server without them lets everyone with an account in.
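As an added illustration (not code from the post or from pam_ldap itself), here is a small Python model of the decision pam_check_host_attr makes, run over constructed entries. It assumes the check passes when the entry's host attribute contains the local hostname or the "*" wildcard and fails otherwise, including for entries that have no host attribute, and that leaving the check off, as on the main server, admits everyone; the sample DNs and the add_host_ldif helper are mine. As the post notes, adding the account objectclass next to inetorgperson may need a joined schema first, so the helper covers the plain case only.

```python
"""
Model of the pam_check_host_attr decision (illustration, not pam_ldap code).

Assumptions, marked here because they are mine and not the post's:
- login is allowed when the entry's host attribute contains the local
  hostname or "*", and denied otherwise, including when the entry carries
  no host attribute at all;
- entries are dicts of attribute -> list of values, as a decoded LDAP
  search result usually looks.
"""

# Constructed sample entries (not real accounts).
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=myldap,dc=org": {
        "objectClass": ["account", "posixAccount"],
        "host": ["skynet.coe.isu.edu"],
    },
    "uid=bob,ou=people,dc=myldap,dc=org": {
        "objectClass": ["account", "posixAccount"],
        "host": ["cadence.coe.isu.edu", "skynet.coe.isu.edu"],
    },
    "uid=carol,ou=people,dc=myldap,dc=org": {
        "objectClass": ["account", "posixAccount"],
        "host": ["*"],  # wildcard: accepted on every host that checks
    },
    "uid=dave,ou=people,dc=myldap,dc=org": {
        "objectClass": ["inetOrgPerson"],  # no account objectClass, no host
    },
}


def host_allowed(entry, hostname, check_host_attr=True):
    """Return True if `entry` may log in on `hostname`.

    With check_host_attr=False (the main-server case in the post) every user
    is accepted.  With it on, a missing or non-matching host attribute denies.
    """
    if not check_host_attr:
        return True
    hosts = [h.lower() for h in entry.get("host", [])]
    return "*" in hosts or hostname.lower() in hosts


def allowed_users(entries, hostname, check_host_attr=True):
    """Sorted DNs from `entries` that pass the check on `hostname`."""
    return sorted(
        dn for dn, attrs in entries.items()
        if host_allowed(attrs, hostname, check_host_attr)
    )


def add_host_ldif(dn, hostname):
    """ldapmodify input for the two steps in the post: add the account
    objectClass, then add one host value (hypothetical helper)."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: account\n"
        "-\n"
        "add: host\n"
        f"host: {hostname}\n"
    )


if __name__ == "__main__":
    for host in ("skynet.coe.isu.edu", "cadence.coe.isu.edu"):
        print(host, "->", allowed_users(SAMPLE_ENTRIES, host))
    print("main server ->",
          allowed_users(SAMPLE_ENTRIES, "main.coe.isu.edu", check_host_attr=False))
    print(add_host_ldif("uid=dave,ou=people,dc=myldap,dc=org", "skynet.coe.isu.edu"))
```

Running it shows the point of the last paragraph: on the cluster only alice, bob and carol get in, on cadence only bob and carol, and with the check off dave is admitted too.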

The easiest way to backup an ldap database

slapcat.

There are a lot of ways to do this, and I have experimented with several.

For example, you can copy the master’s database files to the replica.  But this comes with some restrictions:

1. Both hosts must have compatible versions of the dbm libraries.
2. Both hosts must be roughly the same architecture.
3. Some methods of copying sparse dbm files (e.g. copy) will fill in the holes, making the files larger.

A more general way to back up an ldap database or to replicate the db is slapcat.  e.g.

root@master # slapcat -b "dc=myldap,dc=org" -l backupcontents.ldif
#… copy backupcontents.ldif to backup or slave
#Then, to restore or add or whatever
root@slave # slapadd -l backupcontents.ldif

Get Mail List from LDAP

Although bash is my first scripting language, it seems I am becoming more and more of a python convert. Today I needed to send an email to everyone with an account on my ldap server. Normally, I would have used something like sed and bash. Although I did still end up using bash, I forced myself to write the regular expression part in python.

The idea with languages like python is to make it so that it’s easier to write your own bit of code to do what you want than it would be to find someone else’s code and use it. This code is probably pretty useless to most people. It is not even a little efficient. But who knows, it may help a budding sysadmin who is just starting to write his own scripts. And by blogging it, hopefully I know where to find it for next time.

Here is the script to pull out users’ email addresses, one per line (which is exactly the type of file my mail client will accept to make an email list):

"""
mailfind.py

This program was written to get all the email addresses from raw input
and print them onto the screen
"""
import re
    while 1:
        try:
            line = raw_input() + 'n'
            string = re.search(r"(w*.)?w*@w*.w*",line)
            try:
                print string.group()
            except:
                continue

        #this should only happen on the last iteration
        except:
            break

I ended up just using some trivial bash stuff to do some of the processing. This would be pretty easy to build into the python, but it was even easier to put it in good old familiar and unmanageable bash.

#!/bin/bash
slapcat | ./mailfind.py | sort | uniq
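The regex above runs over raw slapcat output, so it misses addresses that slapcat writes base64-encoded (mail:: ...) or folds across a continuation line, and it never looks at what else the dump holds. As an added example, serving both the backup post above and this one (my code, not the post's), here is a minimal LDIF reader that extracts the mail attribute by parsing the format and reports which sensitive attributes a slapcat backup contains, since the dump carries password hashes and the file deserves restricted permissions. The sample LDIF is constructed, and the attribute name mail is an assumption.

```python
"""
Minimal LDIF reader for slapcat output (illustration, not the post's code).

Handles folded lines (continuation starts with one space), base64 values
("attr:: value"), comment lines and blank-line entry separators.  Attribute
names are stored lower-cased, since LDAP treats them case-insensitively.
"""
import base64
import re

# Constructed slapcat-style dump: an ou, a user with a plain mail value, one
# with a base64 mail value, and one whose mail value is folded over two lines.
SAMPLE_LDIF = """\
dn: ou=people,dc=myldap,dc=org
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=myldap,dc=org
objectClass: account
objectClass: posixAccount
uid: alice
mail: alice@myldap.org
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
host: skynet.coe.isu.edu

dn: uid=bob,ou=people,dc=myldap,dc=org
objectClass: inetOrgPerson
uid: bob
mail:: Ym9iQG15bGRhcC5vcmc=
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: uid=carol,ou=people,dc=myldap,dc=org
objectClass: inetOrgPerson
uid: carol
mail: carol@my
 ldap.org
"""

# Attributes whose presence means the dump must be protected like a shadow file.
SENSITIVE = ("userpassword", "sambantpassword", "sambalmpassword")


def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased name -> [values]."""
    unfolded = re.sub(r"\n ", "", text)          # join continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue                         # not an attribute line
            if value.startswith(":"):            # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            yield dn, attrs


def mail_addresses(text, attribute="mail"):
    """Sorted, de-duplicated addresses: what `slapcat | ... | sort | uniq` aims for."""
    found = set()
    for _dn, attrs in parse_ldif(text):
        found.update(v.lower() for v in attrs.get(attribute, []))
    return sorted(found)


def backup_summary(text):
    """Entry count plus the sensitive attributes present in the dump."""
    count, sensitive = 0, set()
    for _dn, attrs in parse_ldif(text):
        count += 1
        sensitive.update(a for a in attrs if a in SENSITIVE)
    return {"entries": count, "sensitive": sorted(sensitive)}


if __name__ == "__main__":
    import sys
    # Real data: slapcat | python3 ldif_mail.py   (the sample is used otherwise)
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    print(backup_summary(text))
    print("\n".join(mail_addresses(text)))
```

On the sample the summary reports four entries and a userPassword attribute, and all three addresses come out, including bob's encoded one and carol's folded one, which the line-oriented regex would have missed.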

Awesome. Now I have my mail addresses to use for my black-market viagra selling business.