User:BryanDavis/LDAP

From Wikitech

Notes on using LDAP.

Easy CLI queries

I have a shell alias for running ldapsearch which tells it to use a simple (here anonymous) bind and LDAPv3, print bare LDIF with no comments or version line, request paged results with a large page size and no prompting before fetching the next page, and never wrap long lines:

$ alias ldap='ldapsearch -xLLL -P 3 -E pr=5000/noprompt -o ldif-wrap=no -b"dc=wikimedia,dc=org"'
$ ldap uid=bd808 cn
dn: uid=bd808,ou=people,dc=wikimedia,dc=org
cn: BryanDavis

Decoding base64 entries

ldapsearch's LDIF output base64-encodes any value that is not plain safe ASCII (RFC 2849), so non-ASCII values come back as base64 strings. Developer accounts with Unicode characters in their cn (wikitech username) values are a common example of this in our directory tree. ldapsearch marks base64 values with two colons after the attribute name. I have a shell alias that ldapsearch results can be piped through which looks for these double colons and decodes the string. It relies on GNU awk, since the |& coprocess operator it uses is a gawk extension.

$ alias un64='awk '\''BEGIN{FS=":: ";c="base64 -d"}{if(/\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s:: \"%s\"\n", $1, $2); next} print $0 }'\'''
$ ldap uid=smccandlish displayName
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
displayName:: 4oCUIDxmb250IGZhY2U9IlRyZWJ1Y2hldCBNUyI+JycnW1tVc2VyOlNNY0NhbmRsaXNofFNNY0NhbmRsaXNoXV0nJycgJm5ic3A7PHNwYW4gc3R5bGU9IndoaXRlLXNwYWNlOm5vd3JhcDsiPltbVXNlciB0YWxrOlNNY0NhbmRsaXNofFRhbGvih5JdXSDJljxzdXA+PGJpZz7iip08L2JpZz48L3N1cD7XmzxzdXA+4oqZPC9zdXA+w74gPC9zcGFuPiA8c21hbGw+W1tTcGVjaWFsOkNvbnRyaWJ1dGlvbnMvU01jQ2FuZGxpc2h8Q29udHJpYi5dXTwvc21hbGw+PC9mb250PiA=
$ ldap uid=smccandlish displayName | un64
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
displayName:: "— <font face="Trebuchet MS">'''[[User:SMcCandlish|SMcCandlish]]''' &nbsp;<span style="white-space:nowrap;">[[User talk:SMcCandlish|Talk⇒]] ɖ<sup><big>⊝</big></sup>כ<sup>⊙</sup>þ </span> <small>[[Special:Contributions/SMcCandlish|Contrib.]]</small></font> "
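The same decoding as a standalone script, added here as a worked example (it is not the alias above or part of the original page): it unfolds RFC 2849 continuation lines, so it also works on output produced without -o ldif-wrap=no, only decodes lines whose prefix is an attribute name, and shows binary values (jpegPhoto, certificates) as a length and hex preview instead of writing raw bytes to the terminal. The LDIF lines used to exercise it are constructed.

```python
"""Decode base64 ("::") attribute values in ldapsearch LDIF output (RFC 2849)."""
import base64
import re
import sys

# Attribute description at the start of a line: a name or numeric OID, plus ;options.
ATTR_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(;[A-Za-z0-9-]+)*")


def unfold(lines):
    """Join RFC 2849 continuation lines (leading space) onto the line before them.
    ldapsearch folds values at 76 columns unless -o ldif-wrap=no is given."""
    buf = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and buf is not None:
            buf += line[1:]
            continue
        if buf is not None:
            yield buf
        buf = line
    if buf is not None:
        yield buf


def decode_line(line):
    """Return the line with its '::' value decoded, or unchanged if it has none."""
    attr, sep, b64 = line.partition(":: ")
    if not sep or not ATTR_RE.fullmatch(attr):
        return line  # plain value, or ':: ' inside a value rather than after a name
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # malformed base64: leave the line as the server sent it
        return line
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Binary attributes are not text; a size and hex preview is safe to print.
        return f"{attr}:: <binary, {len(raw)} bytes, hex {raw[:16].hex()}>"
    return f'{attr}:: "{text}"'


def un64(ldif_text):
    """Decode every base64 value in a block of LDIF text."""
    return "\n".join(decode_line(l) for l in unfold(ldif_text.splitlines(True)))


if __name__ == "__main__":  # usage: ldap uid=smccandlish displayName | python3 un64.py
    sys.stdout.write(un64(sys.stdin.read()) + "\n")
```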

Manual changes

ldap-modify.sh
#!/usr/bin/env bash
# Apply an LDIF change file to the read-write LDAP server, binding as novaadmin.
# The bind password is read from .ldap-password in the current directory (-y),
# so it never appears on the command line or in the set -x trace.
set -euxo pipefail
LDIF=${1:?Expected LDIF file to apply}

ldapmodify -v \
    -H 'ldap://ldap-rw.eqiad.wikimedia.org:389' \
    -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' \
    -y .ldap-password \
    -f "$LDIF"
$ ldap-modify.sh "$LDIF_FILE"

One way to find the password for uid=novaadmin is in the /etc/mediawiki/WikitechPrivateSettings.php file on a cloudweb server.