Notes on ZachFi

Adding LDAP Replication

Sun, 06 Jun 2021 16:13:02 -0700

https://tylersguides.com/guides/openldap-multi-master-replication/

Build the new jail

bastille create auth12 13.0-RELEASE 2001:n0p3:n0p3:20::123/120 lo1
bastille template auth12 larch/puppet

Copy the backup files to the new host.

cp /usr/local/bastille/jails/auth11/root/var/backups/ldap{,_confg}.db ~zach/

Move the files into place.

mv ~zach/ldap{,_config}.db /usr/local/bastille/jails/auth12/root/var/backups/
bastille console auth12

service slapd stop
rm /usr/local/etc/openldap/slapd.conf
rm -rf /usr/local/etc/openldap/slapd.d/*
slapadd -F /usr/local/etc/openldap/slapd.d/ -n0 -l /var/backups/ldap_config.ldif
slapadd -F /usr/local/etc/openldap/slapd.d/ -n1 -c -l /var/backups/ldap.ldif
service slapd start

Load the module.

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

Add all of the peers.

Schema troubles

Mon, 17 Feb 2020 14:30:18 -0800

Auth8 has been loosing some custom schema for some reason I haven’t been able to identify. I’m wondering if some upgrade caused some issue when I didn’t handle the upgrade properly, so perhaps loading the database from backup is the right move.

First, create a new jail for auth9 on olaf.

profile::jail::host::jails:
  auth9:
    ip4_addr: "%{hiera('profile::jail::host::default_interface')}|172.16.20.111/27"
    ip6_addr: "%{hiera('profile::jail::host::default_interface')}|2001:111:1111:20::515/120"
    properties:
      host_domainname: "l.znet"

Spin up the jail and sign the cert.

Replacing the auth jails

Sat, 29 Aug 2015 00:00:00 +0000

Reuk has been having trouble, and as I move to iocage I no longer want to dance around the idea that reuk is running a set of jails configured in one way, and the rest of my prod systems are running iocage in a different way. This will will remove the old style jails and convert everything to use iocage. These two jails (auth2 and auth3) both sit on reuk currently, and are some of the last to be converted because my jail provisioning system uses ldap as the data storage mechanism.

Crash Recovery

Thu, 14 May 2015 00:00:00 +0000

I’ve been moving from an internal ldap module to one in Puppet Labs. Through this process I’ve forgotten about sasl. Installing the openldap-client package on the system and upgrading heimdal to the latest version caused the packages to come from upstream repositories that do not have the custom options necessary to glue together heimdal and openldap.

ACL Recovery

Sun, 12 Oct 2014 17:26:31 +0000

I have managed to break everything.

Ensure /etc/hosts contains both IPv6 and IPv4 for the FQDN of the local server.

Don’t fuck up the ACL. Ensure that you allow unknown users to at least authenticate.

Configuration updates

Mon, 28 Apr 2014 21:27:26 +0000

The flags need modifying in rc.conf. For setting up auth3.znet, I needed the following:

slapd_flags='-h "ldaps://10.210.18.36/ ldaps://auth3.znet"'

This needs to contain the URL that is used as the olcServerID in the cn=config, otherwise slapd will not start.

SASL configuration

Sun, 02 Mar 2014 12:22:21 +0000

To allow passwords like {SASL}zach@ZNET for SASL pass-through, the correct permissions are needed.

chown :ldap /var/run/saslauthd

SASL config updates

Sat, 01 Mar 2014 17:06:24 +0000

Need to add:

pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux

to /usr/local/lib/sasl2/slapd.conf

ldapsearch -x -H ldaps://auth2.znet -b "" -s base supportedSaslMechanisms

Complete Redeploy

Mon, 17 Feb 2014 00:00:00 +0000

After applying puppet to install the needed packages and make sure the directories and such are in place, I used the fabric job build_new to deploy auth2.l.znet. The following was performed to get the server ready to serve clients.

The rc.conf configuration on the auth boxes have the following manual additions.

kerberos5_server_enable="YES"

slapd_enable="YES"
slapd_cn_config="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldaps://[2001:111:1111:1ab::18:4111]/ ldaps://10.210.18.35/"'
slapd_sockets="/var/run/openldap/ldapi"
slapd_krb5_ktname="/etc/krb5.keytab"

saslauthd_enable="YES"
saslauthd_flags="-a kerberos5"

Kerberos

Setting up the kerberos slave was pretty simple. On all slave kerberos servers, the following has been added to inetd.conf.