Ldap

UGCS uses LDAP to handle all of our "directory" information, including users, home directories, UIDs, etc. We have two LDAP servers that are supposed to keep each other synced: hera is our main server, and zeus is the slave.

Authentication for editing LDAP is done with Kerberos/GSSAPI. Sysadmins have full access to change everything; other users can only edit their own records.

ldapmodify is a very useful command that takes LDIF as input and lets you update anything in LDAP. ldapedit is a custom command we wrote that makes it easier to update your own settings.

Hera dumps its database once a day into a format that can be stored by other backup mechanisms (backing up the raw BDB files directly just produces garbage).

See also Ldap_Schema for customized LDAP schemas that we have.

Our LDAP servers are listed in a few places on each machine. Each file is distributed by cfengine. They are:
 * /etc/ldap/ldap.conf - contains the default server for ldapsearch operations
 * /etc/libnss-ldap.conf - contains the LDAP servers used for NSS lookups (usernames, UIDs, etc.)

Nagios tests

 * LDAP connection - makes sure it can bind to the database
 * LDAP backups (hera only) - makes sure the database has been backed up recently
 * LDAP sync - checks to make sure that the sync connection is working
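As an added example (not one of UGCS's actual Nagios plugins), here is a freshness check in the spirit of the "LDAP backups" test. It assumes the daily dump is an LDIF text file at the path given on the command line (or the placeholder BACKUP_PATH), and it exits with the usual Nagios OK/WARNING/CRITICAL codes.

```python
#!/usr/bin/env python3
"""Nagios-style freshness check for the daily LDAP dump on hera.

Added example, not UGCS's own check. Assumptions: the daily backup is an
LDIF text file (for instance a slapcat dump) at BACKUP_PATH, and exactly one
dump per day is expected, so a file older than the thresholds is a problem.
"""
import os
import sys
import time

BACKUP_PATH = "/var/backups/ldap/hera.ldif"   # assumed location, not UGCS's
WARN_HOURS = 26                               # one daily run slightly late
CRIT_HOURS = 36                               # a whole run has been missed

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def check_backup(path=BACKUP_PATH, warn_hours=WARN_HOURS,
                 crit_hours=CRIT_HOURS, now=None):
    """Return (exit_code, message) for the LDAP dump at `path`."""
    now = time.time() if now is None else now
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return CRITICAL, f"CRITICAL: no LDAP backup at {path}"
    if st.st_size == 0:
        return CRITICAL, f"CRITICAL: LDAP backup {path} is empty"
    # A usable dump contains at least one entry; look at the first 64 KiB
    # rather than reading a possibly large file.
    with open(path, "rb") as fh:
        head = fh.read(65536)
    if b"\ndn:" not in b"\n" + head:
        return CRITICAL, f"CRITICAL: {path} does not look like an LDIF dump"
    age_h = (now - st.st_mtime) / 3600.0
    if age_h > crit_hours:
        return CRITICAL, f"CRITICAL: LDAP backup is {age_h:.1f}h old (max {crit_hours}h)"
    if age_h > warn_hours:
        return WARNING, f"WARNING: LDAP backup is {age_h:.1f}h old (warn at {warn_hours}h)"
    return OK, f"OK: LDAP backup is {age_h:.1f}h old"


if __name__ == "__main__":
    code, msg = check_backup(*sys.argv[1:2])
    print(msg)
    sys.exit(code)
```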

Replication
NSS uses ldap-head as its primary server and ldap-backup as the secondary. However, there is a 5-second timeout: if the server is up but LDAP is down, this shouldn't be an issue, but if the server is nowhere to be found, you may have to wait for the timeout on every lookup. It's kind of a pain, but it works. Postfix on hermes relies on ldap-head only, as it doesn't seem to handle LDAP replication correctly.