With all the configurations ready, it’s time to create the first structures of our LDAP.
In this first structure I will create the groups:
- UserGroups: for normal users.
- AdminGroups: for users who are in some way admins.
- SecurityGroups: to organize the user groups (memberOf).
- ServiceGroups: users that will only be used by services, for example GitLab authenticating to Jenkins, etc.
I will also create a GitLabGroup group, which will contain all users who will have access to GitLab. As described above, this sub-group must live inside the SecurityGroups master group.
For now, I will only create my user and add it as a memberOf the GitLabGroup.
Remember the LDAP settings:
Create the LDIF file with the following structure (initial-devops-db.ldif). Each entry must be separated from the next by a blank line, otherwise ldapadd rejects the file:
mkdir -p /work/initial_users/
# Quoting the delimiter keeps the shell from expanding anything inside the LDIF.
cat << 'EOL' > /work/initial_users/initial-devops-db.ldif
## OUs
dn: ou=AdminGroups,dc=ldap,dc=devops-db,dc=info
objectclass: organizationalUnit
ou: AdminGroups

dn: ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
objectclass: organizationalUnit
ou: SecurityGroups

dn: ou=ServiceGroups,dc=ldap,dc=devops-db,dc=info
objectclass: organizationalUnit
ou: ServiceGroups

dn: ou=UserGroups,dc=ldap,dc=devops-db,dc=info
objectclass: organizationalUnit
ou: UserGroups

## Default human User Group
dn: cn=AllUsers,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
cn: AllUsers
gidnumber: 10000
objectclass: posixGroup

## Users
## The primary group (gidnumber) is the AllUsers posixGroup defined above.
dn: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
cn: Fausto Branco
gidnumber: 10000
givenname: Fausto
homedirectory: /home/fbranco
loginshell: /bin/bash
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
sn: Branco
uid: fbranco
uidnumber: 10000
## No quotes around the value: LDIF takes them literally, so "1234qwer" would
## make the quotes part of the password. slapd stores the value exactly as
## given; a hash produced with slappasswd -s <password> avoids storing it in clear.
userpassword: 1234qwer

## Group MemberOf
## groupOfNames requires cn and at least one member; the memberOf attribute
## seen on the user later is maintained by the server's memberof overlay.
dn: cn=GitLabGroup,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
cn: GitLabGroup
member: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
objectclass: groupOfNames
EOL
At this point you can run the ldapadd command from a host other than the LDAP server itself. If you use the URL without TLS there is nothing else to do; if you are going to use it with TLS, remember to have configured the CA certificate on that host. Note that -w puts the admin password in your shell history and in the process list; -W prompts for it instead.
$ ldapadd -x -H ldaps://ldap.devops-db.info:636 -D "cn=admin,dc=ldap,dc=devops-db,dc=info" -f /work/initial_users/initial-devops-db.ldif -w "JbBmKx#lK@ZX4*amqd5l"
adding new entry "ou=AdminGroups,dc=ldap,dc=devops-db,dc=info"
adding new entry "ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info"
adding new entry "ou=ServiceGroups,dc=ldap,dc=devops-db,dc=info"
adding new entry "ou=UserGroups,dc=ldap,dc=devops-db,dc=info"
adding new entry "cn=AllUsers,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info"
adding new entry "cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info"
adding new entry "cn=GitLabGroup,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info"
Now do an ldapsearch to validate the creation of the user. Note the + sign at the end of the command: it asks ldapsearch to return the operational attributes, which a plain search omits, and the one we are mainly looking for here is memberOf. If memberOf is missing from the output, the memberof overlay is not enabled on the server.
ldapsearch -v -x -H ldaps://ldap.devops-db.info:636 -b "cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info" -D "cn=admin,dc=ldap,dc=devops-db,dc=info" -w "JbBmKx#lK@ZX4*amqd5l" +
The output should look like the one below; note that the user is a memberOf the GitLabGroup group.
ldap_initialize( ldaps://ldap.devops-db.info:636/??base )
filter: (objectclass=*)
requesting: +
# extended LDIF
#
# LDAPv3
# base <cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info> with scope subtree
# filter: (objectclass=*)
# requesting: +
#
# Fausto Branco, UserGroups, ldap.devops-db.info
dn: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
structuralObjectClass: inetOrgPerson
entryUUID: 91aff622-8a4b-103e-9854-b56c07f2fb8e
creatorsName: cn=admin,dc=ldap,dc=devops-db,dc=info
createTimestamp: 20240408232920Z
entryCSN: 20240408232920.246905Z#000000#000#000000
modifyTimestamp: 20240408232920Z
memberOf: cn=GitLabGroup,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
modifiersName: cn=admin,dc=ldap,dc=devops-db,dc=info
entryDN: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
A normal search (without the +) should give this result, where you can also see the uid, which will be used for logins by the services and VMs that follow.
ldapsearch -v -x -H ldaps://ldap.devops-db.info:636 -b "cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info" -D "cn=admin,dc=ldap,dc=devops-db,dc=info" -w "JbBmKx#lK@ZX4*amqd5l"
ldap_initialize( ldaps://ldap.devops-db.info:636/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Fausto Branco, UserGroups, ldap.devops-db.info
dn: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
cn: Fausto Branco
gidNumber: 10000
givenName: Fausto
homeDirectory: /home/fbranco
loginShell: /bin/bash
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
sn: Branco
uid: fbranco
uidNumber: 10000
userPassword:: XXXXXXXXXXXXX
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
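To make the membership checks above repeatable, here is an added example (not code from the original post) that builds the ldapmodify LDIF for granting or revoking GitLabGroup access and checks an ldapsearch reply for a memberOf line. It assumes the DNs from this post; user_dn, member_ldif, unfold, member_of_groups and has_member_of are helper names chosen here, and the reply is a constructed sample, not a capture.

```shell
#!/bin/sh
# Added example, not from the original post. Works with the layout the post
# builds: users under ou=UserGroups, access groups (groupOfNames) under
# ou=SecurityGroups, membership read back through memberOf.
BASE_DN="dc=ldap,dc=devops-db,dc=info"
GITLAB_GROUP="cn=GitLabGroup,ou=SecurityGroups,$BASE_DN"

# DN of a human user, given the cn used as RDN in the post.
user_dn() { printf 'cn=%s,ou=UserGroups,%s\n' "$1" "$BASE_DN"; }

# LDIF for ldapmodify that grants (add) or revokes (delete) access by editing
# the group's member attribute. Usage (hypothetical helper):
#   member_ldif add "$GITLAB_GROUP" "$(user_dn 'Fausto Branco')" \
#     | ldapmodify -x -H ldaps://ldap.devops-db.info:636 -D "cn=admin,$BASE_DN" -W
member_ldif() {
  case "$1" in add|delete) ;; *) echo "member_ldif: op must be add or delete" >&2; return 1 ;; esac
  printf 'dn: %s\nchangetype: modify\n%s: member\nmember: %s\n-\n' "$2" "$1" "$3"
}

# ldapsearch folds values longer than 76 columns onto continuation lines that
# start with a space; join them back so DNs can be matched as whole lines.
unfold() {
  awk '/^ / { line = line substr($0, 2); next }
       NR > 1 { print line } { line = $0 } END { if (NR) print line }'
}

# List the groups an ldapsearch reply (run with +) reports in memberOf.
member_of_groups() { printf '%s\n' "$1" | unfold | sed -n 's/^memberOf: //p'; }

# True when the reply names the given group. -F/-x/-i: literal match of the
# whole line, case-insensitive, because DNs compare case-insensitively.
has_member_of() { member_of_groups "$1" | grep -Fxiq -- "$2"; }

# Constructed reply (not a real capture); the second memberOf value is folded.
SAMPLE='dn: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info
memberOf: cn=GitLabGroup,ou=SecurityGroups,dc=ldap,dc=devops-db,dc=info
memberOf: cn=AllUsers,ou=SecurityGroups,dc=ldap,
 dc=devops-db,dc=info
entryDN: cn=Fausto Branco,ou=UserGroups,dc=ldap,dc=devops-db,dc=info'

has_member_of "$SAMPLE" "$GITLAB_GROUP" && echo "fbranco has GitLab access"
```

Pipe the real `ldapsearch ... +` output into the same functions to audit which access groups a user actually belongs to.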