out-of-band semi-realtime LDAP enabled services
Thursday December 29th 2005, 5:12 pm
Filed under: Writings

After drooling over the setup that Active2 and JGC have created based on LDAP, I’ve decided to install my very own LDAP server. Normally one would connect several services directly to the LDAP server. This has one major drawback: if your LDAP service is down, all your services are down. For big LDAP installations, where there’s room for multiple slave LDAP servers, this isn’t really a problem, but for my network, where I can only afford to run one instance of LDAP, it is.

Since I do want my services to work based on configuration info out of LDAP, I’ve written several scripts that update various configurations throughout my network, but I still needed to start the updater scripts manually. This was not my preferred solution, since I want things to update in (semi) real time. So I’ve written a small script which reads the LDAP logfile and runs another script whenever an ADD, DEL or MOD operation is made on a certain DN.

Download: ldapdispatch

To use this script, make sure you’ve installed and configured syslog-ng to process the ldap logfile. Place ldapdispatch into an accessible directory (eg, /usr/local/sbin). Reference the syslog-ng.conf below:

source s_local {
        internal();
        unix-dgram('/var/run/log');
};

destination d_ldapdispatch {
        program('exec /usr/local/sbin/ldapdispatch >/dev/null 2>&1');
};

# 'and' binds tighter than 'or' in syslog-ng filters, so the three
# operation matches must be grouped together; otherwise any message
# containing DEL or MOD, from any program, would reach the dispatcher.
filter f_ldapdispatch {
        program('slapd') and (
                match('ADD') or match('DEL') or match('MOD')
        );
};

log {
        # add source(s_udp); here only if you also define such a source
        source(s_local);
        filter(f_ldapdispatch);
        destination(d_ldapdispatch);
};

Now configure /etc/ldapdispatch.conf, and add all the actions you want. Reference the example below:

zoneName=firstnet.example.com,ou=dnsdata,dc=example,dc=com|/root/bin/update_dns first_server
zoneName=secondnet.example.com,ou=dnsdata,dc=example,dc=com|/root/bin/update_dns second_server

/root/bin/update_dns is a script which ssh’s into a box and runs ldap2zone to retrieve the zone information from LDAP and turn it into a zonefile. The first line will run /root/bin/update_dns first_server whenever there’s a modification on the specified DN or one of its children. The second line does the same thing, except it’s triggered on a different DN and updates second_server.

Finally, start up syslog-ng. You should notice that there’s an extra python process running, namely ldapdispatch. Now have a look at /var/log/ldapdispatch.log and try to update your LDAP database. You should see that the dispatcher picks up the changes and starts running scripts within a second or so after you’ve modified something in your LDAP tree. Have fun :)
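The dispatcher logic described above, as an added Python example; this is not the ldapdispatch script from the post, which is not reproduced here. It parses the DN|command rules, extracts the operation and DN from each slapd log line, and matches the DN against each rule at RDN boundaries, so that children of the configured DN trigger the rule while similarly named siblings do not. The slapd log line shape (conn=N op=M MOD dn="..."), the sample log lines, the sample config text and the dry-run runner are constructed assumptions. It also shows the one check worth having in such a dispatcher: the DN comes from the log, and any LDAP client with write access chooses entry names, so the commands are taken from the config alone and never go through a shell.

```python
import re
import shlex
import subprocess

# Constructed sample of the /etc/ldapdispatch.conf format the post describes:
# one "<base DN>|<command>" rule per line.
CONFIG_TEXT = """\
zoneName=firstnet.example.com,ou=dnsdata,dc=example,dc=com|/root/bin/update_dns first_server
zoneName=secondnet.example.com,ou=dnsdata,dc=example,dc=com|/root/bin/update_dns second_server
"""

# Assumed shape of the slapd "stats" log lines that syslog-ng hands us:
#   ... slapd[pid]: conn=N op=M <ADD|DEL|MOD> dn="<dn>"
# Matching the operation token right in front of dn= (rather than the
# substring match in the syslog-ng filter) avoids firing on a DN whose
# value merely contains the letters MOD, ADD or DEL.
LOG_RE = re.compile(r'\b(ADD|DEL|MOD)\s+dn="([^"]*)"')


def normalise_dn(dn):
    """Split a DN into a tuple of RDNs, ignoring whitespace and case.

    Commas escaped with a backslash are part of an RDN value, not separators.
    Case-folding the whole RDN is a simplification: right for the attribute
    types used here, not for every LDAP syntax.
    """
    return tuple(p.strip().lower() for p in re.split(r'(?<!\\),', dn))


def parse_config(text):
    """Return [(base_rdns, argv), ...] for every non-empty, non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        base, command = line.split("|", 1)
        # The command is split once, here, into an argv list; nothing taken
        # from a log line is ever appended to it.
        rules.append((normalise_dn(base), shlex.split(command)))
    return rules


def parse_log_line(line):
    """Return (operation, rdns) for an ADD/DEL/MOD line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group(1), normalise_dn(m.group(2))


def is_under(rdns, base):
    """True if the DN is the base itself or one of its descendants.

    Comparing whole RDNs keeps "zoneName=notfirstnet..." from matching a rule
    for "zoneName=firstnet...", which a plain string endswith() would allow.
    """
    return len(rdns) >= len(base) and rdns[-len(base):] == base


def commands_for(line, rules):
    """argv lists of every rule whose base DN covers the DN in this log line."""
    parsed = parse_log_line(line)
    if parsed is None:
        return []
    _op, rdns = parsed
    return [argv for base, argv in rules if is_under(rdns, base)]


def dispatch(line, rules, runner=subprocess.run):
    """Run the matching commands; returns the argv lists that were dispatched."""
    matched = commands_for(line, rules)
    for argv in matched:
        # argv list, no shell: DN text written by LDAP clients never reaches
        # a shell, so a crafted entry name cannot alter the update command.
        runner(argv, check=False)
    return matched


if __name__ == "__main__":
    # Stand-alone dry run over constructed log lines; the real process would
    # read /etc/ldapdispatch.conf and loop over sys.stdin as fed by syslog-ng.
    SAMPLE_LOG = [
        'Dec 29 17:12:01 ldap slapd[4242]: conn=12 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128',
        'Dec 29 17:12:02 ldap slapd[4242]: conn=12 op=1 MOD dn="relativeDomainName=www,zoneName=firstnet.example.com,ou=dnsdata,dc=example,dc=com"',
        'Dec 29 17:12:03 ldap slapd[4242]: conn=12 op=2 DEL dn="zoneName=notfirstnet.example.com,ou=dnsdata,dc=example,dc=com"',
    ]
    rules = parse_config(CONFIG_TEXT)
    for entry in SAMPLE_LOG:
        dispatch(entry, rules, runner=lambda argv, **kw: print("would run:", argv))
```

Run as-is it prints only the first_server update for the second sample line: the BIND line carries no ADD/DEL/MOD, and the deleted sibling zone is outside both configured subtrees even though its DN string ends with the first rule's DN.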

This script was written just today, and since I’m so happy it works, I’m publishing it as-is for the moment (e.g. it is not yet listed with my other software). If this script is useful to you and you would like to be notified of updates, send me a mail.



mod_security enabled
Thursday December 08th 2005, 11:35 am
Filed under: Writings

This morning I’ve enabled mod_security on my http frontends. All denied requests will be taken to denied.ix.nl.eu.org, which has just one page telling you that your request has been denied. If you actually get to see this page while doing valid browsing on these machines, let me know. In all other cases, FU and get the hell off my servers.