Header Search Widget
IRIS

Instructional & Research Information Systems

LDAP

LDAP (Lightweight Directory Access Protocol) service

LDAP server upgrade, Monday Apr 29, 6pm

by

The IRIS LDAP servers (ldap.eecs.berkeley.edu) provide usernames and passwords for many EECS applications and servers. On Monday, April 29th at 6pm, we will be upgrading these servers and their related load balancers to Red Hat 8. We plan to gracefully fail the old servers over to the new with no loss of service. As part of this upgrade, new SSL certificates have also been installed. Those accessing our servers programmatically might notice the certificate upgrade, but most users should not see any changes.

Update April 29 6:20pm: The server switchover has been completed. The only issue so far was with a server that was trying to use an older security protocol, TLS 1.1. The new servers require a minimum of TLS 1.2. Please check this setting if you are having problems.

Temporary LDAP authentication failure

by

We experienced a failure of EECS LDAP authentication, from about 5:50pm to 10:30pm, due to routine patches changing some file permissions for saslauthd. The issue has been corrected, and LDAP authentication is working again.

The problem may have been most noticeable when attempting to login to various EECS web forms (e.g. system registration or user account request forms).

LDAP SSL/TLS changes

by

At this time, the department LDAP server ldap.eecs.berkeley.edu (aka ldap.cs.berkeley.edu) accepts implicit SSLv3 and TLS 1.0, 1.1 and 1.2 connections on port 636, and allow STARTTLS negotiation for the same protocols on port 389.

Beginning Tuesday, February 19th 2019 at 8am, our LDAP servers will no longer accept SSLv3 or TLSv1.0 connections. All clients must use TLS v1.1 or v1.2.

Please send any questions or problem reports to help@eecs.berkeley.edu.
[Read more…] about LDAP SSL/TLS changes

Power Failure in Soda Machine room 11:40am Dec 20

by

Contractors attempting to repair the UPS in our primary machine room tripped a breaker which disabled most IRIS services. Service has been mostly restored as of around 2:05pm.

The lists.eecs.berkeley.edu mailing list server is still being rebooted but should be back shortly.

Resolved as of 2017-12-20 14:07:00

LDAP upgrade tonight, 6pm

by

The LDAP servers behind the load balancer for ldap.eecs.berkeley.edu will be upgraded tonight between 6pm and 8pm. Beginning at 6pm a final backup will be made of the data on the old servers, loaded into the new servers, and then the old servers will be retired. No service interruption is expected as the load balancer will be used to route requests to the right machines during the transition.

This is a change in both operating system and OpenLDAP software version. We have been testing the new servers for several months and do not expect any problems, but please inform help@eecs if you have any issues after the upgrade.

One enhancement is the addition of the memberOf overlay. This puts a new attribute (memberOf) in each person’s record to reflect LDAP groups they are members of, and is needed for some authorization situations.

Unix groups and automount maps are now also published in LDAP. Documentation is being prepared which will describe how to configure sssd on Unix/Linux machines to use these new OUs in LDAP instead of NIS.
[Read more…] about LDAP upgrade tonight, 6pm

Campus losing power, IRIS services shutting down

by

Due to a fire threatening our transformers, PG&E has advised campus we will be losing power.

IRIS is taking proactive steps to shut down as much equipment safely before we totally lose power.

See https://www.nixle.us/9HHZX for the warning from UCPD.
[Read more…] about Campus losing power, IRIS services shutting down

LDAP issue affected IRIS website and other services

by

A network problem with one of our LDAP load balancers caused some intermittent problems with some Departmental services. This probably started overnight when a server was patched and restarted. This morning we had reports of intermittent problems with Repo, and the IRIS roster and network applications on iris.eecs. The problem has been identified and resolved for now. Around 12:10pm we had to restart the server that hosts the iris.eecs website and the Department jabber server, but all services are operational again at this time.

Resolved as of 2017-01-20 12:10:00

LDAP High-Availability Testing Wednesday 10pm

by

We are upgrading our [LDAP infrastructure](https://iris.eecs.berkeley.edu/news/10933-department-ldap-upgrade-thu-jan) to replace an old server with a new machine. This server is a backup node which should take over the role of the LDAP server if the primary server fails. In order to ensure the new server is performing as expected, we will be simulating a failure of the primary node at 10pm on Wednesday, June 17th. The backup node should take over within 5 seconds. If all goes as planned, we will then bring the primary back up and call it a successful test.

During this testing, there will be brief (~5 second) interruptions in LDAP service. This will occur at least twice but possibly more if the first test is unsuccessful. During those brief intervals, anyone whose timing is especially good might notice trouble logging into any application that uses LDAP.

All testing will be over by 10:30pm at the latest, but probably much sooner.
[Read more…] about LDAP High-Availability Testing Wednesday 10pm