LDAP

LDAP (Lightweight Directory Access Protocol) service

LDAP SSL/TLS changes

February 19, 2019 | Rob McNicholas

At this time, the department LDAP server ldap.eecs.berkeley.edu (aka ldap.cs.berkeley.edu) accepts implicit SSLv3 and TLS 1.0, 1.1 and 1.2 connections on port 636, and allow STARTTLS negotiation for the same protocols on port 389.

Beginning Tuesday, February 19th 2019 at 8am, our LDAP servers will no longer accept SSLv3 or TLSv1.0 connections. All clients must use TLS v1.1 or v1.2.

Please send any questions or problem reports to help@eecs.berkeley.edu.
[Read more…] about LDAP SSL/TLS changes

Power Failure in Soda Machine room 11:40am Dec 20

December 20, 2017 | Rob McNicholas

Contractors attempting to repair the UPS in our primary machine room tripped a breaker which disabled most IRIS services. Service has been mostly restored as of around 2:05pm.

The lists.eecs.berkeley.edu mailing list server is still being rebooted but should be back shortly.

Resolved as of 2017-12-20 14:07:00

LDAP upgrade tonight, 6pm

August 15, 2017 | Rob McNicholas

The LDAP servers behind the load balancer for ldap.eecs.berkeley.edu will be upgraded tonight between 6pm and 8pm. Beginning at 6pm a final backup will be made of the data on the old servers, loaded into the new servers, and then the old servers will be retired. No service interruption is expected as the load balancer will be used to route requests to the right machines during the transition.

This is a change in both operating system and OpenLDAP software version. We have been testing the new servers for several months and do not expect any problems, but please inform help@eecs if you have any issues after the upgrade.

One enhancement is the addition of the memberOf overlay. This puts a new attribute (memberOf) in each person’s record to reflect LDAP groups they are members of, and is needed for some authorization situations.

Unix groups and automount maps are now also published in LDAP. Documentation is being prepared which will describe how to configure sssd on Unix/Linux machines to use these new OUs in LDAP instead of NIS.
[Read more…] about LDAP upgrade tonight, 6pm

Campus losing power, IRIS services shutting down

August 2, 2017 | Rob McNicholas

Due to a fire threatening our transformers, PG&E has advised campus we will be losing power.

IRIS is taking proactive steps to shut down as much equipment safely before we totally lose power.

See https://www.nixle.us/9HHZX for the warning from UCPD.
[Read more…] about Campus losing power, IRIS services shutting down

LDAP issue affected IRIS website and other services

January 20, 2017 | Rob McNicholas

A network problem with one of our LDAP load balancers caused some intermittent problems with some Departmental services. This probably started overnight when a server was patched and restarted. This morning we had reports of intermittent problems with Repo, and the IRIS roster and network applications on iris.eecs. The problem has been identified and resolved for now. Around 12:10pm we had to restart the server that hosts the iris.eecs website and the Department jabber server, but all services are operational again at this time.

Resolved as of 2017-01-20 12:10:00

LDAP High-Availability Testing Wednesday 10pm

June 17, 2015 | Rob McNicholas

We are upgrading our [LDAP infrastructure](https://iris.eecs.berkeley.edu/news/10933-department-ldap-upgrade-thu-jan) to replace an old server with a new machine. This server is a backup node which should take over the role of the LDAP server if the primary server fails. In order to ensure the new server is performing as expected, we will be simulating a failure of the primary node at 10pm on Wednesday, June 17th. The backup node should take over within 5 seconds. If all goes as planned, we will then bring the primary back up and call it a successful test.

During this testing, there will be brief (~5 second) interruptions in LDAP service. This will occur at least twice but possibly more if the first test is unsuccessful. During those brief intervals, anyone whose timing is especially good might notice trouble logging into any application that uses LDAP.

All testing will be over by 10:30pm at the latest, but probably much sooner.
[Read more…] about LDAP High-Availability Testing Wednesday 10pm

Slowness for services that use LDAP authentication

July 11, 2014 | Lars Rohrbach

We are currently seeing slowness in services that use LDAP authentication. This affects any services that prompt for LDAP login, such as our network registration forms, our Jabber server, and any EECS LDAP-authenticated websites.
[Read more…] about Slowness for services that use LDAP authentication

Authentication Trouble

April 21, 2014 | Lars Rohrbach

We’re getting reports of trouble authenticating to various EECS resources (EECS-Secure, LDAP). Staff are investigating.
[Read more…] about Authentication Trouble

Changes to EECS LDAP Access from off-campus

April 1, 2014 | Rob McNicholas

On Tuesday, April 1, 2014 IRIS will begin restricting access to the EECS LDAP directory server (`ldap.eecs.berkeley.edu`) from off-campus IP addresses. This will primarily affect people who use email programs such as Thunderbird, Outlook or Apple Mail that are configured to auto-complete email addresses from our directory. This will not affect people using the bMail web interface.

At this time, anonymous queries are allowed against the EECS LDAP directory, but searches are restricted to no more than 100 results. Unfortunately this configuration still allows an anonymous query to retrieve some details about a specific person, such as their email address, phone number or advisor. To mitigate this, after April 1 only authenticated queries will be allowed when coming from an off-campus IP address. For the purposes of this change, “off-campus” means an IP not in the any of the following ranges:

128.32.0.0/16
169.229.0.0/16
136.152.0.0/16
172.16.0.0/16
10.16.0.0/16

Those who need continued anonymous access to the directory from off-campus can use the [campus VPN](http://ist.berkeley.edu/node/591), which will give their off-campus machine a campus IP address. Those who need to run queries that return unlimited results can bind to the directory using their EECS credentials, or an “application” account can be created if needed.

We expect this change will affect a small number of people, but if you have any concerns or questions please contact the IRIS helpdesk at help@eecs.berkeley.edu.
[Read more…] about Changes to EECS LDAP Access from off-campus

filesystem problem in LDAP server may have caused temporary authentication failures

September 7, 2013 | IRIS Staff

One of the LDAP servers in our pair became unresponsive due to a filesystem problem. Some services (such as Jabber) had authentication problems during this time. The system is back online now after running fsck.

The current LDAP servers are old legacy systems slated to be replaced in the very near future. The configuration of these servers and the services that rely on it is non-optimal which results in problems with authentication to some (but not all) services that rely on LDAP.

The new LDAP system is in its final testing phases now and will completely replace the aging infrastructure we have now.

The problem with the system was detected by IT staff with one of our monitoring systems which alerted us. We are not aware of any impact to the community and have received no reports from anyone. If you experienced any authentication problems between 1-2am then please let us know by writing to help@eecs.berkeley.edu

Resolved as of 2013-09-07 01:57:00