|
|
(30 intermediate revisions by 4 users not shown) |
Line 1: |
Line 1: |
− | == The LDAP directory structure ==
| + | This page has moved to [https://wiki.nikhef.nl/nikhef/ctb/NDPF:Creating_Pool_Accounts_With_LDAP the internal CTB Wiki]. |
− | The list of valid users of the NDPF is kept in a central LDAP directory, currently hosted on <tt>trog.nikhef.nl</tt>. This directory contains both the "local" users as well as all poolaccounts and all automount map entries. The structure of the directory is:
| |
− | | |
− | + dc=farmnet,dc=nikhef,dc=nl
| |
− | |
| |
− | + ou=Managers
| |
− | + ou=LocalGroups (<i>contains all groups!</i>)
| |
− | + ou=LocalUsers
| |
− | + ou=Poolaccounts
| |
− | + ou=automount
| |
− | |
| |
− | + ou=auto.home
| |
− | + ou=lcgprod
| |
− | |
| |
− | + ou=auto.sedata
| |
− | + ou=auto.share
| |
− | + ou=auto.stage
| |
− | + ou=auto.sedata2
| |
− | | |
− | The <tt>ou=Poolaccounts</tt> entry contains the list of all pool accounts, without any further hierarchy. Each account is named by its <tt>uid</tt>, and is of objectClass "posixAccount". For each account named here, there should be a corresponsing entry in the <tt>ou=pool,ou=auto.home,ou=automount</tt> branch of the tree as well (of objectClass "automount").
| |
− | <div style="overflow:auto; height: 1px; ">
| |
| |
− | </div>
| |
− | | |
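Review bot: the removed revision wraps a block in `<div style="overflow:auto; height: 1px; ">`, a container rendered at effectively zero height so that whatever it holds is invisible to readers while still being indexed; that is the signature of link-spam injection into an editable wiki page and has nothing to do with the pool-account documentation around it. Dropping it along with the move is the right outcome, but since the header records 30 intermediate revisions by 4 users, the page history should be checked for the same injection rather than assuming this was the only vandalised revision.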
− | == Creating accounts for a new VO ==
| |
− | | |
− | To use the scripts, login on the fileserver "hooimijt.nikhef.nl", and make sure that <tt>/export/perm/adm/bin</tt> is in your path (it contains all the relevant scripts), or go there. Also, make sure you know your LDAP manager password.
| |
− | | |
− | You need to:
| |
− | <ol>
| |
− | <li>add the accounts to the LDAP directory</li>
| |
− | <li>create the homedirectories for these users on hooimijt</li>
| |
− | <li>add the inodes to the gridmapdir</li>
| |
− | </ol>
| |
− | (and of course add the VO itself to the proper Quattor profiles for the selected facilities, but this is outside the scope of this page).
| |
− | | |
− | === Generating the LDIF ===
| |
− | | |
− | Adding users to the directory needs two commands (or one pipe). The <tt>gen_poolacc_ldif</tt> script generates <i>ldif</i> files, that need to be piped in to "ldapadd" to be inserted in the directory.
| |
− | | |
− | Its use is best explained by an example:
| |
− | | |
− | ./gen_poolacc_ldif --vo atlas -g 2002 -b 43000 -n 200
| |
− | | |
− | will spit out lots of ldif, like
| |
− | | |
− | dn: uid=atlas000, ou=PoolAccounts, dc=farmnet,dc=nikhef,dc=nl
| |
− | objectclass: top
| |
− | objectclass: posixAccount
| |
− | cn: PoolAccount 0 of atlas
| |
− | uid: atlas000
| |
− | uidNumber: 43000
| |
− | gidNumber: 2002
| |
− | homeDirectory: /home/atlas000
| |
− | ...
| |
− | | |
− | this must be added to the directory with <tt>ldapadd</tt>:
| |
− | | |
− | ldapadd -H ldaps://trog.nikhef.nl/ -W -x -D "cn=<i>My Name</i>,ou=managers,dc=farmnet,dc=nikhef,dc=nl"
| |
− | | |
− | Valid managers are "David Groep", "Jeff Templon@nikhef.nl", "Davide Salomoni", "Ronald Starink" and "backup" (the last one can only read, though). The two commands can be combined in a single pipe.
| |
− | | |
− | In due course, the new accounts will appear on the farm, and you can check their presence with the "id" and "ls" commands:
| |
− | | |
− | id -a atlas000
| |
− | ls -l /home/atlas000/
| |
− | | |
− | There may be a slight delay if the system you are trying this on is running <tt>nscd</tt>, or is looking at a slave LDAP server (hooimijt or tbn06 instead of trog).
| |
− | | |
− | The number of digits appended to the vo name is three (3) by default, but can be changed with the <tt>-l</tt> option. And, of course, the "voname" specified here is completely unrelated to the VO name in the information system or used in the GlueAccessControlBaseRules.
| |
− | | |
− | ==== Extending an existing poolaccount range ====
| |
− | | |
− | You can also extend an existing range, by specifying a "start" value to <tt>gen_poolacc_ldif</tt>, but remember: the "base" value <b>must remain the same</b>. So, to generate an additional 100 atlas accounts, the command would be
| |
− | | |
− | ./gen_poolacc_ldif --vo atlas -g 2002 -b 43000 -n 300 -s 200
| |
− | | |
− | to start at 200 and ensure that there are 300 accounts in total.
| |
− | | |
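Review bot: the `gen_poolacc_ldif` examples pass `-b 43000` and `-n 200` / `-n 300` without any step that confirms the uidNumber range base .. base+n-1 is not already allocated to another VO; two VOs sharing a numeric uid would own each other's files in the home directories on hooimijt and in the gridmapdir. Suggest a check before `ldapadd`, e.g. an `ldapsearch` over `ou=Poolaccounts` for the intended uidNumber range, and a sentence stating that the base must be unique per VO just as it must stay fixed when extending a range. Minor: the LDIF sample writes `ou=PoolAccounts` while the tree diagram and the `populate_gridmapdir` description write `ou=Poolaccounts`; the DN still matches, but the spelling should be consistent.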
− | == Generating the home directories ==
| |
− | | |
− | Once the accounts have been added to the directory, you can create the home directories on hooimijt. This must be done as root, and on hooimijt itself.
| |
− | The command to use is <tt>make_poolacc_dir</tt>, which takes one argument: the
| |
− | uid prefix to select on. By default, it will generate a shell script that tries to (re)create the homedirectories for <i>all</i> poolaccounts, so beware.
| |
− | | |
− | To generate the home directories for the "phicos" VO, use:
| |
− | | |
− | ./make_poolacc_dir --uid=phicos > /tmp/schapen
| |
− | sh /tmp/schapen
| |
− | | |
− | To so the same for the additional 100 atlas accounts created from "atlas200" to
| |
− | "atlas299", use:
| |
− | | |
− | ./make_poolacc_dir --uid=atlas2 > /tmp/lam
| |
− | sh /tmp/lam
| |
− | | |
− | The current version of <tt>make_poolacc_dir</tt> ensures that the .ssh directory
| |
− | contains an empty "authorized_keys" file and is immutable (<tt>"chattr =i .ssh"</tt>).
| |
− | | |
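Review bot: the home-directory step writes a root-executed script to a fixed, predictable path under `/tmp` (`/tmp/schapen`, `/tmp/lam`) and then runs it with `sh` as root; on a shared fileserver that is a classic pre-creation or symlink race, since any local user can create those names first. Suggest `mktemp` or a root-only directory, and, given the text's own warning that the default output tries to (re)create the home directories for all pool accounts, an explicit instruction to read the generated script before running it. Also worth stating that `--uid=atlas2` selects atlas200 .. atlas299 only because the names use three digits; if `-l` was used to change the digit count, a prefix filter like this selects a different set.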
− | == Creating the inodes ==
| |
− | | |
− | Creating the inodes is done with <tt>populate_gridmapdir</tt>. This script is even more trivial than the other two: it extracts all uid's from the <tt>ou=Poolaccounts,dc=farmnet,dc=nikhef,dc=nl</tt> tree and prepends it with "/export/perm/share/gridmapdir":
| |
− | | |
− | ./populate_gridmapdir
| |
− | | |
− | results in
| |
− | | |
− | /export/perm/share/gridmapdir/alice000
| |
− | /export/perm/share/gridmapdir/alice001
| |
− | /export/perm/share/gridmapdir/alice002
| |
− | /export/perm/share/gridmapdir/alice003
| |
− | /export/perm/share/gridmapdir/alice004
| |
− | ...
| |
− | | |
− | To filter out the new ones, use grep, and pipe the results through xargs so as to touch the files:
| |
− | | |
− | ./populate_gridmapdir | grep atlas2 | xargs touch
| |
− | | |
− | will do the job for the 100 additional atlas accounts, for instance.
| |
− | | |
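Review bot: `./populate_gridmapdir | grep atlas2 | xargs touch` filters on an unanchored substring, so it also matches any other path containing "atlas2" (a later range such as atlas2000 if the digit count is ever raised with `-l`, or another VO whose name contains that string) and touches those inodes too. Anchor the pattern to the uid at the end of the path, e.g. `grep '/atlas2[0-9][0-9]$'`; touching an existing inode is not destructive, but the filter should still select only the new range.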
− | == Repairing an empty gridmapdir ==
| |
− | | |
− | For this you need the backup file that's generated nightly by the <tt>poolmaplog</tt> script from cron. The file format is simple:
| |
− | | |
− | uid subjectDN_in_lowercase
| |
− | ...
| |
− | | |
− | btu for use in the gridmapdir the special chars (so painstackingly converted to readable format by poolmaplog) must be concerted back. This is the task of the <tt>repair-pool</tt> script. As far as I know, these are the special characters:
| |
− | | |
− | % / <space> = ( ) - . @
| |
− | | |
− | the repair-pool script will translate these to URL-escaped characters (ie. "=" becomes "%3D" -- note that we must thus convert any %-signs first!)
| |
− | | |
− | The script will automatically relink the poolaccounts to the proper DN for those accounts that were in use (i.e. has a DN assigned to them). You should only attempt repair if the pooldir is empty!
| |
− | | |
− | ./repair-pool < /export/perm/share/gridmapdir/.poolmap.20050816
| |
− | | |
− | and watch the results.
| |
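Review bot: the repair procedure says to run `repair-pool` only when the gridmapdir is empty, but not to check how old the nightly `.poolmap` dump (here `.poolmap.20050816`) is relative to the failure; any DN-to-pool-account assignment that changed after the dump is replayed stale, so a DN can be relinked to a pool account whose home directory meanwhile belongs to another user's session. Suggest requiring the most recent dump and a review of the relink list before it is applied. The escaping note also deserves tightening: the ordering constraint that `%` must be converted before the other characters is stated only in a parenthesis, yet reversing it double-encodes every escaped value, and the character list is qualified with "as far as I know", so the set should be confirmed against what `poolmaplog` actually rewrites.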