This page has moved to [https://wiki.nikhef.nl/nikhef/ctb/NDPF:Creating_Pool_Accounts_With_LDAP the internal CTB Wiki].

== The LDAP directory structure ==

The list of valid users of the NDPF is kept in a central LDAP directory, currently hosted on <tt>teugel.nikhef.nl</tt>. This directory contains both the "local" users as well as all poolaccounts and all automount map entries. The structure of the directory is:

 + dc=farmnet,dc=nikhef,dc=nl
   + ou=Managers
   + ou=LocalGroups (<i>contains all groups!</i>)
   + ou=LocalUsers
   + ou=Poolaccounts
     + ou=dteam
     + ou=ops
     ...
   + ou=automount
     + ou=auto.home
       + ou=lcgprod
     + ou=auto.sedata
     + ou=auto.share
     + ou=auto.stage
     + ou=auto.sedata2

The <tt>ou=Poolaccounts</tt> entry contains the hierarchy of pool account groups. Per pool account group there is a separate <tt>ou</tt>, which contains the actual list of pool accounts. Each account is named by its <tt>uid</tt> and is of objectClass "posixAccount". For each account named here there should be a corresponding entry in the <tt>ou=pool,ou=auto.home,ou=automount</tt> branch of the tree as well (of objectClass "automount").

== Creating accounts for a new VO ==

The <tt>ndpfpooladd</tt> script is part of the ndpfuseradd package from version 1.1 and higher. You can run it from any host where this package is installed, provided that

* you can connect securely to the LDAP server (currently teugel.nikhef.nl port 636)
* you have root access on the NFS server and gridmapdir server via ssh keys, and you access these through an ssh agent

The documentation is not complete but the help is usable. Anyway, it's virtually all automatic now :-)

The pool accounts created have an immutable .ssh directory, so that pool users cannot add their own ssh keys and come back later!

 The ndpfpooladd utility creates new pools of accounts for VOs in the NDPF. It
 handles all of the LDAP, NFS and gridmapdir interactions from a single host,
 provided you have your SSH public keys loaded in an agent (using passwords
 is too error-prone and enticing).
 
 Usage: ndpfpooladd [--help] [-c|--config configfile] [-v[v[v]]] [-H ldapuri]
                    [--base ldapbaseDIT] [--automountbase DIT] [--ldapuidbase DIT]
                    [--homedirhost FQDN] [--homedirdirname dir]
                    [--gridmapdirhost FQDN] [--gridmapdirdirname dir]
                    [--(no-)updateldap] [--(no-)updateNFS] [--(no-)updateGMD]
                    [-u|--updatecn RDN]
 
                    [-g unixgid] [--vo|--poolname poolname] [-b|--baseuid uidNumber]
                    [-l|--length numerals] [-n|--naccounts n] [-s|--startserial serial]
 
 Examples:
   Create 100 accounts for the new "atltst" VO, from uid 90100:
   (first create a new Unix group, e.g. atlastst with gidNumber e.g. 2099)
 
     ndpfpooladd -u "David Groep" -g atlastst -b 90100 \
                 -l 2 --vo atltst -n 100
 
   To add 50 extra accounts to this pool, from a fresh uidNumber range:
 
     ndpfpooladd -u "David Groep" -g atlastst -b 91300 \
                 -l 2 --vo atltst -n 50 -s 100
 
   note that the uidNumber ranges need not be contiguous.
 
 The rest of the commandline options are set to reasonable defaults in
 the source, but can be overridden in a configuration file specified
 with the "-c" option, or in $HOME/.ndpfpooladdrc
 
 Notes:
 - some basic checks on uidNumber availability are performed: the first
   and last uid of a range must not be in use
 - if one part fails (e.g. NFS), start by disabling the previous steps
   with the --no-updateXXX options
   So, if LDAP succeeded but creating the directories failed, retry with
   "--no-updateldap"
 - new Unix groups MUST be manually created in the LDAP directory
 - If you get bored with the "-u" option, add a .ndpfpooladdrc file in
   your $HOME with the content:
     $updatecn="David Groep"

== Repairing an empty gridmapdir ==

For this you need the backup file that's generated nightly by the <tt>poolmaplog</tt> script from cron. The file format is simple:

 uid subjectDN_in_lowercase
 ...

But for use in the gridmapdir the special characters (so painstakingly converted to readable format by poolmaplog) must be converted back. This is the task of the <tt>repair-pool</tt> script. As far as I know, these are the special characters:

 % / <space> = ( ) - . @

The repair-pool script will translate these to URL-escaped characters (i.e. "=" becomes "%3D" -- note that we must thus convert any %-signs first!)

The script will automatically relink the poolaccounts to the proper DN for those accounts that were in use (i.e. that have a DN assigned to them). You should only attempt repair if the pooldir is empty!

 ./repair-pool < /export/perm/share/gridmapdir/.poolmap.20050816

and watch the results.

This utility is part of the manage-gridmap package!
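The repair described above, written out as an added example (not the manage-gridmap package's repair-pool script): parse the poolmaplog lines, escape the listed special characters back into gridmapdir file names with '%' handled first, refuse to touch a gridmapdir that still holds DN entries, and hard-link each DN name to its pool account file. The poolmaplog sample and the gridmapdir path are constructed.

```python
"""Rebuild an empty gridmapdir from a poolmaplog backup: parse the
"uid subjectDN" lines, URL-escape the special characters back the way
gridmapdir names its files, and hard-link each DN name to its pool account.
Added example, not the manage-gridmap package's repair-pool script."""
import os

# The special characters named above.  '%' goes first: escaping it later would
# also mangle the '%' that the other replacements introduce.
SPECIAL = ["%", "/", " ", "=", "(", ")", "-", ".", "@"]

# Constructed sample in poolmaplog format (DNs are already lowercase).
SAMPLE_POOLMAP = """\
atltst00 /o=example/ou=people/cn=pool user
atltst02 /dc=nl/dc=example/cn=a.n-other@example.nl
"""


def gridmapdir_name(dn):
    """'=' becomes '%3D', ' ' becomes '%20', and so on for every SPECIAL char."""
    for ch in SPECIAL:
        dn = dn.replace(ch, "%%%02X" % ord(ch))
    return dn


def parse_poolmap(text):
    """Return (uid, dn) pairs; the DN may contain spaces, so split only once."""
    pairs = []
    for line in text.splitlines():
        if line.strip():
            uid, dn = line.split(None, 1)
            pairs.append((uid, dn.strip()))
    return pairs


def repair_plan(text):
    """Map gridmapdir file name -> pool account that must be linked to it."""
    return {gridmapdir_name(dn): uid for uid, dn in parse_poolmap(text)}


def repair_pool(gridmapdir, text, link=os.link, listdir=os.listdir):
    """A gridmapdir holds one empty file per pool account plus a hard link named
    after the escaped DN per account in use; refuse to run if DN links exist."""
    if any(name.startswith("%") for name in listdir(gridmapdir)):
        raise RuntimeError("gridmapdir still has DN entries; not repairing")
    linked = []
    for dnfile, uid in repair_plan(text).items():
        link(os.path.join(gridmapdir, uid), os.path.join(gridmapdir, dnfile))
        linked.append(uid)
    return linked
```

The `link` and `listdir` parameters default to the real filesystem calls and exist only so the plan can be dry-run against a fake directory listing before touching the production gridmapdir.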

== Migrating the poolaccounts in the LDAP directory ==

When the poolaccounts are migrated to a new system (schuur.nikhef.nl), the LDAP directory needs to be updated to reflect the new location. To this end, a new script is now available on <tt>hooimijt:/export/perm/adm/bin</tt>:

 ./migrate_poolacc_dir_ldap [--uid=''uidpattern'']

which generates LDIF output with the directory updates. You can apply the LDIF modification with the command

 ldapmodify -x -W -D "cn=''Your Name'',ou=Managers,dc=farmnet,dc=nikhef,dc=nl" -H ldap://trog.nikhef.nl/ -f ''ldif_file''

The default is to expect the poolaccount home to be on

 schuur.nikhef.nl:/project/share/pool/''prefix''/''loginname''

It will look for appropriately named poolaccounts under <tt>ou=pool,ou=auto.home,ou=automount,dc=farmnet,dc=nikhef,dc=nl</tt>

''PS: the gen_poolacc_dir script has also been changed to use the new poolaccount home directory format. The output of this gen_poolacc_dir script is a shell script to be executed on the physical filesystem-hosting node.''
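To show what the generated LDIF for this migration looks like, here is an added example (not the migrate_poolacc_dir_ldap script itself) that emits a changetype: modify record per automount entry, pointing it at schuur.nikhef.nl:/project/share/pool/''prefix''/''loginname''. The current automountInformation values are a constructed sample, the uid pattern is treated as a shell glob, and taking the prefix to be the login name minus its serial digits is an assumption; the output is what the ldapmodify command above applies.

```python
"""Generate LDIF 'modify' records that move the pool account automount entries
under ou=pool,ou=auto.home,ou=automount to their new home on schuur.nikhef.nl.
Added example, not the migrate_poolacc_dir_ldap script; the current values
below are constructed and the prefix rule is an assumption."""
import fnmatch
import re

AUTOMOUNT_BASE = "ou=pool,ou=auto.home,ou=automount,dc=farmnet,dc=nikhef,dc=nl"
NEW_HOST = "schuur.nikhef.nl"
NEW_ROOT = "/project/share/pool"

# Constructed sample of the automountInformation an ldapsearch over the branch
# would return before migration (old host and path are made up).
CURRENT = {
    "atltst00": "oldhost.example.nl:/export/pool/atltst/atltst00",
    "atltst01": "oldhost.example.nl:/export/pool/atltst/atltst01",
    "dteam03": "oldhost.example.nl:/export/pool/dteam/dteam03",
}


def prefix_of(login):
    """Pool prefix = login name without its trailing serial digits (assumption)."""
    return re.sub(r"\d+$", "", login)


def new_location(login):
    """The default target layout named on the page: host:/root/prefix/loginname."""
    return f"{NEW_HOST}:{NEW_ROOT}/{prefix_of(login)}/{login}"


def migrate_ldif(current, uid_pattern="*"):
    """One 'changetype: modify' per entry matching the --uid glob that does not
    already point at the new location, so a re-run produces nothing to apply."""
    records = []
    for login in sorted(current):
        if not fnmatch.fnmatch(login, uid_pattern):
            continue
        if current[login] == new_location(login):
            continue  # already migrated
        records.append("\n".join([
            f"dn: cn={login},{AUTOMOUNT_BASE}",
            "changetype: modify",
            "replace: automountInformation",
            f"automountInformation: {new_location(login)}",
            "-",
        ]))
    return "\n\n".join(records) + ("\n" if records else "")
```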