Difference between revisions of "Creating Pool Accounts With LDAP"

From PDP/Grid Wiki

Revision as of 10:12, 31 January 2006

The LDAP directory structure

The list of valid users of the NDPF is kept in a central LDAP directory, currently hosted on trog.nikhef.nl. This directory contains both the "local" users as well as all poolaccounts and all automount map entries. The structure of the directory is:

+ dc=farmnet,dc=nikhef,dc=nl
  |
  + ou=Managers
  + ou=LocalGroups (contains all groups!)
  + ou=LocalUsers
  + ou=Poolaccounts
  + ou=automount
    |
    + ou=auto.home
    + ou=lcgprod
      |
      + ou=auto.sedata
      + ou=auto.share
      + ou=auto.stage
      + ou=auto.sedata2

The ou=Poolaccounts entry contains the list of all pool accounts, without any further hierarchy. Each account is named by its uid, and is of objectClass "posixAccount". For each account named here, there should be a corresponding entry in the ou=pool,ou=auto.home,ou=automount branch of the tree as well (of objectClass "automount").


Creating accounts for a new VO

To use the scripts, log in on the fileserver "hooimijt.nikhef.nl", and make sure that /export/perm/adm/bin is in your path (it contains all the relevant scripts), or go there. Also, make sure you know your LDAP manager password.

You need to:

  1. add the accounts to the LDAP directory
  2. create the homedirectories for these users on hooimijt
  3. add the inodes to the gridmapdir

(and of course add the VO itself to the proper Quattor profiles for the selected facilities, but this is outside the scope of this page).

Generating the LDIF

Adding users to the directory needs two commands (or one pipe). The gen_poolacc_ldif script generates LDIF that needs to be piped into "ldapadd" to be inserted in the directory.

Its use is best explained by an example:

./gen_poolacc_ldif --vo atlas -g 2002 -b 43000 -n 200

will spit out lots of ldif, like

dn: uid=atlas000, ou=PoolAccounts, dc=farmnet,dc=nikhef,dc=nl
objectclass: top
objectclass: posixAccount
cn: PoolAccount 0 of atlas
uid: atlas000
uidNumber: 43000
gidNumber: 2002
homeDirectory: /home/atlas000
...

This must be added to the directory with ldapadd:

ldapadd -H ldaps://trog.nikhef.nl/ -W -x -D "cn=My Name,ou=managers,dc=farmnet,dc=nikhef,dc=nl" 

Valid managers are "David Groep", "Jeff Templon@nikhef.nl", "Davide Salomoni", "Ronald Starink" and "backup" (the last one can only read, though). The two commands can be combined in a single pipe.

In due course, the new accounts will appear on the farm, and you can check their presence with the "id" and "ls" commands:

id -a atlas000
ls -l /home/atlas000/

There may be a slight delay if the system you are trying this on is running nscd, or is looking at a slave LDAP server (hooimijt or tbn06 instead of trog).

The number of digits appended to the vo name is three (3) by default, but can be changed with the -l option. And, of course, the "voname" specified here is completely unrelated to the VO name in the information system or used in the GlueAccessControlBaseRules.

Extending an existing poolaccount range

You can also extend an existing range, by specifying a "start" value to gen_poolacc_ldif, but remember: the "base" value must remain the same. So, to generate an additional 100 atlas accounts, the command would be

./gen_poolacc_ldif --vo atlas -g 2002 -b 43000 -n 300 -s 200

to start at 200 and ensure that there are 300 accounts in total.
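
The way base, count and start combine (both for a fresh range and for extending one), as an added Python re-implementation that is not the gen_poolacc_ldif script itself; the attribute set is taken from the sample entry above, and the attributes the page elides are left out:

```python
BASE_DN = "dc=farmnet,dc=nikhef,dc=nl"   # directory root from this page
POOL_OU = "ou=Poolaccounts"               # pool accounts live directly under here


def pool_entries(vo, base, count, start=0, width=3):
    """Yield (uid, uidNumber) for accounts start..count-1 of a VO.

    base  = uidNumber of account 0 (must never change for a VO)
    count = total accounts in the range, so extending an existing range of
            200 by 100 is count=300, start=200 (as in the page's example)
    width = digits appended to the VO name (the script's -l option)
    """
    if not 0 <= start < count:
        raise ValueError("start must lie below the total count")
    if count > 10 ** width:
        raise ValueError(f"{count} accounts do not fit in {width} digits")
    for i in range(start, count):
        yield f"{vo}{i:0{width}d}", base + i


def gen_poolacc_ldif(vo, gid, base, count, start=0, width=3):
    """Return LDIF records shaped like the sample entry on this page."""
    records = []
    for uid, uidnum in pool_entries(vo, base, count, start, width):
        records.append("\n".join([
            f"dn: uid={uid},{POOL_OU},{BASE_DN}",
            "objectclass: top",
            "objectclass: posixAccount",
            f"cn: PoolAccount {uidnum - base} of {vo}",
            f"uid: {uid}",
            f"uidNumber: {uidnum}",
            f"gidNumber: {gid}",
            f"homeDirectory: /home/{uid}",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # The page's extension example: 100 more atlas accounts, same base.
    print(gen_poolacc_ldif("atlas", 2002, 43000, 300, start=200))
```

Pipe the output into ldapadd exactly as with the original script; keeping base fixed is what makes atlas200 land on uidNumber 43200 rather than on a number already in use.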

Generating the home directories

Once the accounts have been added to the directory, you can create the home directories on hooimijt. This must be done as root, and on hooimijt itself. The command to use is make_poolacc_dir, which takes one argument: the uid prefix to select on. By default, it will generate a shell script that tries to (re)create the homedirectories for all poolaccounts, so beware.

To generate the home directories for the "phicos" VO, use:

./make_poolacc_dir --uid=phicos > /tmp/schapen
sh /tmp/schapen

To do the same for the additional 100 atlas accounts created from "atlas200" to "atlas299", use:

./make_poolacc_dir --uid=atlas2 > /tmp/lam
sh /tmp/lam

The current version of make_poolacc_dir ensures that the .ssh directory contains an empty "authorized_keys" file and is immutable ("chattr =i .ssh").

Creating the inodes

Creating the inodes is done with populate_gridmapdir. This script is even more trivial than the other two: it extracts all uids from the ou=Poolaccounts,dc=farmnet,dc=nikhef,dc=nl tree and prepends each with "/export/perm/share/gridmapdir":

./populate_gridmapdir

results in

/export/perm/share/gridmapdir/alice000
/export/perm/share/gridmapdir/alice001
/export/perm/share/gridmapdir/alice002
/export/perm/share/gridmapdir/alice003
/export/perm/share/gridmapdir/alice004
...

To filter out the new ones, use grep, and pipe the results through xargs so as to touch the files:

./populate_gridmapdir | grep atlas2 | xargs touch

will do the job for the 100 additional atlas accounts, for instance.

Repairing an empty gridmapdir

For this you need the backup file that's generated nightly by the poolmaplog script from cron. The file format is simple:

uid   subjectDN_in_lowercase
...

But for use in the gridmapdir the special characters (so painstakingly converted to readable format by poolmaplog) must be converted back. This is the task of the repair-pool script. As far as I know, these are the special characters:

% / <space> = ( ) - . @

The repair-pool script will translate these to URL-escaped characters (i.e. "=" becomes "%3D"; note that any %-signs must therefore be converted first!)

The script will automatically relink the pool accounts to the proper DN for those accounts that were in use (i.e. that have a DN assigned to them). You should only attempt a repair if the pooldir is empty!

./repair-pool < /export/perm/share/gridmapdir/.poolmap.20050816

and watch the results.
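
The backup-file parsing and the escaping order described above, as an added Python example that is not the poolmaplog or repair-pool script; the character set and gridmapdir path are the page's, the sample backup lines are constructed, and the hard-link layout is the usual gridmapdir convention assumed here:

```python
import os

GRIDMAPDIR = "/export/perm/share/gridmapdir"    # path from this page
# The page's list of special characters; '%' is deliberately first so that
# the %XX sequences produced by the other replacements are not escaped again.
SPECIAL = "%/ =()-.@"

# Constructed sample in the backup format shown on the page: uid, whitespace,
# subject DN in lowercase; an account without a DN was not in use.
SAMPLE_POOLMAP = """\
atlas000   /o=dutchgrid/o=users/o=nikhef/cn=jan jansen
atlas001
atlas002   /dc=org/dc=example/cn=some user (test)
"""


def escape_dn(dn):
    """Re-encode a readable DN into the gridmapdir file name form."""
    dn = dn.lower()                     # gridmapdir names are lowercase
    for ch in SPECIAL:                  # order matters: '%' goes first
        dn = dn.replace(ch, "%%%02X" % ord(ch))
    return dn


def parse_poolmap(text):
    """Return [(uid, dn)] for the lines that carry a DN."""
    pairs = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            pairs.append((parts[0], parts[1].strip()))
    return pairs


def repair_plan(text, gridmapdir=GRIDMAPDIR):
    """List the (dn_link, uid_file) hard links a repair would recreate.

    Only computes names; it touches nothing on disk, so it can be checked
    before a real repair of an empty gridmapdir is attempted.
    """
    return [(os.path.join(gridmapdir, escape_dn(dn)), os.path.join(gridmapdir, uid))
            for uid, dn in parse_poolmap(text)]


if __name__ == "__main__":
    for link, target in repair_plan(SAMPLE_POOLMAP):
        print(link, "->", target)
```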