Difference between revisions of "Adding local users"

From PDP/Grid Wiki
Jump to navigationJump to search
Line 22: Line 22:
  
 
In subversion:
 
In subversion:
   https://ndpfsvn.nikhef.nl/repos/ndpf/trunk/nl.nikhef.ndpf.tools/ndpfuseradd/
+
   https://ndpfsvn.nikhef.nl/repos/ndpf/nl.nikhef.ndpf.tools/ndpfuseradd/
 
and the RPMs are at
 
and the RPMs are at
 
   http://www.nikhef.nl/grid/ndpf/files/local/packages/
 
   http://www.nikhef.nl/grid/ndpf/files/local/packages/

Revision as of 11:45, 13 August 2017

Select your DN in the first screen, and give your LDAP management password
Select the Unix group for the new user
Provide the new user's personal information, unix group (override) and initial quota
Select the services (pam) the user is allowed to use. If you select sshd, you can also provide one ssh public key for the user that will be added to LDAP and the authorized_keys file
Final review screen. Press CTRL-C here if you see mistakes at this stage

An interactive 'ndpfuseradd' script is now available from SVN and is installed (via RPMs) in /usr/local/sbin/ on selected machines (hooimijt, vlaai, stal), but can be installed anywhere if you like.

Prerequisites for using this tool:

  • you must have your ssh key in an agent, and you must be able to login as root via ssh on the file server hosting the end-user home directories
  • you must be in the list of LDAP managers hard-coded in the tool
  • the tool (and the RPM dependencies) require perl-LDAP, perl-IO-Socket-SSL, perl-Net-SSLeay, and the 'dialog' command


Then start the tool - it's fully interactive. Login first, then select the (unix) group you want to add the new user to, and then complete his personal details. Have the new user's SSH key handy and it will be automatically inserted as well. It's simple now:

/usr/local/sbin/ndpfuseradd

Just before committing the new entries to LDAP and the NFS server, you'll get to review the new entries. If you don't like them, press CTRL-C (pressing ESC twice to exit will exit at any dialog box, but is not enough here), and you're in the clear. Also, some basic sanity checks are built in, but you can likely break the tool if you want to.

Sources

In subversion:

 https://ndpfsvn.nikhef.nl/repos/ndpf/nl.nikhef.ndpf.tools/ndpfuseradd/

and the RPMs are at

 http://www.nikhef.nl/grid/ndpf/files/local/packages/
 (and for the NDPF Quattor-managed systems on stal at http://stal.nikhef.nl/mirror/nikhef/ndpfuseradd-VER-REL.noarch.rpm)



I tried extracting the list of managers automatically, but after having secured the LDAP server so that anonymous users can no longer glance such information with a single ldapsearch, I found myself in a catch22 situation (you need to bind to directory in order to see who you can bind as ...). Too bad, but I agree it still needs a configuration file instead of a hard coded list in the script. Will work on this.