Creating Pool Accounts With LDAP
The LDAP directory structure
The list of valid users of the NDPF is kept in a central LDAP directory, currently hosted on trog.nikhef.nl. This directory contains the "local" users as well as all pool accounts and all automount map entries. The structure of the directory is:
+ dc=farmnet,dc=nikhef,dc=nl
  |
  + ou=Managers
  + ou=LocalGroups (contains all groups!)
  + ou=LocalUsers
  + ou=Poolaccounts
  + ou=automount
      |
      + ou=auto.home
      |   + ou=lcgprod
      |
      + ou=auto.sedata
      + ou=auto.share
      + ou=auto.stage
      + ou=auto.sedata2
The ou=Poolaccounts entry contains the list of all pool accounts, without any further hierarchy. Each account is named by its uid and is of objectClass "posixAccount". For each account named here, there should be a corresponding entry in the ou=pool,ou=auto.home,ou=automount branch of the tree as well (of objectClass "automount"). The LDIF below writes the container as ou=PoolAccounts; ou values are matched case-insensitively, so both spellings refer to the same entry.
Creating accounts for a new VO
To use the scripts, log in on the fileserver "hooimijt.nikhef.nl" and make sure that /export/perm/adm/bin (which contains all the relevant scripts) is in your path, or cd there. Also make sure you know your LDAP manager password; ldapadd will prompt for it.
You need to:
- add the accounts to the LDAP directory
- create the homedirectories for these users on hooimijt
- add the inodes to the gridmapdir
(and of course add the VO itself to the proper Quattor profiles for the selected facilities, but this is outside the scope of this page).
Generating the LDIF
Adding users to the directory takes two commands (or one pipe). The gen_poolacc_ldif script generates LDIF, which must be piped into "ldapadd" to be inserted into the directory.
Its use is best explained by an example:
./gen_poolacc_ldif --vo atlas -g 2002 -b 43000 -n 200
will print one LDIF entry per account, like
dn: uid=atlas000, ou=PoolAccounts, dc=farmnet,dc=nikhef,dc=nl
objectclass: top
objectclass: posixAccount
cn: PoolAccount 0 of atlas
uid: atlas000
uidNumber: 43000
gidNumber: 2002
homeDirectory: /home/atlas000
...
This must be added to the directory with ldapadd (-x selects a simple bind and -W prompts for the manager password; keep the ldaps:// URL so that the password does not travel in the clear):
ldapadd -H ldaps://trog.nikhef.nl/ -W -x -D "cn=My Name,ou=managers,dc=farmnet,dc=nikhef,dc=nl"
Valid managers are "David Groep", "Jeff Templon@nikhef.nl", "Davide Salomoni", "Ronald Starink" and "backup" (the last one can only read, though, so it cannot be used for ldapadd). The two commands can be combined in a single pipe.
In due course, the new accounts will appear on the farm, and you can check their presence with the "id" and "ls" commands:
id -a atlas000
ls -l /home/atlas000/
There may be a slight delay if the system you are trying this on runs nscd (which caches lookups), or queries a slave (replica) LDAP server (hooimijt or tbn06 instead of trog) that has not yet received the new entries.
The number of digits appended to the vo name is three (3) by default, but can be changed with the -l option. And, of course, the "voname" specified here is completely unrelated to the VO name in the information system or used in the GlueAccessControlBaseRules.
Extending an existing poolaccount range
You can also extend an existing range by giving gen_poolacc_ldif a "start" value, but remember: the "base" value must remain the same, because each account's uidNumber is the base plus its index, and -n gives the total size of the range, not the number of accounts to add. So, to generate an additional 100 atlas accounts, the command would be
./gen_poolacc_ldif --vo atlas -g 2002 -b 43000 -n 300 -s 200
which starts at index 200 and ensures that there are 300 accounts (atlas000 to atlas299) in total.
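The numbering scheme described above (zero-padded index appended to the VO name, uidNumber equal to base plus index, -n as the total size of the range and -s as the first index to emit) as a small shell re-implementation. This is an added example, not the NDPF gen_poolacc_ldif script: it takes positional arguments instead of the script's options, emits only the attributes shown in the LDIF fragment above, and assumes nothing about whatever further attributes the real script adds after homeDirectory.

```shell
#!/bin/sh
# Illustrative re-implementation of the LDIF that gen_poolacc_ldif prints
# (added example; not the NDPF script). Positional arguments stand in for
# the script's options:
#   gen_poolacc_ldif VO GID BASE TOTAL [START] [DIGITS]
#   VO      name prefix of the accounts              (--vo)
#   GID     gidNumber of all accounts                (-g)
#   BASE    uidNumber of account 0, must never change (-b)
#   TOTAL   total size of the range                  (-n)
#   START   first index to emit, default 0           (-s)
#   DIGITS  width of the zero-padded index, default 3 (-l)
gen_poolacc_ldif() {
    vo=$1 gid=$2 base=$3 total=$4 start=${5:-0} digits=${6:-3}
    if [ "$start" -ge "$total" ]; then
        echo "gen_poolacc_ldif: start ($start) must be below total ($total)" >&2
        return 1
    fi
    fmt="%s%0${digits}d"
    i=$start
    while [ "$i" -lt "$total" ]; do
        name=$(printf "$fmt" "$vo" "$i")        # e.g. atlas000
        # posixAccount requires cn, uid, uidNumber, gidNumber and
        # homeDirectory; the blank line separates entries for ldapadd.
        cat <<EOF
dn: uid=$name, ou=PoolAccounts, dc=farmnet,dc=nikhef,dc=nl
objectclass: top
objectclass: posixAccount
cn: PoolAccount $i of $vo
uid: $name
uidNumber: $((base + i))
gidNumber: $gid
homeDirectory: /home/$name

EOF
        i=$((i + 1))
    done
}

# The two commands from this page, as a single pipe each:
#   gen_poolacc_ldif atlas 2002 43000 200 \
#     | ldapadd -H ldaps://trog.nikhef.nl/ -W -x -D "cn=My Name,ou=managers,dc=farmnet,dc=nikhef,dc=nl"
#   gen_poolacc_ldif atlas 2002 43000 300 200 | ldapadd ...   # atlas200..atlas299 only
```

Redirect the output to a file and read it before piping it into ldapadd the first time; an off-by-one in the start value produces a duplicate dn, which ldapadd rejects, but a wrong base silently hands out uidNumbers from another VO's range.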
Generating the home directories
Once the accounts have been added to the directory, you can create the home directories on hooimijt. This must be done as root, and on hooimijt itself. The command to use is make_poolacc_dir, which takes one argument: the uid prefix to select on. Without it, the generated shell script tries to (re)create the home directories of all pool accounts, so always pass --uid and read the generated script before running it.
To generate the home directories for the "phicos" VO, use:
./make_poolacc_dir --uid=phicos > /tmp/schapen
sh /tmp/schapen
To do the same for the additional 100 atlas accounts created from "atlas200" to "atlas299", use:
./make_poolacc_dir --uid=atlas2 > /tmp/lam
sh /tmp/lam
The --uid value is a prefix: "atlas2" selects atlas200 to atlas299 with the default three-digit names. The current version of make_poolacc_dir ensures that the .ssh directory contains an empty "authorized_keys" file and is immutable ("chattr =i .ssh"), so that nobody can grant themselves ssh access to a pool account by dropping a key into it.
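A generator of the kind make_poolacc_dir is described as (it emits the commands rather than running them), written here as an added example; it is not the NDPF script. It reads pool-account uids from stdin, one per line, as an ldapsearch for uid under ou=Poolaccounts would supply after stripping the attribute name, keeps those whose name is the given prefix followed by digits only, and emits the steps for each. It goes beyond what the page states in two places: it skips accounts whose home directory already exists instead of recreating them, and it leaves authorized_keys owned by root and read-only for the account. /home as the home prefix and the "uid:" login-group form of chown are assumptions.

```shell
#!/bin/sh
# Added example, not the NDPF make_poolacc_dir script: print a shell script
# that creates the home directories of pool accounts. Inspect the output
# before running it as root on the fileserver.
#
# stdin:  pool account uids, one per line
# $1:     uid prefix to select on, e.g. "atlas2" for atlas200..atlas299
gen_homedir_script() {
    prefix=$1
    echo '#!/bin/sh'
    echo 'set -e'
    # Anchor the prefix: only names that are PREFIX followed by digits
    # qualify, so "atlas2" does not also pick up a (hypothetical)
    # "xatlas2..." account that merely contains the string.
    grep -E "^${prefix}[0-9]*$" | while IFS= read -r uid; do
        home=/home/$uid
        cat <<EOF
if [ -e $home ]; then
    echo "$uid: $home exists, skipped" >&2
else
    mkdir -p $home/.ssh
    chown $uid: $home $home/.ssh            # group = login group from LDAP
    chmod 0700 $home $home/.ssh
    : > $home/.ssh/authorized_keys          # empty, root-owned, not writable by $uid
    chmod 0644 $home/.ssh/authorized_keys
    chattr =i $home/.ssh                    # immutable: no keys can be added
fi
EOF
    done
}

# Usage (as on this page, but with the generated script reviewed first):
#   ldapsearch -LLL -x -H ldaps://trog.nikhef.nl/ \
#       -b ou=Poolaccounts,dc=farmnet,dc=nikhef,dc=nl uid \
#     | sed -n 's/^uid: //p' | gen_homedir_script atlas2 > /tmp/lam
#   less /tmp/lam && sh /tmp/lam
```

Because .ssh is made immutable last, the generated script can be re-run safely: existing accounts are reported and skipped rather than failing half-way at chown on an immutable directory.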
Creating the inodes
Creating the inodes is done with populate_gridmapdir. This script is even simpler than the other two: it extracts all uids from the ou=Poolaccounts,dc=farmnet,dc=nikhef,dc=nl tree and prefixes each with "/export/perm/share/gridmapdir/":
./populate_gridmapdir
results in
/export/perm/share/gridmapdir/alice000
/export/perm/share/gridmapdir/alice001
/export/perm/share/gridmapdir/alice002
/export/perm/share/gridmapdir/alice003
/export/perm/share/gridmapdir/alice004
...
To restrict the list to the new accounts, filter it with grep and pipe the result through xargs so as to touch the files:
./populate_gridmapdir | grep atlas2 | xargs touch
creates the inodes for the 100 additional atlas accounts, for instance. Note that "grep atlas2" is a substring match: with the default three-digit names it selects exactly atlas200 to atlas299, but with longer names (the -l option) it would also select atlas2000 and up, so anchor the pattern on the trailing digits if in doubt.
Repairing an empty gridmapdir
For this you need the backup file that the poolmaplog script generates nightly from cron. The file format is simple:
uid subjectDN_in_lowercase ...
but for use in the gridmapdir the special characters (so painstakingly converted to readable form by poolmaplog) must be converted back. This is the task of the repair-pool script. As far as I know, these are the special characters:
% / <space> = ( ) - . @
The repair-pool script translates these to URL-escaped form (i.e. "=" becomes "%3D"); note that any %-signs must therefore be converted first, or the "%" introduced by the other escapes would itself be escaped again.
The script automatically relinks the pool accounts to the proper DN for those accounts that were in use (i.e. had a DN assigned to them). Only attempt a repair if the gridmapdir is empty!
./repair-pool < /export/perm/share/gridmapdir/.poolmap.20050816
and watch the results.
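The two gridmapdir operations described on this page, populating the directory from the uid list ("Creating the inodes") and rebuilding it from a poolmap backup ("Repairing an empty gridmapdir"), as one added shell example. It is not the NDPF populate_gridmapdir or repair-pool script. The gridmapdir path is a parameter so the functions can be exercised against a scratch directory. It assumes that a poolmap line is the uid followed by the rest of the line as the DN, that the DN is stored in lowercase, that a lease is recorded as a hard link from the encoded DN to the uid file (the "inodes" and "relink" wording above), and that the hex digits are uppercase as in the page's "%3D" example; check an existing entry in the live gridmapdir before relying on the last point.

```shell
#!/bin/sh
# Added example covering "Creating the inodes" and "Repairing an empty
# gridmapdir"; not the NDPF populate_gridmapdir / repair-pool scripts.
# Every function takes the gridmapdir path as $1 so it can be tried on a
# scratch directory; production is /export/perm/share/gridmapdir.

# populate: read pool-account uids from stdin (one per line, e.g. an
# ldapsearch for uid under ou=Poolaccounts with "uid: " stripped) and
# print the gridmapdir path of each, ready for "| xargs touch".
poolacc_inodes() {
    dir=$1
    while IFS= read -r uid; do
        [ -n "$uid" ] && printf '%s/%s\n' "$dir" "$uid"
    done
}

# Encode a subject DN as a gridmapdir file name: lowercase, then every
# special character listed on this page replaced by %XX. '%' goes FIRST;
# otherwise the '%' introduced by the later substitutions would be
# escaped a second time. Hex digit case follows the page's "%3D" example
# (assumption; verify against a live entry).
gridmapdir_encode() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed \
        -e 's/%/%25/g' \
        -e 's,/,%2F,g' \
        -e 's/ /%20/g' \
        -e 's/=/%3D/g' \
        -e 's/(/%28/g' \
        -e 's/)/%29/g' \
        -e 's/-/%2D/g' \
        -e 's/\./%2E/g' \
        -e 's/@/%40/g'
}

# repair: rebuild an EMPTY gridmapdir from a poolmap backup read on stdin,
# one "uid [dn]" per line. The uid file is recreated; if a DN is present
# the encoded DN is hard-linked to it, which is how gridmapdir records
# that the account is leased to that DN. Refuses a non-empty directory.
repair_pool() {
    dir=$1
    if [ -n "$(ls -A "$dir")" ]; then
        echo "repair_pool: $dir is not empty, refusing" >&2
        return 1
    fi
    while read -r uid dn; do
        [ -n "$uid" ] || continue
        [ -e "$dir/$uid" ] || : > "$dir/$uid"
        [ -n "$dn" ] || continue
        ln "$dir/$uid" "$dir/$(gridmapdir_encode "$dn")"
    done
}

# Usage as on this page, with the grep anchored so that "atlas2" selects
# atlas200..atlas299 and nothing that merely contains the string:
#   ... | poolacc_inodes /export/perm/share/gridmapdir | grep '/atlas2[0-9]*$' | xargs touch
#   repair_pool /export/perm/share/gridmapdir < /export/perm/share/gridmapdir/.poolmap.20050816
```

After a repair, "ls -li" on the gridmapdir should show each leased uid file and its encoded DN sharing one inode with a link count of 2; a link count of 1 on an encoded DN means the lease was not re-established.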