Difference between revisions of "Adding local users"

From PDP/Grid Wiki
Revision as of 18:41, 23 December 2008

An interactive 'ndpfuseradd' script is now available from SVN and is installed (via RPMs) in /usr/local/sbin/ on selected machines (hooimijt, vlaai, stal), but can be installed anywhere if you like.

Prerequisites for using this tool:

  • you must have your ssh key in an agent, and you must be able to login as root via ssh on the file server hosting the end-user home directories
  • you must be in the list of LDAP managers hard-coded in the tool
  • the tool (and the RPM dependencies) require perl-LDAP, perl-IO-Socket-SSL, perl-Net-SSLeay, and the 'dialog' command

Then start the tool - it's fully interactive. First select the (unix) group you want to add the new user to, and then complete the new user's personal details. Have the new user's SSH key handy; it will be inserted automatically as well. It's simple now:

/usr/local/sbin/ndpfuser

I tried extracting the list of managers automatically, but after having secured the LDAP server so that anonymous users can no longer glance such information with a single ldapsearch, I found myself in a catch-22 situation (you need to bind to the directory in order to see who you can bind as ...). Too bad, but I agree it still needs a configuration file instead of a hard-coded list in the script. Will work on this.



This is OLD documentation

Login to hooimijt first, and then run the script

 /export/perm/adm/bin/makeuser <username>

either with arguments like:

 -e test@example.com -n "Test User" -l "NIKHEF H1.56" -p "+31 20 592 2179" -g 100 testusr2

or answer all questions. You have to be one of the predefined administrators in order to complete the procedure.

Finally, add the public ssh key of the user to

/home/<userid>/.ssh/authorized_keys2

and the new user should be able to login. The option to edit the authorized_keys file is also presented to you just before the makeuser script terminates.

Documentation

 Usage: ./makeuser [-h] [-g gid] [-e email] [-n name] [-p number] 
            [-l loc] <username>

This script will create a new user in the NDPF, updating the LDAP directory and initializing the user's home directory. The opportunity to edit the ssh authorized_keys file is presented at the end.

The uidNumber is automatically obtained from the LDAP directory, if the appropriate description entry in ou=LocalUsers, stating the next available uidNumber, is present. It is incremented on user creation.
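The counter scheme above has one pitfall worth checking for: if two administrators run the script at the same time, both can read the same "next available" value and create two accounts sharing one uidNumber, which makes the two users indistinguishable to the file system. The sketch below is an added example, not code from makeuser or ndpfuseradd (which are Perl): it shows the usual LDAP idiom for an atomic counter, deleting the old value and adding the new one in a single modify so that a writer holding a stale value is rejected and retries, run against an in-memory stand-in for the counter entry. The DN, the use of the 'description' attribute and the starting values are assumptions.

```python
class CounterEntry:
    """Stand-in for the ou=LocalUsers entry whose 'description' holds the next
    free uidNumber (DN, attribute name and start value are assumptions)."""
    def __init__(self, start):
        self.dn = "ou=LocalUsers,dc=example,dc=org"   # placeholder DN
        self.description = {str(start)}               # multi-valued, as in LDAP

    def modify(self, delete_value, add_value):
        # One LDAP modify carrying two changes: delete a specific value, add a
        # new one. A server applies both or neither, and the delete fails with
        # noSuchAttribute if the value is already gone, so a stale writer loses.
        if delete_value not in self.description:
            raise LookupError("noSuchAttribute: " + delete_value)
        self.description.remove(delete_value)
        self.description.add(add_value)


class RacyCounterEntry(CounterEntry):
    """Same entry, but another admin's increment lands just before our first
    modify, to show the conflict being detected instead of a duplicate uid."""
    def __init__(self, start):
        super().__init__(start)
        self.preempted = False

    def modify(self, delete_value, add_value):
        if not self.preempted:
            self.preempted = True
            super().modify(delete_value, str(int(delete_value) + 1))
        super().modify(delete_value, add_value)


def allocate_uid(entry, used_uids, max_tries=5):
    """Reserve a uidNumber: read the counter, skip uids already present in the
    directory, then bump the counter atomically; retry if somebody raced us."""
    for _ in range(max_tries):
        current = int(next(iter(entry.description)))
        candidate = current
        while candidate in used_uids:      # never reuse an existing uidNumber
            candidate += 1
        try:
            entry.modify(str(current), str(candidate + 1))
        except LookupError:
            continue                       # counter moved under us: re-read
        return candidate
    raise RuntimeError("no uidNumber reserved after %d tries" % max_tries)
```

With the racy stand-in, allocate_uid(RacyCounterEntry(2000), set()) returns 2001 while the other admin keeps 2000 and the counter ends at 2002; a real client sends the same two-change modify to the directory.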

Constraints:

  • this script MUST be run on hooimijt.nikhef.nl
  • the LDAP directory (master) is assumed to be at ldaps://trog.nikhef.nl/