Difference between revisions of "Creating Pool Accounts With LDAP"

From PDP/Grid Wiki
(Replaced content with "This page has moved to [https://wiki.nikhef.nl/nikhef/ctb/NDPF:Creating_Pool_Accounts_With_LDAP the internal CTB Wiki].")
This page has moved to [https://wiki.nikhef.nl/nikhef/ctb/NDPF:Creating_Pool_Accounts_With_LDAP the internal CTB Wiki].
== The LDAP directory structure  ==
The list of valid users of the NDPF is kept in a central LDAP directory, currently hosted on <tt>teugel.nikhef.nl</tt>. This directory contains the "local" users as well as all pool accounts and all automount map entries. The structure of the directory is:
+ dc=farmnet,dc=nikhef,dc=nl
  + ou=Managers
  + ou=LocalGroups (<i>contains all groups!</i>)
  + ou=LocalUsers
  + ou=Poolaccounts
    + ou=dteam
    + ou=ops
  + ou=automount
    + ou=auto.home
    + ou=lcgprod
      + ou=auto.sedata
      + ou=auto.share
      + ou=auto.stage
      + ou=auto.sedata2
The <tt>ou=Poolaccounts</tt> entry contains the hierarchy of pool account groups. Per pool account group, there is a separate <tt>ou</tt>, which contains the actual list of pool accounts. Each account is named by its <tt>uid</tt>, and is of objectClass "posixAccount". For each account named here, there should be a corresponding entry in the <tt>ou=pool,ou=auto.home,ou=automount</tt> branch of the tree as well (of objectClass "automount").
== Creating accounts for a new VO ==
The <tt>ndpfpooladd</tt> script is part of the ndpfuseradd package from version 1.1 and higher.
You can run it from any host where this package is installed, provided that
* you can connect securely to the LDAP server (currently teugel.nikhef.nl, port 636)
* you have root access on the NFS server and the gridmapdir server via ssh keys, and you access these through an ssh agent
The documentation is not complete, but the built-in help is usable. Anyway, it is virtually all
automatic now :-)
The pool accounts created have an immutable <tt>.ssh</tt> directory, so that pool users cannot
add their own ssh keys and come back later!
The ndpfpooladd utility creates new pools of accounts for VOs in the NDPF. It
handles all of the LDAP, NFS and gridmapdir interactions from a single host,
provided you have your SSH public keys loaded in an agent (using passwords
is too error-prone and enticing).
Usage: ndpfpooladd [--help] [-c|--config configfile] [-v[v[v]]] [-H ldapuri]
  [--base ldapbaseDIT] [--automountbase DIT] [--ldapuidbase DIT]
  [--homedirhost FQDN] [--homedirdirname dir]
  [--gridmapdirhost FQDN] [--gridmapdirdirname dir]
  [--(no-)updateldap] [--(no-)updateNFS] [--(no-)updateGMD]
  [-u|--updatecn RDN]
  [-g unixgid] [--vo|--poolname poolname] [-b|--baseuid uidNumber]
  [-l|--length numerals] [-n|--naccounts n] [-s|--startserial serial]
Note: the option --vo does not indicate the name of the VO,
      but the basename of the poolaccounts to be created.
  Create 100 accounts for the new "atltst" VO, from uid 90100:
  (first create a new Unix group, e.g. atlastst with gidNumber e.g. 2099)
    ndpfpooladd -u "David Groep" -g atlastst -b 90100 \
            -l 2 --vo atltst -n 100
  To add 50 extra accounts to this pool, from a fresh uidNumber range:
    ndpfpooladd -u "David Groep" -g atlastst -b 91300 \
            -l 2 --vo atltst -n 50 -s 100
  note that the uidNumber ranges need not be contiguous.
The rest of the commandline options are set to reasonable defaults in
the source, but can be overridden in a configuration file specified
with the "-c" option, or in $HOME/.ndpfpooladdrc
- some basic checks on uidNumber availability are performed: the first
  and last uid of a range must not be in use
- if one part fails (e.g. NFS), start by disabling the previous steps
  with the --no-updateXXX options
  So, if LDAP succeeded but creating the directories failed, retry with
- new Unix groups MUST be manually created in the LDAP directory
- If you get bored with the "-u" option, add a .ndpfpooladdrc file in
  your $HOME with the content:
    $updatecn="David Groep"
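As an added worked example (this is not the ndpfpooladd script or any other NDPF code), the following Python re-implements the LDAP side of the procedure above: it derives the account names from the pool name, the <tt>-l</tt> length and the <tt>-s</tt> serial, performs the first/last uidNumber availability check the help text mentions, emits the posixAccount entries under <tt>ou=Poolaccounts</tt> together with the matching automount entries under <tt>ou=pool,ou=auto.home,ou=automount</tt>, and prints the commands that create the immutable <tt>.ssh</tt> directories on the NFS server. Everything not stated on the page is an assumption: the zero-padded naming scheme, the pool's ou being named after the pool, the automountInformation format, the host and directory names, the login shell, and the constructed set of uidNumbers already in use.

```python
"""Added example, not the ndpfpooladd script: LDIF for a new pool of accounts.

Assumptions (not stated on the wiki page): account name = poolname + serial
zero-padded to `length` numerals; the pool's ou is named after the pool; the
automount entries carry an automountInformation attribute pointing at
HOMEDIR_HOST:HOMEDIR_ROOT/<name>; home directories are mounted under MOUNT_ROOT.
"""

BASE = "dc=farmnet,dc=nikhef,dc=nl"
POOL_BASE = "ou=Poolaccounts," + BASE
AUTOMOUNT_BASE = "ou=pool,ou=auto.home,ou=automount," + BASE
HOMEDIR_HOST = "schuur.nikhef.nl"      # assumed --homedirhost value
HOMEDIR_ROOT = "/export/home/pool"     # assumed --homedirdirname value
MOUNT_ROOT = "/home/pool"              # assumed auto.home mount point

# Constructed sample of uidNumbers already present in the directory.  A real
# run would collect them first, e.g. with
#   ldapsearch -x -H ldaps://teugel.nikhef.nl -b ou=Poolaccounts,dc=farmnet,dc=nikhef,dc=nl uidNumber
EXISTING_UIDS = frozenset({90099, 90250, 91400})


def pool_names(poolname, naccounts, length, startserial=0):
    """Account names for serials startserial .. startserial+naccounts-1."""
    return [f"{poolname}{serial:0{length}d}"
            for serial in range(startserial, startserial + naccounts)]


def uid_range_conflicts(baseuid, naccounts, existing):
    """The basic check from the help text: the first and the last uidNumber
    of the range must not be in use.  Returns the offending uidNumbers."""
    first, last = baseuid, baseuid + naccounts - 1
    return [uid for uid in (first, last) if uid in existing]


def account_entry(name, uidnumber, gidnumber, ou):
    """posixAccount entry for one pool account under ou=<ou>,ou=Poolaccounts."""
    return "\n".join([
        f"dn: uid={name},ou={ou},{POOL_BASE}",
        "objectClass: account",
        "objectClass: posixAccount",
        f"uid: {name}",
        f"cn: {name}",
        f"uidNumber: {uidnumber}",
        f"gidNumber: {gidnumber}",
        f"homeDirectory: {MOUNT_ROOT}/{name}",
        "loginShell: /bin/bash",          # assumed shell
        "",
    ])


def automount_entry(name):
    """The corresponding automount entry every pool account must have."""
    return "\n".join([
        f"dn: cn={name},{AUTOMOUNT_BASE}",
        "objectClass: automount",
        f"cn: {name}",
        f"automountInformation: -rw,hard,intr {HOMEDIR_HOST}:{HOMEDIR_ROOT}/{name}",
        "",
    ])


def pool_ldif(poolname, gidnumber, baseuid, naccounts, length,
              startserial=0, existing=EXISTING_UIDS):
    """LDIF for the whole pool; refuses a range whose ends are taken."""
    conflicts = uid_range_conflicts(baseuid, naccounts, existing)
    if conflicts:
        raise ValueError(f"uidNumber(s) already in use: {conflicts}")
    parts = []
    for offset, name in enumerate(pool_names(poolname, naccounts, length, startserial)):
        parts.append(account_entry(name, baseuid + offset, gidnumber, poolname))
        parts.append(automount_entry(name))
    return "\n".join(parts)


def nfs_commands(names):
    """Shell lines for the NFS server: home directory plus an empty,
    immutable .ssh so pool users cannot plant their own keys."""
    lines = []
    for name in names:
        home = f"{HOMEDIR_ROOT}/{name}"
        lines += [f"mkdir -p {home}/.ssh",
                  f"chown -R {name}: {home}",
                  f"chmod 700 {home} {home}/.ssh",
                  f"chattr +i {home}/.ssh"]
    return lines


if __name__ == "__main__":
    # Rough equivalent of: ndpfpooladd -g atlastst -b 90100 -l 2 --vo atltst -n 100
    # (gidNumber 2099 is the group created by hand beforehand)
    print(pool_ldif("atltst", 2099, 90100, 100, 2))
    print("\n".join(nfs_commands(pool_names("atltst", 100, 2))))
```

The LDIF can be reviewed and then fed to <tt>ldapadd</tt> over <tt>ldaps://</tt>; keeping the LDAP, NFS and gridmapdir parts as separate functions mirrors the <tt>--no-updateXXX</tt> retry logic of the real script, where only the part that failed is re-run.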
== Repairing an empty gridmapdir ==
For this you need the backup file that's generated nightly by the <tt>poolmaplog</tt> script from cron. The file format is simple:
uid  subjectDN_in_lowercase
but for use in the gridmapdir the special characters (so painstakingly converted to readable format by poolmaplog) must be converted back. This is the task of the <tt>repair-pool</tt> script. As far as I know, these are the special characters:
% / &lt;space&gt; = ( ) - . @
The repair-pool script will translate these to URL-escaped characters (i.e. "=" becomes "%3D"); note that any %-signs must therefore be converted first, otherwise the "%" of an already escaped character would be escaped a second time.
The script will automatically relink the pool accounts to the proper DN for those accounts that were in use (i.e. have a DN assigned to them). You should only attempt repair if the pooldir is empty!
./repair-pool < /export/perm/share/gridmapdir/.poolmap.20050816
and watch the results.
This utility is part of the manage-gridmap package!
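The repair described above as an added worked example in Python (this is not the repair-pool script from manage-gridmap, and the backup lines are constructed for the example). It escapes the page's list of special characters per character, which avoids the "convert % first" ordering problem of sequential substitutions, reads the <tt>uid  subjectDN</tt> backup, refuses to run unless the gridmapdir holds no leases, and relinks the accounts that had a DN. The gridmapdir layout it assumes is the usual one, which the page does not spell out: one empty file per pool account, with a lease being a hard link to that file named by the escaped DN.

```python
"""Added example, not the repair-pool script: rebuild an empty gridmapdir
from a nightly poolmaplog backup.

Assumed gridmapdir layout (not stated on the page): one empty file per pool
account name; a lease is a hard link to that file named with the %XX-escaped
subject DN.
"""
import os
import tempfile

# The special characters listed on the page that poolmaplog rendered readable
# and that must be %XX-escaped again in gridmapdir file names.
GRIDMAPDIR_SPECIALS = set("%/ =()-.@")

# Constructed sample backup in the "uid  subjectDN_in_lowercase" format;
# atltst01 was unused and therefore has no DN.
SAMPLE_BACKUP = """\
atltst00  /o=dutchgrid/o=users/o=nikhef/cn=david groep
atltst01
atltst02  /c=nl/o=example-org/ou=dev.team/cn=a.user@example.org (test)
"""


def encode_dn(dn):
    """Escape a DN for use as a gridmapdir file name ("=" -> "%3D").
    Encoding per character sidesteps the ordering pitfall of sequential
    substitutions: a literal "%" becomes "%25" and is never re-encoded."""
    return "".join(f"%{ord(ch):02X}" if ch in GRIDMAPDIR_SPECIALS else ch
                   for ch in dn)


def parse_poolmap(text):
    """uid -> DN for every backup line that carries a DN (accounts in use)."""
    mapping = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2:
            mapping[fields[0]] = fields[1]
    return mapping


def assert_pool_empty(gridmapdir):
    """Refuse to touch a gridmapdir that still holds leases (the page: only
    repair an empty pooldir).  A lease shows up as an escaped name or as a
    file with more than one hard link."""
    for name in os.listdir(gridmapdir):
        path = os.path.join(gridmapdir, name)
        if "%" in name or os.stat(path).st_nlink > 1:
            raise RuntimeError(f"gridmapdir not empty: lease {name} present")


def repair_gridmapdir(gridmapdir, mapping):
    """Re-create each lease as a hard link; returns the uids relinked."""
    assert_pool_empty(gridmapdir)
    relinked = []
    for uid, dn in mapping.items():
        account_file = os.path.join(gridmapdir, uid)
        if not os.path.isfile(account_file):
            raise FileNotFoundError(f"pool account file {uid} missing")
        os.link(account_file, os.path.join(gridmapdir, encode_dn(dn)))
        relinked.append(uid)
    return relinked


def demo(backup_text=SAMPLE_BACKUP, accounts=("atltst00", "atltst01", "atltst02")):
    """Run the repair in a throw-away gridmapdir; returns name -> link count."""
    with tempfile.TemporaryDirectory() as gridmapdir:
        for uid in accounts:                       # the empty per-account files
            open(os.path.join(gridmapdir, uid), "w").close()
        repair_gridmapdir(gridmapdir, parse_poolmap(backup_text))
        return {name: os.stat(os.path.join(gridmapdir, name)).st_nlink
                for name in sorted(os.listdir(gridmapdir))}


if __name__ == "__main__":
    for name, nlink in demo().items():
        print(nlink, name)
```

After a real run, a file with link count 2 is a leased account and the escaped DN beside it is the lease; accounts with link count 1 are free, which is exactly what the nightly backup records as a uid without a DN.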
== Migrating the poolaccounts in the LDAP directory ==
When the poolaccounts are migrated to a new system (schuur.nikhef.nl), the
LDAP directory needs to be updated to reflect the new location. To this end,
a new script is now available on <tt>hooimijt:/export/perm/adm/bin</tt>:
./migrate_poolacc_dir_ldap [--uid=''uidpattern'']
which generates LDIF output with the directory updates. You can apply the LDIF
modification with the command
ldapmodify -x -W -D "cn=''Your Name'',ou=Managers,dc=farmnet,dc=nikhef,dc=nl" -H ldap://trog.nikhef.nl/ -f ''ldif_file''
Note that this is a simple bind (<tt>-x -W</tt>) over plain <tt>ldap://</tt>, so the manager password crosses the network in clear unless TLS is negotiated: add <tt>-ZZ</tt> to require StartTLS, or use an <tt>ldaps://</tt> URI (port 636, as ndpfpooladd does).
The default is to expect the poolaccount home to be on
It will look for appropriately named poolaccounts under <tt>ou=pool,ou=auto.home,ou=automount,dc=farmnet,dc=nikhef,dc=nl</tt>
''PS: the gen_poolacc_dir script has also been changed to use the new poolaccount home directory format. The output of this gen_poolacc_dir script is a shell script to be executed on the physical filesystem-hosting node.''

Latest revision as of 14:54, 4 December 2017