
Changes between Version 8 and Version 9 of dSite/e0LDAP


Timestamp: Oct 2, 2014, 10:42:10 AM
Author: seskar

Unchanged:
}}}
 1. Point the Firefox web browser to http://<console-ip-address>/phpldapadmin. Set the password for the group admin user (add attribute -> Password -> set password -> update object)

Removed in v9:
 1. Import initial content (the first group and account that will be used as administrators for the Control Panel service). This is a brief explanation of the entries in the ldif file; please change the file as per your organizational needs.
 Each organizational unit (OU) has a PI who is the admin for the OU and a group which holds all the accounts for the OU, which is why your first organization and first account have to conform to that structure.

 An OU admin can only manage accounts for that organization.

 Any person that is a member of the sysadmin group in LDAP and of the admin group in ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.
{{{
   ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif
}}}
 8. Make sure you can access the service with admin credentials:

Added in v9:
 1. Make sure you can access the service with admin credentials:

Unchanged:
{{{
   ldapsearch -x -b "dc=geni,dc=net" "objectClass=organizationalRole"
}}}

Added in v9:
=== Import initial LDAP content ===
Import the initial content, consisting of the first group and account that will be used as administrators for the range of services. The deployment assumes the following delegated account-management structure: users are organized into groups based on their organization or project (in LDAP terms, organizational units (OUs)). Each group can have a number of administrators (users with group management capabilities) but must have one person who is the main administrator for the OU (the principal investigator, PI). While most account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. That can be done through ''phpldapadmin'' or through an LDIF configuration file and command line tools. LDIF config for the initial import:
{{{
dn: ou=GENI,dc=geni,dc=net
objectClass: organizationalUnit
objectClass: top
structuralObjectClass: organizationalUnit
ou: GENI
description: GENI
businessCategory: Academic

dn: cn=GENI,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
objectClass: shadowAccount
objectClass: organizationalPerson
structuralObjectClass: inetOrgPerson
uid: globaladmin
sn: admin
givenName: global
cn: global admin
uidNumber: 1000
gidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/globaladmin
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: ivan@example.org
userPassword: password
o: GENI
host: null.orbit-lab.org

dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI-admin
memberUid: globaladmin
gidNumber: 1002

dn: cn=admin,ou=GENI,dc=geni,dc=net
objectClass: organizationalRole
objectClass: top
cn: admin
structuralObjectClass: organizationalRole
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net
}}}
Typically one needs to replace:
 1. Every occurrence of the DN base in the file (i.e. do a global replace of '''dc=geni,dc=net''' with the corresponding DN, e.g. '''dc=rutgers,dc=edu''')
 1. The initial group/organization name (i.e. do a global replace of '''GENI''' with the group name, e.g. '''Rutgers''')
 1. The administrator account's personal entries under '''sn:''', '''givenName:''', '''mail:''' and '''userPassword:'''
 1. (optional) The initial administrator account user id (i.e. replace every occurrence of '''globaladmin''' with, say, '''ruadmin''')

Also, any person that is a member of the sysadmin group in LDAP and of the admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts.

In order to create the initial LDAP structure:
 * Grab the initial configuration file that is attached to this page:
{{{
  wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif
}}}
 * Modify it with your favorite editor
 * Import it into LDAP:
{{{
   ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif
}}}

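As an added example (not from this wiki page or from the OMF/ORBIT tooling it describes), the following Python script does the "modify it with your favorite editor" step programmatically: it applies the substitutions listed above to the page's LDIF and then checks the delegated-admin structure described in the import section (an OU, a posixGroup holding its accounts, a cn=admin organizationalRole whose roleOccupant is an account inside that OU) before anything is handed to ldapadd. Standard library only. The replacement values in the usage block are constructed samples, the embedded LDIF is the page's file abridged to the attributes the checks read, and writing userPassword as an {SSHA} hash is this example's own choice (the page's file carries it in the clear).

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict

# The page's GENIinit.ldif, abridged to the attributes the checks below read
# (shadow*, host, loginShell, structuralObjectClass and the GENI-admin group are omitted).
PAGE_LDIF = """\
dn: ou=GENI,dc=geni,dc=net
objectClass: organizationalUnit
ou: GENI

dn: cn=GENI,ou=GENI,dc=geni,dc=net
objectClass: posixGroup
cn: GENI
memberUid: globaladmin
gidNumber: 1001

dn: uid=globaladmin,ou=GENI,dc=geni,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
uid: globaladmin
sn: admin
givenName: global
gidNumber: 1001
mail: ivan@example.org
userPassword: password

dn: cn=admin,ou=GENI,dc=geni,dc=net
objectClass: organizationalRole
cn: admin
roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net
"""

def parse_ldif(text):
    """Plain LDIF (no base64 values, no folding) -> [(dn, {attr: [values]})]."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line.strip():                       # a blank line ends an entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            if key == "dn":
                dn = value.strip()
            else:
                attrs[key].append(value.strip())
    return entries

def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(password, stored):
    """Recompute with the salt that follows the 20-byte digest and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    salt = base64.b64decode(stored[6:])[20:]
    return hmac.compare_digest(ssha_hash(password, salt), stored)

def personalize(ldif, base_dn, group, admin_uid, sn, given_name, mail, password):
    """The page's substitutions (base DN, group name, admin uid, and the admin
    account's sn/givenName/mail/userPassword); the password is written as an
    {SSHA} hash instead of in the clear, which is this example's addition."""
    text = (ldif.replace("dc=geni,dc=net", base_dn)
                .replace("GENI", group).replace("globaladmin", admin_uid))
    new = {"sn": sn, "givenName": given_name, "mail": mail,
           "userPassword": ssha_hash(password)}
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition(":")
        out.append(f"{key}: {new[key]}" if sep and key in new else line)
    return "\n".join(out) + "\n"

def check_structure(entries):
    """Problems found against the structure the page describes; [] means every
    OU has its PI role, memberships resolve and no password is cleartext."""
    problems, by_dn = [], dict(entries)
    uids = {a["uid"][0] for _, a in entries if "posixAccount" in a.get("objectClass", [])}
    gids = {a["gidNumber"][0] for _, a in entries if "posixGroup" in a.get("objectClass", [])}
    for dn, a in entries:
        oc = a.get("objectClass", [])
        if "organizationalUnit" in oc:           # each OU needs a cn=admin role (the PI)
            role = by_dn.get(f"cn=admin,{dn}", {})
            occupants = role.get("roleOccupant", [])
            if "organizationalRole" not in role.get("objectClass", []) or not occupants:
                problems.append(f"{dn}: no cn=admin organizationalRole with a roleOccupant")
            problems += [f"{dn}: roleOccupant {o} is not an entry in this OU"
                         for o in occupants if o not in by_dn or not o.endswith("," + dn)]
        if "posixGroup" in oc:                   # every memberUid must be a real account
            problems += [f"{dn}: memberUid {u} has no posixAccount"
                         for u in a.get("memberUid", []) if u not in uids]
        if "posixAccount" in oc:
            if a["gidNumber"][0] not in gids:
                problems.append(f"{dn}: gidNumber {a['gidNumber'][0]} matches no posixGroup")
            if any(not p.startswith("{") for p in a.get("userPassword", [])):
                problems.append(f"{dn}: userPassword is stored in the clear")
    return problems

if __name__ == "__main__":   # constructed sample values; choose your own
    new = personalize(PAGE_LDIF, "dc=rutgers,dc=edu", "Rutgers", "ruadmin",
                      "Smith", "Jane", "jane.smith@example.org", "correct horse")
    print(check_structure(parse_ldif(PAGE_LDIF)), check_structure(parse_ldif(new)), new)
```

To run it against the full GENIinit.ldif, read the file in place of PAGE_LDIF; the parser skips comments but does not handle base64 (`::`) values or folded continuation lines, which the page's file does not use. On the unmodified page LDIF the only finding is the cleartext userPassword; after personalize() the checks come back empty and verify_ssha() confirms the hash. Note that the `-D` bind DN in the ldapadd command above must be the admin DN configured for your directory's suffix, not the page's cn=admin,dc=geni,dc=net, once the base DN has been replaced.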