57 | | 1. Import initial content (first group and account that will be used as administrators for the Control Panel service): This is a brief reasoning behind the entries in the ldif file. Please change the file as per your organizational needs. |
58 | | Each organizational unit(ou) has a PI who is the admin for the OU and a group which has all the accounts for the OU. So that is why your first organization and first acount have to conform to such a structure. |
59 | | |
60 | | OU admin can only manage accounts for that organization. |
61 | | |
62 | | Any person that is a member of sysadmin group in LDAP and admin group in ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts |
63 | | {{{ |
64 | | ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif |
65 | | }}} |
66 | | 8. Make sure you can access the service with admin credentials: |
| 57 | 1. Make sure you can access the service with admin credentials: |
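Review bot: the renumbered step at new line 57 ("Make sure you can access the service with admin credentials") gives the reader nothing to run, because the rationale and the `ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f init.ldif` call that used to follow at old lines 57-65 were moved into the new section at 66-139. A bind test such as `ldapwhoami -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W` (a suggestion, not something on the page) would make the step actionable and surface a wrong admin password before the import in the next section, rather than in the middle of it.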
| 66 | === Import initial LDAP content === |
| 67 | Import initial content consisting of first group and account that will be used as administrators for the range of services. The deployment assumes the following delegated accounting structure: users are organized into groups based on their organization or project (or in LDAP terms organizational units (OUs)). Each group can have number of administrators (or users with group management capabilities) but has to have one person who is the main administrator for the OU (the principal investigator - PI). While most of the account management is performed through Control Panel functions, the initial site administrator and the first OU need to be added to LDAP manually. That could be done through ''phpldapadmin'' or through LDIF configuration file and command line tools. LDIF config for initial import: |
| 68 | {{{ |
| 69 | dn: ou=GENI,dc=geni,dc=net |
| 70 | objectClass: organizationalUnit |
| 71 | objectClass: top |
| 72 | structuralObjectClass: organizationalUnit |
| 73 | ou: GENI |
| 74 | description: GENI |
| 75 | businessCategory: Academic |
| 76 | |
| 77 | dn: cn=GENI,ou=GENI,dc=geni,dc=net |
| 78 | objectClass: posixGroup |
| 79 | cn: GENI |
| 80 | memberUid: globaladmin |
| 81 | gidNumber: 1001 |
| 82 | |
| 83 | dn: uid=globaladmin,ou=GENI,dc=geni,dc=net |
| 84 | objectClass: inetOrgPerson |
| 85 | objectClass: posixAccount |
| 86 | objectClass: hostObject |
| 87 | objectClass: shadowAccount |
| 88 | objectClass: organizationalPerson |
| 89 | structuralObjectClass: inetOrgPerson |
| 90 | uid: globaladmin |
| 91 | sn: admin |
| 92 | givenName: global |
| 93 | cn: global admin |
| 94 | uidNumber: 1000 |
| 95 | gidNumber: 1001 |
| 96 | loginShell: /bin/bash |
| 97 | homeDirectory: /home/globaladmin |
| 98 | shadowExpire: -1 |
| 99 | shadowFlag: 0 |
| 100 | shadowWarning: 7 |
| 101 | shadowMin: 8 |
| 102 | shadowMax: 999999 |
| 103 | shadowLastChange: 10877 |
| 104 | mail: ivan@example.org |
| 105 | userPassword: password |
| 106 | o: GENI |
| 107 | host: null.orbit-lab.org |
| 108 | |
| 109 | dn: cn=GENI-admin,ou=GENI,dc=geni,dc=net |
| 110 | objectClass: posixGroup |
| 111 | cn: GENI-admin |
| 112 | memberUid: globaladmin |
| 113 | gidNumber: 1002 |
| 114 | |
| 115 | dn: cn=admin,ou=GENI,dc=geni,dc=net |
| 116 | objectClass: organizationalRole |
| 117 | objectClass: top |
| 118 | cn: admin |
| 119 | structuralObjectClass: organizationalRole |
| 120 | roleOccupant: uid=globaladmin,ou=GENI,dc=geni,dc=net |
| 121 | }}} |
| 122 | Typically one needs to replace: |
| 123 | 1. Every occurrence of DN base in the file (i.e. do a global replace of '''dc=geni,dc=net''' with corresponding DN e.g. '''dc=rutgers,dc=edu''') |
| 124 | 1. Initial group/organization name (i.e. do a global replace of '''GENI'' with the group name e.g. '''Rutgers''') |
| 125 | 1. Personalize administrator account entries under ''''sn:''','''givenName:''','''mail:''' and '''userPassword:''' |
| 126 | 1. (optional) Initial administrator account user id (i.e. replace every occurrence of '''globaladmin''' with say '''ruadmin''') |
| 127 | |
| 128 | Also, any person that is a member of sysadmin group in LDAP and admin group in /etc/omf-aggmgr-5.4/ogs-aggmgr.yaml will be able to use Control Panel to manage ALL accounts. |
| 129 | |
| 130 | In order to create initial LDAP structure: |
| 131 | * Grab the initial configuration file that is attached to this page: |
| 132 | {{{ |
| 133 | wget http://wimax.orbit-lab.org/raw-attachment/wiki/WiMAX/dSite/e0LDAP/GENIinit.ldif |
| 134 | }}} |
| 135 | * Modify it with your favorite editor |
| 136 | * Import it into LDAP: |
| 137 | {{{ |
| 138 | ldapadd -vvv -x -D cn=admin,dc=geni,dc=net -H ldap:/// -W -f GENIinit.ldif |
| 139 | }}} |
| 140 | |
| 141 | |
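Review bot: the LDIF at lines 104-105 ships the initial site administrator with a cleartext `userPassword: password`, and the customization list at 125 only tells the reader to personalize that value, not to hash it, so a reader who follows the text literally stores a cleartext credential for the one account that can manage every other account. Suggest instructing the reader to generate a hash (for OpenLDAP, `slappasswd -h '{SSHA}'`) and paste the resulting `{SSHA}...` value, and to delete or chmod 600 the edited LDIF after the import, since it then holds the global admin credential. Further points in the same hunk: (1) `structuralObjectClass:` at 72, 89 and 119 is an operational attribute that slapd computes itself and flags as not user-modifiable; `ldapadd` of this file as written stops with a constraint violation, so those three lines should be removed (they read like phpldapadmin export residue). (2) Line 128 grants Control Panel rights over all accounts to members of the LDAP group `sysadmin`, but the LDIF creates `cn=GENI-admin` and the `cn=admin` role and never a `sysadmin` group, so the text and the import disagree about where global privilege lives; one of them needs to change. (3) `objectClass: hostObject` at 86 and `host:` at 107 depend on a schema that is not among OpenLDAP's stock core, cosine, inetorgperson and nis schemas; the import fails on an unknown objectClass unless that schema is loaded first, and the page should name it and say where it is installed. (4) `shadowLastChange: 10877` is a fixed day count (October 1999) that every deployment would copy; harmless with `shadowMax: 999999`, but better replaced with the current value or dropped. (5) Markup at 124-125: `'''GENI''` and `''''sn:'''` have unbalanced bold quotes and render wrong. (6) Line 133 fetches the LDIF over plain http with no checksum and line 138 feeds it straight to `ldapadd` under the admin bind; linking it over https, or telling the reader to diff it against the inline copy at 69-120, avoids importing a tampered file with directory admin rights.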