LDAP @ CITHEP systems

This is a short tutorial on how to do some common operations using PHPLDAPAdmin. It assumes you already know a bit about LDAP and focuses on the specifics needed to get the job done.

Connecting to PLA

The URL is http://cms-ldap2.caltech.edu/phpldapadmin/ (reachable only if your machine is in the ACL).

  • Use the known ADMIN full DN as the login.
  • Use the usual bind password.

Managing users

Our schema was mostly standard, so I didn't have to do anything for the system to recognize all the users and groups already in place. Beautiful. What got tricky was inserting new users, as the default template was missing some objectClasses we need and also defaulted some fields to values we don't want.

I had to create a new account template adapted to our needs. Almost everything is already in place. It could be better, but it is already MUCH better than the hassle we had crafting LDIFs by hand. Here are the steps:

  • Under ou=cms,ou=hep,dc=caltech,dc=edu (134), click on "add new entry here".
  • Choose "Caltech: User Account".
  • Most of the fields are pretty obvious, especially if you did the LDIF by hand before. The tricks are:
    • Password: the scheme we use is MD5; you have to select it by hand in the dropdown, otherwise authentication won't work.
    • Home directory: even though I set the template to autocomplete it with /home/uid, it puts the string /home/users instead. Correct it by hand.
    • Login shell: Bash. Although it's written this way, the template pointed to "sh"; I had to fix it by hand. Now it's fine.
That should be all for adding a user.
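As an added example that is not part of the original page, the following Python check applies the three hand fixes above (home directory, login shell, {MD5} password scheme) to an LDIF entry before it is committed. The required objectClass set and the sample entry are assumptions; the page does not list which objectClasses the template was missing.

```python
import base64
import hashlib
# Conventions from the tutorial: home is /home/<uid>, login shell is bash, and
# userPassword must use the {MD5} scheme or authentication fails. The required
# objectClasses are an assumption; the page does not list them.
REQUIRED_CLASSES = {"inetOrgPerson", "posixAccount", "shadowAccount"}
EXPECTED_SHELL = "/bin/bash"

# Constructed sample showing the template defaults the tutorial says to fix by hand.
BAD_ENTRY = """
dn: uid=jdoe,ou=cms,ou=hep,dc=caltech,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/users
loginShell: /bin/sh
userPassword: secret
"""

def ldap_md5(password: str) -> str:
    """{MD5} userPassword value: base64 of the raw, unsalted MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def parse_ldif(text: str) -> dict:
    """Minimal single-entry LDIF parser (no line folding, no '::' base64 values)."""
    entry = {}
    for line in text.strip().splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
    return entry

def check_user_entry(text: str) -> list:
    """Return the problems found; an empty list means the entry follows the conventions."""
    e, problems = parse_ldif(text), []
    uid = e.get("uid", [""])[0]
    missing = REQUIRED_CLASSES - set(e.get("objectClass", []))
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    if e.get("homeDirectory", [""])[0] != f"/home/{uid}":
        problems.append(f"homeDirectory should be /home/{uid}")
    if e.get("loginShell", [""])[0] != EXPECTED_SHELL:
        problems.append(f"loginShell should be {EXPECTED_SHELL}")
    if not e.get("userPassword", [""])[0].startswith("{MD5}"):
        problems.append("userPassword is not in the {MD5} scheme (authentication will fail)")
    return problems
```

Running check_user_entry(BAD_ENTRY) lists all three template defaults plus the missing objectClass; the {MD5} scheme is an unsalted hash, so identical passwords produce identical userPassword values.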

Adding users to groups

There's also a section "ou=groups (48)" that is pretty obvious. Just click on the group you want to add the user to, have the uid in hand, and add an entry at the end similar to the ones above (the same thing as with the LDIFs).

The advantage is that it will show you the diff before committing.

For the basic operations we need now, that's all you need to know.

Future possibilities

  • We can eventually give users access so they can update their own settings, such as SSH public keys, by hand. Users can also log in with their DN/password. But for security and priority reasons, this is left for the future.
  • We need to set up SSL for the server, so we don't have passwords flying around over plain HTTP.

-- Main.samir - 2014-04-24

Topic revision: r1 - 2014-04-24 - samir