Difference between revisions of "Add a new user or group"
Revision as of 23:29, 22 November 2010
There are several ways to manipulate user accounts in our LDAP database. For more detailed information see the LDAP page.
GUI Applications
There are a couple of graphical applications for managing LDAP databases.
- Luma is a QT-based LDAP management application for Linux written in python. It should be available on all NPG workstations. Instructions for user management with Luma are here.
- Jxplorer is a java based graphical application for browsing and managing LDAP databases.
Adding users from the console
The utilities /usr/sbin/luseradd, /usr/sbin/luserdel, and /usr/sbin/lusermod are meant to let administrators add, delete, and modify users from the command line, but they do not work in our LDAP environment. The alternative is to add or modify LDAP entries directly with the ldapadd and ldapmodify commands, which is a bit more involved. Here's a quick overview:
To add or modify entries this way you first need an LDIF file. You can export an existing entry from the directory with the Luma browser plugin or with the ldapsearch command. This exports an existing entry to an LDIF file:
ldapsearch -x -L 'uid=user' > user.ldif
Treat the exported entry as a template, not as something to add as-is: the -L output starts with a "version: 1" line and some "#" comment lines (ldapadd accepts both), but you must change the dn, uid, uidNumber, cn, sn, gecos, homeDirectory and mail to the new user's values, and pick a uidNumber that is not already in use (compare against "getent passwd").
Here is a sample LDIF file for a user account:
dn: uid=fry,ou=People,dc=physics,dc=unh,dc=edu
uid: fry
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
uidNumber: 6000
gidNumber: 6000
gecos: Philip J. Fry
sn: fry
homeDirectory: /net/home/fry
mail: PhilipJFry@planetexpress.com
cn: Philip J. Fry
The gidNumber must refer to a group that already exists (see Adding Groups below), and the sample sets no userPassword, so the new account cannot authenticate until you set a password for it, for example with ldappasswd.
Use the following command to add the contents of the LDIF file to the LDAP database. If you're logged into Einstein as root run this command:
ldapadd -x -W -D "cn=root,dc=physics,dc=unh,dc=edu" -v -f user.ldif
-W prompts for the cn=root password, and -x is a simple bind: the password goes over the wire in the clear unless the connection is to the local server or protected with TLS (-ZZ, or an ldaps:// URI given with -H), so run this on Einstein itself as the page assumes.
NOTE: If you're running the command via sudo you need to explicitly set the home environment to root, because ldapadd reads $HOME/.ldaprc and sudo may leave HOME pointing at your own home directory. This should do the trick:
env HOME=/root ldapadd -x -W -D "cn=root,dc=physics,dc=unh,dc=edu" -v -f user.ldif
Adding Groups
Luma does not provide a convenient way to create new LDAP groups. An add group option exists but it won't allow you to set a gid number above 99. If you want your new user to have a private group as their primary group (or any group that doesn't already exist) you need to create it before creating the user account. The easiest way to add a new group is using the ldapadd command with an LDIF file, the "hard" way described above.
Here's a sample LDIF file that should get you a basic group:
dn: cn=newgroup,ou=Group,dc=physics,dc=unh,dc=edu
cn: newgroup
gidNumber: 6000
objectClass: posixGroup
Just change the name "newgroup" to your new group's name, and set the gidNumber to something reasonable, such as one above the highest gid currently in use. To find the highest gid in use, log in to Einstein and run this command (the highest values come out last):
getent group | awk -F':' '{print $3}' | sort -n
Ignore the very highest gid (something like 4294967294); that is the system group used by NFS for unmapped users. Go with the one right before that. Note that uidNumbers and gidNumbers are separate namespaces: a gid being free says nothing about the same number being free as a uid, so check "getent passwd" the same way before reusing the number for the user's uidNumber.
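The whole procedure from this page (find the next free gid and uid, write the group LDIF, write the user LDIF, check that neither entry already exists, then ldapadd the group before the user) as one script. This is an added example and not code from the wiki; the base DN, the cn=root bind DN, the ou=People/ou=Group layout and the /net/home path are taken from the page, while the function names, the 65534 ceiling used to skip nobody/nfsnobody-style ids, and the output file names are this example's own assumptions. It also assumes, like the page's ldapsearch, that anonymous searches are permitted.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# Creates a private group and a user entry in the NPG LDAP tree
# (dc=physics,dc=unh,dc=edu, from the page). Run as root on Einstein.
set -eu

BASE_DN="dc=physics,dc=unh,dc=edu"
BIND_DN="cn=root,$BASE_DN"

# Read passwd/group-format lines on stdin and print the highest numeric id in
# field 3, skipping ids >= 65534 (nobody, nfsnobody, and the 4294967294 NFS
# group the page says to ignore). The ceiling is this example's assumption.
highest_id() {
    awk -F':' 'BEGIN { max = 0 }
               $3 ~ /^[0-9]+$/ && $3 < 65534 && $3 > max { max = $3 }
               END { print max + 0 }'
}

# Same input, but prints the next free id (highest + 1).
next_free_id() { highest_id | awk '{ print $1 + 1 }'; }

# uidNumber and gidNumber are separate namespaces, so query each one.
next_uid() { getent passwd | next_free_id; }
next_gid() { getent group  | next_free_id; }

# posixGroup entry, same shape as the page's sample group LDIF.
group_ldif() { # name gid
    printf 'dn: cn=%s,ou=Group,%s\n' "$1" "$BASE_DN"
    printf 'cn: %s\ngidNumber: %s\nobjectClass: posixGroup\n' "$1" "$2"
}

# posixAccount/inetOrgPerson entry, same shape as the page's sample user LDIF.
# Values must be plain ASCII; anything else has to be base64-encoded ("attr:: ...").
user_ldif() { # login uid gid "Full Name" surname mail
    printf 'dn: uid=%s,ou=People,%s\nuid: %s\n' "$1" "$BASE_DN" "$1"
    printf 'objectClass: top\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'objectClass: inetOrgPerson\nobjectClass: organizationalPerson\nobjectClass: person\n'
    printf 'loginShell: /bin/bash\nuidNumber: %s\ngidNumber: %s\n' "$2" "$3"
    printf 'gecos: %s\ncn: %s\nsn: %s\n' "$4" "$4" "$5"
    printf 'homeDirectory: /net/home/%s\nmail: %s\n' "$1" "$6"
}

# Succeeds when the DN exists; ldapsearch exits non-zero (32, No such object) otherwise.
entry_exists() { ldapsearch -x -LLL -s base -b "$1" dn >/dev/null 2>&1; }

main() { # usage: add_user.sh LOGIN "Full Name" SURNAME MAIL
    login=$1 full=$2 sn=$3 mail=$4
    if entry_exists "uid=$login,ou=People,$BASE_DN"; then
        echo "user $login already exists" >&2; exit 1
    fi
    if entry_exists "cn=$login,ou=Group,$BASE_DN"; then
        echo "group $login already exists" >&2; exit 1
    fi
    uid=$(next_uid); gid=$(next_gid)
    group_ldif "$login" "$gid" > "$login-group.ldif"
    user_ldif "$login" "$uid" "$gid" "$full" "$sn" "$mail" > "$login-user.ldif"
    # Group first so the user's primary gidNumber resolves. -W prompts for the
    # rootdn password (twice, once per ldapadd); HOME=/root keeps ldapadd from
    # reading the sudo caller's ~/.ldaprc, as the page notes.
    env HOME=/root ldapadd -x -W -D "$BIND_DN" -v -f "$login-group.ldif"
    env HOME=/root ldapadd -x -W -D "$BIND_DN" -v -f "$login-user.ldif"
    echo "added uid=$login (uidNumber $uid, gidNumber $gid); now set a password with ldappasswd"
}

# Only act when called with arguments, so the functions can be sourced and reused.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The new account still has no userPassword after this runs, so finish with ldappasswd (or whichever method your site uses) before telling the user the account is ready.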