Difference between revisions of "Add a new user or group"
Latest revision as of 13:41, 24 September 2014
There are two separate NPG user databases to which you may wish to add a user. Unix accounts for the servers and Linux workstations are provided by LDAP on Einstein. User accounts for Mac workstations were formerly maintained by the Open Directory (Mac LDAP) service on okra, which is now obsolete (see Creating Mac Accounts below).
When creating a new account you first need to decide whether it will be Linux only or whether the user also needs to use the Mac workstations. If you're making a Mac account, make sure to create a matching Linux/Unix account with the same username and uid to give the user access to the servers and e-mail.
Creating Linux Accounts
There are several ways to add a new user to an OpenLDAP database; both GUI and console based methods are detailed below. When creating a new Linux account, make sure that the user's home folder and mail folder are stored on Gourd in /home and /mail respectively. You need to create these folders manually and assign the correct permissions before the user will be able to access their account.
GUI Applications
There are a couple of graphical applications for managing LDAP databases.
- Luma is a Qt-based LDAP management application for Linux written in Python. It should be available on all NPG workstations. Instructions for user management with Luma are here.
- Jxplorer is a Java-based graphical application for browsing and managing LDAP databases.
- lbe is a user-friendly interface to LDAP directories with browsing and editing capabilities.
Adding users from the console
It appears that the utilities /usr/sbin/luseradd, /usr/sbin/luserdel, and /usr/sbin/lusermod are intended to allow administrators to add, delete, and modify users from the command line. Unfortunately they don't seem to work in our LDAP environment. There is an alternative method to add or modify LDAP entries using the ldapadd and ldapmodify commands, but it's a bit more complex. Here's a quick overview:
In order to add or modify entries this way you'll first need an LDIF file. You can export an existing entry from the LDAP directory using the Luma browser plugin, or via the ldapsearch command. Here's the command you need to export an existing entry to an LDIF file:
ldapsearch -x -L 'uid=user' > user.ldif
Here is a sample LDIF file for a user account:
dn: uid=fry,ou=People,dc=physics,dc=unh,dc=edu
uid: fry
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
uidNumber: 6000
gidNumber: 6000
gecos: Phillip J. Fry
sn: fry
homeDirectory: /net/home/fry
mail: PhillipJFry@planetexpress.com
cn: Philip J. Fry
You can use the following command to add the contents of this LDIF file to the LDAP database. If you're logged into Einstein as root, run this command:
ldapadd -x -W -D "cn=root,dc=physics,dc=unh,dc=edu" -v -f user.ldif
NOTE: If you're running the command via sudo you need to explicitly set the HOME environment variable to root's home directory. This should do the trick:
env HOME=/root ldapadd -x -W -D "cn=root,dc=physics,dc=unh,dc=edu" -v -f user.ldif
Adding Groups
Luma does not provide a convenient way to create new LDAP groups. An add group option exists, but it won't allow you to set a gid number above 99. If you want your new user to have a private group as their primary group (or any group that doesn't already exist), you need to create it before creating the user account. You can add a new group from the command line using the ldapadd command with an LDIF file, as detailed on the LDAP page in the section on the "hard" way.
Here's a sample LDIF file that should get you a basic group:
dn: cn=newgroup,ou=Group,dc=physics,dc=unh,dc=edu
cn: newgroup
gidNumber: 6000
objectClass: posixGroup
Just change the name "newgroup" to your new group's name, and set the gidNumber to something reasonable, such as one above the highest gid number currently in use. Ignore the very highest gid number in the list: that is a system group used by Red Hat for NFS. Go with the one right before it, or, if there is a gap in the GID numbers (for example the list skips from 4039 to 4050), use one of the numbers in that gap. To quickly find the highest gid numbers currently in use, log in to Einstein and execute this command:
getent group | awk -F':' '{print $3}' | sort -nr | head -n 20
Once you've edited the LDIF file you can use the ldapadd command above to add the group to the LDAP database.
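As an added example (not part of this wiki page), the shell below applies the gid-selection rule from the Adding Groups section to a sample group list and then emits the group entry followed by the matching user entry from the Adding users section, so the private group is created before the account that references it. The group list, the account details for "fry" and the function names are constructed for the example; only the dc=physics,dc=unh,dc=edu base and the attribute layout come from the page.

```shell
# Added example, not from the NPG wiki: pick a gidNumber by the page's rule (drop the
# single highest gid, the Red Hat NFS system group; then take the next one up or fill a
# gap) and emit group + user LDIF sharing one uidNumber/gidNumber. SAMPLE_GROUPS is a
# constructed stand-in for `getent group` output on Einstein.
SAMPLE_GROUPS='root:x:0:
npg:x:4038:
fry:x:4039:
leela:x:4050:
nfsnobody:x:65534:'

# next_free_gid GROUPS [MIN]: lowest gid >= MIN not used in GROUPS, after ignoring the
# highest gid; without MIN, start one above the highest remaining gid.
next_free_gid() {
  printf '%s\n' "$1" | awk -F':' -v min="$2" '
    { gid[NR] = $3; if ($3 > max) max = $3 }
    END {
      for (i = 1; i <= NR; i++)
        if (gid[i] != max) { used[gid[i]] = 1; if (gid[i] > top) top = gid[i] }
      if (min == "") min = top + 1
      for (g = min; g in used; g++) {}
      print g
    }'
}

# make_ldif USER ID "Full Name" MAIL: group entry first, then the user entry, so one
# ldapadd -f run creates the private group before the account whose gidNumber needs it.
make_ldif() {
  cat <<EOF
dn: cn=$1,ou=Group,dc=physics,dc=unh,dc=edu
cn: $1
gidNumber: $2
objectClass: posixGroup

dn: uid=$1,ou=People,dc=physics,dc=unh,dc=edu
uid: $1
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
uidNumber: $2
gidNumber: $2
gecos: $3
sn: $1
homeDirectory: /net/home/$1
mail: $4
cn: $3
EOF
}
```

Save the output to a file and pass it to the ldapadd command above; ldapadd processes the entries in order, so the group exists before the user that references it.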
Creating Mac Accounts (obsolete okra procedure)
OKRA IS NOW OBSOLETE (http://nuclear.unh.edu/wiki/index.php?title=Okra#OKRA_IS_NOW_OBSOLETE). The okra-based procedure in this section is struck through in the current revision; the current method is described under Creating Mac Accounts below.
The Workgroup Manager application on okra is used to add new user accounts on the Mac systems.
When you launch Workgroup Manager it will ask you for a user and password. The user is admin and the pass is okra's root password.
You then need to click on the little lock button in the upper right hand corner of the screen before you can edit anything. The username for this prompt is diradmin, and the password is still okra's root password.
Lastly go to the 'Home' tab in the Workgroup Manager and add a home directory on okra.
Over VNC
If you are on another computer and do not wish to go into the server room to use okra, you can VNC to okra in order to add user accounts.
First, forward port 5900 to the localhost. If the computer you are on is already using port 5900 (one of the Macs with VNC on it), use another port, such as 5908:
ssh -L 5908:localhost:5900 username@okra
Creating Mac Accounts
Each Mac is now treated as an individual machine with no direct connection to a central server. For new Mac clients, first set them up with an Administrator account with the normal password. User accounts should be added as "Standard" accounts, and if desired a secondary "AdminInstall" account can be set up with limited admin permissions so that users can install the software they need on their own.
