Luma
Luma is a Python and Qt based graphical utility for managing data stored in LDAP servers. It can be used to edit the LDAP database on Einstein, including adding or deleting user accounts and groups. Luma has a modular structure and consists of several plugins that each provide a different way of working with LDAP. The two plugins we are primarily concerned with are Browser and User management.
Configuring Luma to work with Einstein
The following settings will enable you to access LDAP on Einstein with administrator privileges. I shouldn't have to tell you that this means you need to be EXTREMELY CAREFUL when accessing LDAP with these settings.
- Start Luma and choose Settings -> Edit Server List... (or press Ctrl+E). This should open the Server settings dialogue.
- Click Add... and then enter a name for your connection into the prompt (I just use einstein.unh.edu). The new server should appear in the Server list after you click OK.
- Click the server you just created to expand its options, and then select Network options.
- Enter the following network settings (use the encrypted LDAP port for greater security):
  - Hostname: einstein.unh.edu
  - Port: 636
  - Encryption: SSL (Secure Socket Layer)

- Select Authentication. Uncheck Anonymous bind and enter these authentication settings:
  - Mechanism: Simple
  - Bind as: cn=root,dc=physics,dc=unh,dc=edu
  - DO NOT enter a password here. Luma will store the password in plaintext in your home folder. Just leave it blank so that Luma will prompt you each time you access LDAP.

- Select LDAP Options
  - Uncheck "Use Base DNs provided by the server" and then click Edit BaseDN list
  - In the Custom: box enter dc=physics,dc=unh,dc=edu and then click Add, and then click OK.

User Management with Luma
To manage user accounts in Luma, follow these instructions:
- Select the User Management plugin
- Select einstein.unh.edu from the server drop-down. At this point Luma will prompt you for your password. If you used the above setup instructions you need to use the administrator password for LDAP.
- The box in the bottom left of the window should be populated with a list of existing user accounts. From here you can edit or delete existing accounts as well as add new ones.
- Changes will NOT be saved until you click the save button at the top of the screen. Exiting Luma will abandon your unsaved changes.
Adding Users
NOTE: Luma will not create user directories for you. Before you use Luma to add a user, log in to Gourd and create a home folder and a mail folder for the new account in /home and /mail respectively. Once you've created the account in Luma, change the ownership of both folders to the new user before they try to log in.
Click the Add button in the User Management plugin to add a new user account. First you must select the location in the LDAP database to store the new account. The location for user accounts should be ou=People,dc=physics,dc=unh,dc=edu@einstein.unh.edu. You can either enter this directly or navigate to it by expanding the LDAP tree structure.
After this, click Next and you will be presented with the add new user screen. Most of this should be self-explanatory. "User ID" should be the username for the new account. "Common name" should be the person's actual name. "Valid until" must be set to some date after the current date; otherwise the account won't work. A year from the current date should be fine. "Primary Group" for npg users should be npg (gid 5012). To set the user's group memberships, click "Manage group memberships".
Remember that the user's home folder should be set to /net/home/username (make sure you created the folder beforehand).
A note about Groups
Luma does not provide a convenient way to create new LDAP groups. An add group option exists, but it won't allow you to set a gid number above 99. If you want the new user to have a private group (or any group that doesn't already exist), you need to create it before creating the user account. As odd as it sounds, the simplest way I've found to do that is the "hard" way: using the ldapadd command with an LDIF file.
Here's a sample LDIF file that should get you a basic group:
dn: cn=newgroup,ou=Group,dc=physics,dc=unh,dc=edu
cn: newgroup
gidNumber: 6000
objectClass: posixGroup
Just change the name "newgroup" to your new group's name, and set the gidNumber to something reasonable, such as one above the highest gid number currently in use. To quickly find the highest gid currently in use, log in to Einstein and execute this command:
getent group | awk -F':' '{print $3}' | sort -n
Ignore the highest gid number (something like 4294967294). This is a system group used by NFS. Go with the one right before that.
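The two steps above (finding the next free gid and writing the group LDIF) combined into one small script, as an added example that is not part of the original page or of Luma. It assumes the group data is in /etc/group format as printed by getent, skips the NFS gid the page mentions, and refuses group names that could alter the DN when fed to ldapadd.

```shell
#!/bin/sh
# Added example, not part of the original page: pick the next free gid from
# getent-style group data and print the LDIF for a new posixGroup.
# Assumptions: input is in /etc/group format (what `getent group` prints);
# the NFS "nobody" gid 4294967294 is skipped, as the page advises.

NFS_NOBODY_GID=4294967294

# next_gid: read group(5) lines on stdin and print (highest gid + 1),
# ignoring the NFS nobody gid and any malformed gid field.
next_gid() {
    awk -F':' -v skip="$NFS_NOBODY_GID" '
        BEGIN { max = -1 }
        $3 ~ /^[0-9]+$/ && $3 + 0 != skip + 0 && $3 + 0 > max { max = $3 + 0 }
        END { print max + 1 }'
}

# group_ldif NAME GID: print the LDIF entry for a new group under ou=Group.
# Only plain POSIX group names and numeric gids are accepted, so a stray
# comma, '=' or newline in the name cannot change the DN that ldapadd sees.
group_ldif() {
    name=$1
    gid=$2
    case $name in
        "" | [!a-z_]* | *[!a-z0-9_-]*)
            echo "group_ldif: invalid group name '$name'" >&2; return 1 ;;
    esac
    case $gid in
        "" | *[!0-9]*)
            echo "group_ldif: invalid gid '$gid'" >&2; return 1 ;;
    esac
    printf 'dn: cn=%s,ou=Group,dc=physics,dc=unh,dc=edu\n' "$name"
    printf 'cn: %s\ngidNumber: %s\nobjectClass: posixGroup\n' "$name" "$gid"
}

# Constructed sample in getent group format (not real Einstein data).
SAMPLE_GROUPS='root:x:0:
npg:x:5012:alice,bob
research:x:5013:
nfsnobody:x:4294967294:'

# demo: compute the next gid from the sample and emit the LDIF for
# "newgroup". On Einstein you would feed it real data: getent group | next_gid
demo() {
    gid=$(printf '%s\n' "$SAMPLE_GROUPS" | next_gid)
    group_ldif newgroup "$gid"
}
demo
```

Redirect the output to a file and pass that to ldapadd as the page describes; the gid the script picks is the highest real gid plus one, with the NFS system gid ignored.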


