Luma
Luma is a Python & QT based graphical utility for managing data stored in LDAP servers. With it you can manage the LDAP database on Einstein, including adding, editing and deleting user accounts and groups. Luma uses a modular design that consists of several plugins that each provides a different way of working with an LDAP database. The Browser and User Management plugins are the most useful, and this article will focus on their use with respect to the LDAP database on Einstein.
Configuring Luma to work with Einstein
The following settings will enable you to access LDAP on Einstein with administrator privileges. I shouldn't have to tell you that this means you need to be EXTREMELY CAREFUL when accessing LDAP with these settings.
- Start Luma and choose Settings -> Edit Server List... (or press Ctrl+E). This should open the Server settings dialog.
- Click Add... and then enter a name for your connection into the prompt (I just use einstein.unh.edu). The new server should appear in the Server list after you click OK.
- Click the server you just created to expand its options, and then select Network options.
- Enter the following network settings (use the encrypted LDAP port for greater security):
- Hostname: einstein.unh.edu
- Port: 636
- Encryption: SSL (Secure Socket Layer)
- Select Authentication. Uncheck Anonymous bind and enter these authentication settings:
- Mechanism: Simple
- Bind as: cn=root,dc=physics,dc=unh,dc=edu
- DO NOT enter a password here. Luma will store the password in plaintext in your home folder. Just leave it blank so that Luma will prompt you each time you access LDAP.
- Select LDAP Options
- Uncheck "Use Base DNs provided by the server" and then click Edit BaseDN list
- In the Custom: box enter dc=physics,dc=unh,dc=edu and then click Add, and then click OK.
User Management with Luma
Luma allows you to manage user accounts in two ways. The Browser plugin allows you to browse the LDAP tree and edit entries. The User Management plugin lets you add, edit an
In order to manage user accounts in Luma, follow these instructions:
- Select the User Management plugin
- Select einstein.unh.edu from the server drop-down. Luma will prompt you for your password. If you used the above setup instructions you will need to use the administrator password for LDAP.
- The box in the bottom left of the window should be populated with a list of existing user accounts. From here you can edit or delete existing accounts as well as add new ones.
- Changes will NOT be saved until you click the save button at the top of the screen. Exiting Luma will abandon your unsaved changes.
Adding Users
Follow these instructions to create a new LDAP user account with Luma:
Click the Add button in the User Management plugin to add a new user account. First you must select the location in the LDAP database to store the new account. The location for user accounts should be ou=People,dc=physics,dc=unh,dc=edu@einstein.unh.edu. You can either enter this directly or navigate to it by expanding the LDAP tree structure.
After this click Next and you will be presented with the add new user screen.
- "User ID" should be the username for the new account.
- "Common name" should be the person's actual name.
- "Valid until" should be set to some date after the current date otherwise the account won't work. A year from the current date should be fine.
- "Primary Group" for npg users should be npg (gid 5012). To set the user's group memberships click "Manage group memberships". If you want to assign the user to a group that does not already exist, see the section below about Adding Groups.
- Remember that the user's home folder should be set to /net/home/username (make sure you created the folder beforehand).
- Click "Change password..." to set a password for the user. Select crypt from the hash algorithm drop down so that the password isn't stored in plaintext.
- Click Add.. underneath Mail to add an e-mail address. It's a good idea to add a non-npg e-mail address so we have a secondary way to contact users if Einstein is unavailable for some reason.
Once you've filled out the form just click Finish and the new user will be saved to the LDAP database. The account should now be accessible from all NPG machines.
Important: Luma will not create the user's home or mail directories for you. After you add the user to LDAP you need to make sure to create them and assign the correct permissions to them before the user tries to log in. Home and mail folders are located on Gourd in /home and /mail. Use these commands (as root) to create the new folders and to assign the correct permissions:
mkdir /home/newuser /mail/newuser
chown newuser:npg /home/newuser
chown newuser:mail /mail/newuser
Adding Groups
Luma does not provide a convenient way to create new LDAP groups. An add group option exists, but it won't allow you to set a gid number above 99. If you want your new user to have a private group (or any group that doesn't already exist), you need to create it before creating the user account. As odd as it sounds, the simplest way I've found to do that is the "hard" way: using the ldapadd command with an LDIF file.
Here's a sample LDIF file that should get you a basic group:
dn: cn=newgroup,ou=Group,dc=physics,dc=unh,dc=edu
cn: newgroup
gidNumber: 6000
objectClass: posixGroup
Just change the name "newgroup" to your new group's name, and set the gidNumber to something reasonable, such as one above the highest gid number currently in use. To quickly find the highest gid currently in use, log in to Einstein and execute this command:
getent group | awk -F':' '{print $3}' | sort -n
Ignore the highest gid number (something like 4294967294). This is a system group used by NFS. Go with the one right before that.
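The two manual steps above (finding the next free gid from getent output while skipping the NFS system group, then writing the posixGroup LDIF) as an added Python example; this is not part of the article or of Luma, and the getent output it parses is constructed sample data.

```python
"""Derive the next free gid from `getent group` output and emit the group
LDIF used with ldapadd. Added example, not from the article; the sample
getent output below is constructed."""
import re

# The article says to ignore this gid: it is the NFS system group.
NFS_SYSTEM_GID = 4294967294
BASE_DN = "dc=physics,dc=unh,dc=edu"
# Only allow names that cannot alter the DN or break the LDIF syntax.
GROUP_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,31}$")

# Constructed stand-in for `getent group` on Einstein.
SAMPLE_GETENT = """\
root:x:0:
npg:x:5012:alice,bob
nfsnobody:x:4294967294:
staff:x:5020:alice
"""


def next_free_gid(getent_output: str, floor: int = 5000) -> int:
    """Highest gid in use plus one, never below `floor`, skipping the NFS gid."""
    gids = []
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line; skip rather than guess
        gid = int(fields[2])
        if gid != NFS_SYSTEM_GID:
            gids.append(gid)
    return max(gids + [floor - 1]) + 1


def group_ldif(name: str, gid: int) -> str:
    """Build the posixGroup LDIF the article shows, with the name validated."""
    if not GROUP_NAME_RE.match(name):
        raise ValueError(f"unsafe group name for a DN: {name!r}")
    if not 100 <= gid < NFS_SYSTEM_GID:
        raise ValueError(f"gid out of the usable range: {gid}")
    return (
        f"dn: cn={name},ou=Group,{BASE_DN}\n"
        f"cn: {name}\n"
        f"gidNumber: {gid}\n"
        "objectClass: posixGroup\n"
    )


if __name__ == "__main__":
    print(group_ldif("newgroup", next_free_gid(SAMPLE_GETENT)), end="")
```

Feed the output to `ldapadd` (for example `ldapadd -x -W -D cn=root,dc=physics,dc=unh,dc=edu -f group.ldif`) after checking the printed gidNumber against the getent listing.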