Difference between revisions of "Add a new user or group"

From Nuclear Physics Group Documentation Pages
Revision as of 15:41, 24 May 2011

There are two separate NPG user databases to which you may wish to add a user. Unix accounts for the servers and Linux workstations are provided by LDAP on Einstein. User accounts for Mac workstations are maintained by the Open Directory (Mac LDAP) service on okra.

When creating a new account you need to first decide if it will be Linux only or if the user needs to be able to use the Mac workstations. If you're making a Mac account make sure to create a matching Linux/Unix account with the same username and uid to give the user access to servers and e-mail.

Creating Linux Accounts

There are several ways to add a new user to an OpenLDAP database. There are both GUI and console based methods (which are detailed below). Note that when creating a new Linux account, each user's home folder and mail folder are stored on Gourd in /home and /mail respectively; you need to create these folders manually and assign the correct permissions before the user will be able to access their account.

GUI Applications

There are a couple of graphical applications for managing LDAP databases.

  • Luma is a Qt-based LDAP management application for Linux written in Python. It should be available on all NPG workstations. Instructions for user management with Luma are here.
  • Jxplorer is a Java-based graphical application for browsing and managing LDAP databases.

Adding users from the console

It appears that the utilities /usr/sbin/luseradd, /usr/sbin/luserdel, and /usr/sbin/lusermod are intended to allow administrators to add, delete, and modify users from the command line. Unfortunately they don't seem to work in our LDAP environment. There is an alternative method to add or modify LDAP entries using the ldapadd and ldapmodify commands, but it's a bit more complex. Here's a quick overview:

In order to add or modify entries this way you'll first need an LDIF file. You can export an existing entry in the LDAP directory using the Luma browser plugin, or via the ldapsearch command. Here's the command you need to export an existing entry to an ldif file:

ldapsearch -x -L 'uid=user' > user.ldif

Here is a sample LDIF file for a user account:

dn: uid=fry,ou=People,dc=physics,dc=unh,dc=edu
uid: fry
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
uidNumber: 6000
gidNumber: 6000
gecos: Phillip J. Fry
sn: fry
homeDirectory: /net/home/fry
mail: PhillipJFry@planetexpress.com
cn: Philip J. Fry

You can use the following command to add the contents of this ldif file to the LDAP database. If you're logged into Einstein as root run this command:

ldapadd  -x -W -D "cn=root,dc=physics,dc=unh,dc=edu" -v -f user.ldif

NOTE: If you're running the command via sudo you need to explicitly set the HOME environment variable to /root. This should do the trick:

 env HOME=/root ldapadd  -x -W -D "cn=root,dc=physics,dc=unh,dc=edu" -v -f user.ldif

Adding Groups

Luma does not provide a convenient way to create new LDAP groups. An add group option exists, but it won't allow you to set a gid number above 99. If you want your new user to have a private group as their primary group (or any group that doesn't already exist), you need to create it before creating the user account. The easiest way to add a new group is using the ldapadd command with an ldif file, the "hard" way.

Here's a sample LDIF file that should get you a basic group:

dn: cn=newgroup,ou=Group,dc=physics,dc=unh,dc=edu
cn: newgroup
gidNumber: 6000
objectClass: posixGroup

Just change the name "newgroup" to your new group's name, and set the gidNumber to something reasonable, like one above the highest currently used gid number. To quickly find out the highest gid currently in use, log in to Einstein and execute this command:

getent group | awk -F':' '{print $3}' | sort -n

Ignore the highest gid number (something like 4294967294). This is a system group used by NFS. Go with the one right before that, or if there is some gap in GID numbers (for example the list skips from 4039 to 4050), you can use one of those numbers to fill in those gaps.
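The console procedure above (pick a free gid, write the group and user ldif files, check the id is not already taken) as one added shell example; this is not code from the NPG wiki. It assumes ids below 1000 are system ids and that the `getent` output is piped in; the sample `getent group` lines are constructed, and the base DN is the one used in the page's samples.

```shell
# Added example (not from the NPG wiki): choose a free gid from `getent group`
# output and build the group and user LDIF files described above.
# Assumed: ids below MIN_GID belong to system groups; the NFS "nobody" gid
# 4294967294 (the one the page says to ignore) is skipped.
MIN_GID=1000
NFS_NOBODY=4294967294
BASE_DN="dc=physics,dc=unh,dc=edu"   # suffix from the page's LDIF samples

# Read `getent group` lines on stdin and print the lowest unused gid: the
# first gap among the ids already in use, else one above the highest in use.
next_free_gid() {
    awk -F':' -v min="$MIN_GID" -v skip="$NFS_NOBODY" '
        ($3 + 0) >= min && ($3 + 0) != skip {
            g = $3 + 0; used[g] = 1
            if (g > max) max = g; if (!lo || g < lo) lo = g
        }
        END {
            if (!max) { print min; exit }
            for (g = lo; g <= max; g++) if (!(g in used)) { print g; exit }
            print max + 1
        }'
}

# Read `getent passwd` (or group) lines on stdin; succeed if numeric id $1
# is already taken, so a uid/gid is never reused by accident.
id_in_use() {
    awk -F':' -v id="$1" '($3 + 0) == id { found = 1 } END { exit !found }'
}

# posixGroup entry like the page's sample.  $1 = group name, $2 = gid
group_ldif() {
    printf 'dn: cn=%s,ou=Group,%s\ncn: %s\ngidNumber: %s\nobjectClass: posixGroup\n' \
        "$1" "$BASE_DN" "$1" "$2"
}

# User entry like the page's sample, with uidNumber == gidNumber so the new
# private group is primary.  $1 = login, $2 = id, $3 = full name, $4 = mail
user_ldif() {
    printf 'dn: uid=%s,ou=People,%s\nuid: %s\n' "$1" "$BASE_DN" "$1"
    for oc in top posixAccount shadowAccount inetOrgPerson organizationalPerson person; do
        printf 'objectClass: %s\n' "$oc"
    done
    printf 'loginShell: /bin/bash\nuidNumber: %s\ngidNumber: %s\ngecos: %s\n' "$2" "$2" "$3"
    printf 'sn: %s\nhomeDirectory: /net/home/%s\nmail: %s\ncn: %s\n' "$1" "$1" "$4" "$3"
}

# Demo on constructed getent output; on Einstein pipe the real `getent group` in.
gid=$(printf 'root:x:0:\nnpg:x:4039:\ndetectors:x:4050:\nnobody:x:4294967294:\n' | next_free_gid)
group_ldif fry "$gid"
user_ldif fry "$gid" "Phillip J. Fry" PhillipJFry@planetexpress.com
```

Redirect each function's output to a file and load it with the `env HOME=/root ldapadd ...` command quoted above, adding the group before the user so the gidNumber already exists.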

Creating Mac Accounts

The Workgroup Manager on okra is used to add new user accounts on the Mac systems.