Luma is a Python & QT based graphical utility for managing data stored in LDAP servers. With it you can manage the LDAP database on Einstein, including adding, editing and deleting user accounts and groups. Luma uses a modular design that consists of several plugins that each provides a different way of working with an LDAP database. The Browser and User Management plugins are the most useful, and this article will focus on their use with respect to the LDAP database on Einstein.
Configuring Luma to work with Einstein
The following settings will enable you to access LDAP on Einstein with administrator privileges. I shouldn't have to tell you that you need to be EXTREMELY CAREFUL when accessing LDAP with these settings.
- Start Luma and choose Settings -> Edit Server List.. (or press Ctrl+E). This should open the Server settings dialogue.
- Click Add... and then enter a name for your connection into the prompt (I just use einstein.unh.edu). The new server should appear in the Server list after you click OK.
- Click the server you just created to expand its options, and then select Network options.
- Enter the following network settings (use the encrypted LDAP port for greater security):
- Hostname: einstein.unh.edu
- Port: 636
- Encryption: SSL (Secure Socket Layer)
- Select Authentication. Uncheck Anonymous bind and enter these authentication settings:
- Mechanism: Simple
- Bind as: cn=root,dc=physics,dc=unh,dc=edu
- DO NOT enter a password here. Luma will store the password in plaintext in your home folder. Just leave it blank so that Luma will prompt you each time you access LDAP.
- Select LDAP Options
- Uncheck "Use Base DNs provided by the server" and then click Edit BaseDN list
- In the Custom: box enter dc=physics,dc=unh,dc=edu and then click Add, and then click OK.
User Management with Luma
Luma allows you to manage user accounts in two ways. You can use the Browser plugin to navigate through the LDAP tree to the entry you want to change and edit it within the browser. The user management plugin allows you to add, edit and delete user accounts. The easiest way to add a new user account is via the User Management plugin. To access user accounts via this plugin follow these instructions:
- Select User management from the main screen.
- Select einstein.unh.edu from the server drop-down.Luma will prompt you for your password. If you used the above setup instructions you will need to use the administrator password for LDAP.
- The box in the bottom left of the window should be populated with a list of existing user accounts. From here you can edit or delete existing accounts as well as add new ones.
- Changes will NOT be saved until you click the save button at the top of the screen. Exiting Luma will abandon your unsaved changes.
Follow these instructions to create a new LDAP user account with Luma:
Click the Add button in the User Management plugin to add a new user account. First you must select the location in the LDAP database to store the new account. The location for user accounts should be ou=People,dc=physics,dc=unh,firstname.lastname@example.org. You can either enter this directly or navigate to it by expanding the LDAP tree structure. After this click Next and you will be presented with the add new user screen.
- "User ID" should be the username for the new account.
- "Common name" should be the person's actual name.
- "Valid until" should be set to some date after the current date otherwise the account won't work. A year from the current date should be fine.
- "Primary Group" for npg users should be npg (gid 5012). To set the user's group memberships click "Manage group memberships". If you want to assign the user to a group does not already exist see the section below about Adding Groups
- Remember that the user's home folder should be set to /net/home/username (make sure you created the folder beforehand).
- Click "Change password..." to set a password for the user. Select crypt from the hash algorithm drop down so that the password isn't stored in plaintext.
- Click Add.. underneath Mail to add an e-mail address. It's a good idea to add a non-npg e-mail address so we have a secondary way to contact users if Einstein is unavailable for some reason.
Once you've filled out the form just click Finish and the new user will be saved to the LDAP database. The account should now be accessible from all NPG machines.
Important: Luma will not create the user's home or mail directories for you. After you add the user to LDAP you need to make sure to create them and assign the correct permissions to them before the user tries to log in. Home and mail folders are located on Gourd in /home and /mail. Use these commands (as root) to create the new folders and to assign the correct permissions:
mkdir /home/newuser /mail/newuser chown newuser:npg /home/newuser chown newuser:mail /mail/newuser