
Delegated Account Management

This AM group enables remote (delegated) account management. Users can belong to multiple groups.

deleteGroup - Delete delegated group

<service name="deleteGroup">
  <info>Delete group/project created by external account manager</info>
  <args>
    <arg isRequired="true" name="groupname" value="groupname">
      <info>Group/project name to delete</info>
    </arg>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>

getGroupsAndUsers - Get all delegated users and groups

<service name="getGroupsAndUsers">
  <info>Show inventory of delegated users and groups/projects</info>
  <args>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>

changeGroupAdmin - Change the leader of the group

<service name="changeGroupAdmin">
  <info>Change the administrator of the group/project</info>
  <args>
    <arg isRequired="true" name="username" value="username">
      <info>User name of the new admin</info>
    </arg>
    <arg isRequired="true" name="groupname" value="groupname">
      <info>Group/project name</info>
    </arg>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>

addUserForm - Show the form for uploading the new user LDIF

<service name="addUserForm">
  <info>Show browser form to upload new user's LDIF</info>
</service>

saveForm - Process the new user LDIF

<service name="saveUser">
  <info>Parse uploaded LDIF and create user account</info>
</service>

deleteUser - Delete user

<service name="deleteUser">
  <info>Delete user created by external source</info>
  <args>
    <arg isRequired="true" name="username" value="username">
      <info>User name to delete</info>
    </arg>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>

moveUser - Change user's primary group

<service name="moveUser">
  <info>Change user's project</info>
  <args>
    <arg isRequired="true" name="username" value="username">
      <info>User name</info>
    </arg>
    <arg isRequired="true" name="groupname" value="groupname">
      <info>User's new primary group/project name</info>
    </arg>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>

addUserToGroup - Add user to the secondary group/project

<service name="addUserToGroup">
  <info>Add user to new secondary group/project</info>
  <args>
    <arg isRequired="true" name="username" value="username">
      <info>User name</info>
    </arg>
    <arg isRequired="true" name="groupname" value="groupname">
      <info>Group/project name</info>
    </arg>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>

deleteGroupUser - Delete user from the secondary group/project

<service name="deleteUserFromGroup">
  <info>Delete user from the group/project</info>
  <args>
    <arg isRequired="true" name="username" value="username">
      <info>User name</info>
    </arg>
    <arg isRequired="true" name="groupname" value="groupname">
      <info>Group/project name</info>
    </arg>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>
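The service descriptors above state which arguments each call requires and which are optional. As an added example (not code from this page or from the OMF project), the following Python reads one such descriptor, the page's deleteUser definition embedded here as sample input, and validates an incoming request against it before anything touches the directory: missing required arguments and unexpected arguments are rejected, the optional baseDN is compared against an allow-list of delegated subtrees, and the username is held to a conservative character set so it cannot carry LDAP filter or DN metacharacters into a later search or delete. ALLOWED_BASE_DNS and USERNAME_RE are assumed site policy for the illustration, not values from the page.

```python
import re
import xml.etree.ElementTree as ET

# Sample input: the page's deleteUser service descriptor, embedded verbatim.
SERVICE_XML = """
<service name="deleteUser">
  <info>Delete user created by external source</info>
  <args>
    <arg isRequired="true" name="username" value="username">
      <info>User name to delete</info>
    </arg>
    <arg isRequired="false" name="baseDN" value="[baseDN]">
      <info>baseDN</info>
    </arg>
  </args>
</service>
"""

# Assumed site policy (not from the page): subtrees a delegated caller may address,
# and the character set a username may use (no LDAP filter or DN metacharacters).
ALLOWED_BASE_DNS = ("ou=people,dc=example,dc=org",)
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_service(xml_text):
    """Return (service name, {arg name: required?}) from a <service> descriptor."""
    root = ET.fromstring(xml_text.strip())
    spec = {}
    for arg in root.iter("arg"):
        spec[arg.get("name")] = arg.get("isRequired", "false").lower() == "true"
    return root.get("name"), spec


def normalize_dn(dn):
    """Lower-case and trim each RDN so the allow-list compare ignores case and spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def validate_request(service_xml, request):
    """Check a request (dict of arg name -> value) against the descriptor.
    Returns a list of problems; an empty list means the request may proceed."""
    name, spec = parse_service(service_xml)
    problems = []
    for arg, required in spec.items():
        if required and not request.get(arg):
            problems.append(f"{name}: missing required argument '{arg}'")
    for arg in request:
        if arg not in spec:
            problems.append(f"{name}: unexpected argument '{arg}'")
    username = request.get("username")
    if username and not USERNAME_RE.match(username):
        problems.append(f"{name}: username contains characters outside the allowed set")
    base = request.get("baseDN")
    allowed = {normalize_dn(d) for d in ALLOWED_BASE_DNS}
    if base is not None and normalize_dn(base) not in allowed:
        problems.append(f"{name}: baseDN '{base}' is outside the delegated subtrees")
    return problems


if __name__ == "__main__":
    for req in ({"username": "alice"},
                {},
                {"username": "alice", "baseDN": "dc=elsewhere"},
                {"username": "a*)(uid=*"}):
        print(req, "->", validate_request(SERVICE_XML, req) or "accepted")
```

The same function serves every descriptor on the page, since they all share the `<arg isRequired=...>` shape; only the allow-list and the username pattern are site decisions.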

Error Messages

Generic errors

  1. ERROR 1: UID and OU and DC match
  2. ERROR 2: UID and DC match but OU is different
  3. ERROR 3: UID matches but DC and OU are different
  4. ERROR 4: UID and OU match but DC is different
  5. ERROR 5: Unknown username:
  6. ERROR 6: Cannot delete user: User is a admin for a group
  7. ERROR 7: Unknown group name:
  8. ERROR 8: Group/project not deleted because it contains admin(s):
  9. ERROR 9: Cannot move users: different DCs
  10. ERROR 10: Missing OU LDIF entry
  11. ERROR 11: Missing group name attribute in OU entry
  12. ERROR 12: Missing objectClass attribute (organizationalUnit/organizationalRole/organizationalUnit) for:
  13. ERROR 17: Missing PI entry

Group manipulation errors

  1. ERROR 20: Group exists
  2. ERROR 21: Missing PI mail:
  3. ERROR 22: Missing PI ssh public key:

User manipulation errors

  1. ERROR 30: Missing username (UID)
  2. ERROR 31: Organization does not exist for this user. Missing organization LDIF entry
  3. ERROR 32: Missing user's email address
  4. ERROR 33: Missing user's ssh public key:

GENI Extension Schema for LDAP

In order to automate delegated account creation and deletion, the AM uses the following LDAP schema extension (in this example stored in a file named geni.schema):

# IA5String SYNTAX (1.3.6.1.4.1.1466.115.121.1.26), at most 256 characters
attributetype ( 1.3.6.1.4.1.4203.666.1.90
        NAME 'remoteDN'
        DESC 'MANDATORY: baseDN from remote'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.4203.666.1.91
        NAME 'listOfChildren'
        DESC 'MANDATORY: List of children with this account cloned'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

# Auxiliary object class that carries the two attributes above
objectclass ( 1.3.6.1.4.1.4203.666.1.100
        NAME 'geniAttributes' SUP top AUXILIARY
        DESC 'MANDATORY: GENI related attributes'
        MAY ( remoteDN $ listOfChildren ) )
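The saveUser service parses an uploaded LDIF, and the error message tables above list what it rejects (a missing OU entry, a missing objectClass, a missing uid, mail or ssh key), while the schema just shown bounds remoteDN and listOfChildren to IA5 strings of at most 256 characters. As an added example (not the project's code), the following Python checks a constructed upload against those conditions before it is handed to the directory. The attribute names mail and sshPublicKey, and the use of ou as the group name attribute of an OU entry, are assumptions; the error texts are the page's own.

```python
# Constructed sample upload: one OU (group/project) entry and one user entry.
SAMPLE_LDIF = """\
dn: ou=proj42,dc=example,dc=org
objectClass: organizationalUnit
ou: proj42

dn: uid=alice,ou=proj42,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: geniAttributes
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.org
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotARealKey
remoteDN: dc=remote,dc=example,dc=org
"""

IA5_MAX = 256  # the {256} length bound from the geni.schema attribute definitions


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attribute: [values]}).
    Handles folded continuation lines and '#' comments; base64 ('::') values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # sentinel blank line closes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def check_upload(text):
    """Return the page's error messages this upload would trigger (empty list = accepted)."""
    errors = []
    entries = parse_ldif(text)
    if not any("organizationalUnit" in a.get("objectClass", []) for _, a in entries):
        errors.append("ERROR 10: Missing OU LDIF entry")
    for dn, attrs in entries:
        classes = attrs.get("objectClass", [])
        if not classes:
            errors.append(f"ERROR 12: Missing objectClass attribute for: {dn}")
            continue
        # Assumption: the group name of an OU entry is its 'ou' attribute.
        if "organizationalUnit" in classes and not attrs.get("ou"):
            errors.append(f"ERROR 11: Missing group name attribute in OU entry {dn}")
        if dn.lower().startswith("uid="):
            if not attrs.get("uid"):
                errors.append("ERROR 30: Missing username (UID)")
            if not attrs.get("mail"):            # assumed attribute name
                errors.append(f"ERROR 32: Missing user's email address {dn}")
            if not attrs.get("sshPublicKey"):    # assumed attribute name (openssh-lpk style)
                errors.append(f"ERROR 33: Missing user's ssh public key: {dn}")
        if "geniAttributes" in classes:
            for name in ("remoteDN", "listOfChildren"):
                for value in attrs.get(name, []):
                    if len(value) > IA5_MAX or not value.isascii():
                        errors.append(f"schema: {name} on {dn} is not an IA5String of at most {IA5_MAX} chars")
    return errors


if __name__ == "__main__":
    for e in check_upload(SAMPLE_LDIF) or ["upload accepted"]:
        print(e)
```

Rejecting an upload here, before an LDAP add is attempted, keeps a half-created account (user without OU, or entry without its mandatory classes) from ever appearing in the directory; the schema length check catches what slapd would otherwise reject with a less specific error.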

For it to be loaded at start-up, this schema needs to be placed in the server's schema directory (for recent versions of slapd, /etc/ldap/schema) and the following line has to be added to the LDAP configuration file (typically /etc/ldap/slapd.conf):

include		/etc/ldap/schema/geni.schema

Installation and Configuration

The Delegated Account Management is packaged in the omf-aggmgr-delegatedam-5.4 package. It can be installed from the package repository with

apt-get install omf-aggmgr-delegatedam-5.4

Instructions on how to add the Orbit software repository to your list of apt sources can be found here.

Once installed the service is configured by TODO.

Last modified on 01/24/16 18:54:36