[[TOC(Software/eAM/*, depth=3)]]
== Delegated Account Management ==
This AM group is enabling remote account management. Users can belong to multiple groups
==== deleteGroup - Delete delegated group ====
{{{
Delete group/project created by external account manager
Group/project name to delete
baseDN
}}}
==== getGroupsAndUsers - Get all delegated users and groups ====
{{{
Show inventory of delegated users and groups/projects
baseDN
}}}
==== changeGroupAdmin - Change the leader of the group ====
{{{
Change the administrator of the group/project
User name of the new admin
Group/project name
baseDN
}}}
==== addUserForm - Show the form for uploading the new user LDIF ====
{{{
Show browser form to upload new user's LDIF
}}}
==== saveForm - process the new user LDIF ====
{{{
Parse uploaded LDIF and create user account
}}}
==== deleteUser - Delete user ====
{{{
Delete user created by external source
User name to delete
baseDN
}}}
==== moveUser - Change users primary group ====
{{{
Change user's project
User name
User's new primary group/project name
baseDN
}}}
==== addUserToGroup - Add user to the secondary group/project ====
{{{
Add user to new secondary group/project
User name
Group/project name
baseDN
}}}
==== deleteGroupUser - Delete user from the secondary group/project ====
{{{
Delete user from the group/project
User name
Group/project name
baseDN
}}}
== Error Messages ==
=== Generic errors ===
1. ERROR 1: UID and OU and DC match
2. ERROR 2: UID and DC match but OU is different
3. ERROR 3: UID matches but DC and OU are different
4. ERROR 4: UID and OU match but DC is different
5. ERROR 5: Uknonw user DN:
6. ERROR 6: Cannot delete user: User is a admin for a group
7. ERROR 7: Unknown group DN:
8. ERROR 8: Group/project not deleted because it contains admin(s):
9. ERROR 9: Cannot move users: different DCs
10. ERROR 10: Missing OU LDIF entry
11. ERROR 11: Missing group name attribute in OU entry
12. ERROR 12: Missing objectClass attribute (organizationalUnit/organizationalRole/organizationalUnit) for:
13. ERROR 17: Missing PI entry
=== Group manipulation errors ===
20. ERROR 20: Group exists
21. ERROR 21: Missing PI mail:
22. ERROR 22: Missing PI ssh public key:
=== User manipulation errors ===
30. ERROR 30: Missing username (UID)
31. ERROR 31: Organization does not exist for this user. Missing organization LDIF entry
32. ERROR 32: Missing user's email address
33. ERROR 33: Missing user's ssh public key:
== GENI Extension Schema for LDAP ==
In order to automate delegated account creation/deletion, the AM uses following LDAP schema extension (in this example stored in file: '''geni.schema'''):
{{{
# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.4203.666.1.90
NAME 'remoteDN'
DESC 'MANDATORY: baseDN from remote'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.4203.666.1.91
NAME 'listOfChildren'
DESC 'MANDATORY: List of children with this account cloned'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.4203.666.1.100
NAME 'geniAttributes' SUP top AUXILIARY
DESC 'MANDATORY: GENI related attributes'
MAY ( remoteDN $ listOfChildren )
)
}}}
In order for it to be loaded at start-up, this schema needs to be placed in server schema directory (for the latest version of [http://www.openldap.org/ slapd] in /etc/ldap/schema) and the following line has to be added to the LDAP configuration file (typically in /etc/ldap/slapd.conf):
{{{
include /etc/ldap/schema/geni.schema
}}}