[[TOC(Software/eAM/*, depth=3)]]

== Delegated Account Management ==

This AM group enables remote account management. Users can belong to multiple groups.

=== deleteGroup - Delete delegated group ===
{{{
Delete group/project created by external account manager
  Group/project name to delete
  baseDN
}}}

=== getGroupsAndUsers - Get all delegated users and groups ===
{{{
Show inventory of delegated users and groups/projects
  baseDN
}}}

=== changeGroupAdmin - Change the leader of the group ===
{{{
Change the administrator of the group/project
  User name of the new admin
  Group/project name
  baseDN
}}}

=== addUserForm - Show the form for uploading the new user LDIF ===
{{{
Show browser form to upload new user's LDIF
}}}

=== saveForm - Process the new user LDIF ===
{{{
Parse uploaded LDIF and create user account
}}}

=== deleteUser - Delete user ===
{{{
Delete user created by external source
  User name to delete
  baseDN
}}}

=== moveUser - Change user's primary group ===
{{{
Change user's project
  User name
  User's new primary group/project name
  baseDN
}}}

=== addUserToGroup - Add user to a secondary group/project ===
{{{
Add user to new secondary group/project
  User name
  Group/project name
  baseDN
}}}

=== deleteGroupUser - Delete user from a secondary group/project ===
{{{
Delete user from the group/project
  User name
  Group/project name
  baseDN
}}}

=== Error Messages ===

==== Generic errors ====
 1. ERROR 1: UID and OU and DC match
 2. ERROR 2: UID and DC match but OU is different
 3. ERROR 3: UID matches but DC and OU are different
 4. ERROR 4: UID and OU match but DC is different
 5. ERROR 5: Unknown username:
 6. ERROR 6: Cannot delete user: User is an admin for a group
 7. ERROR 7: Unknown group name:
 8. ERROR 8: Group/project not deleted because it contains admin(s):
 9. ERROR 9: Cannot move users: different DCs
 10. ERROR 10: Missing OU LDIF entry
 11. ERROR 11: Missing group name attribute in OU entry
 12. ERROR 12: Missing objectClass attribute (organizationalUnit/organizationalRole/organizationalUnit) for:
 13. ERROR 17: Missing PI entry

==== Group manipulation errors ====
 20. ERROR 20: Group exists
 21. ERROR 21: Missing PI mail:
 22. ERROR 22: Missing PI ssh public key:

==== User manipulation errors ====
 30. ERROR 30: Missing username (UID)
 31. ERROR 31: Organization does not exist for this user. Missing organization LDIF entry
 32. ERROR 32: Missing user's email address
 33. ERROR 33: Missing user's ssh public key:

=== GENI Extension Schema for LDAP ===

In order to automate delegated account creation/deletion, the AM uses the following LDAP schema extension (in this example stored in a file named '''geni.schema'''):
{{{
# octetString SYNTAX
# (syntax OID 1.3.6.1.4.1.1466.115.121.1.26 is the IA5 String syntax, matched by caseIgnoreIA5Match)
attributetype ( 1.3.6.1.4.1.4203.666.1.90
    NAME 'remoteDN'
    DESC 'MANDATORY: baseDN from remote'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.4203.666.1.91
    NAME 'listOfChildren'
    DESC 'MANDATORY: List of children with this account cloned'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.4203.666.1.100
    NAME 'geniAttributes'
    SUP top AUXILIARY
    DESC 'MANDATORY: GENI related attributes'
    MAY ( remoteDN $ listOfChildren ) )
}}}

In order for it to be loaded at start-up, this schema needs to be placed in the server's schema directory (for the latest version of [http://www.openldap.org/ slapd] in /etc/ldap/schema) and the following line has to be added to the LDAP configuration file (typically /etc/ldap/slapd.conf):
{{{
include /etc/ldap/schema/geni.schema
}}}
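As an added example (not code from this page or from the AM itself), the check a saveForm-style handler should run on an uploaded user LDIF before creating the account, returning the user-manipulation error strings listed above. The attribute names uid, mail and sshPublicKey, the rejection of a present-but-malformed key under the same ERROR 33 code, and the sample entries are assumptions of this example.

```python
import base64

def parse_ldif(text):
    # Single-entry LDIF -> {attr_lower: [values]}; handles RFC 2849 folding and '::' base64 values
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def ssh_key_is_wellformed(key):
    # Accept only 'type base64blob [comment]' whose decoded blob names the same key type
    parts = key.split()
    if len(parts) < 2: return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:                                # covers binascii.Error too
        return False
    n = int.from_bytes(blob[:4], "big")               # first field is the length-prefixed type
    return blob[4:4 + n] == parts[0].encode()

REQUIRED = (("uid", "ERROR 30: Missing username (UID)"),
            ("mail", "ERROR 32: Missing user's email address"),
            ("sshpublickey", "ERROR 33: Missing user's ssh public key:"))

def validate_user_ldif(text):
    # Returns the page's error strings that apply; an empty list means the entry may be created
    entry = parse_ldif(text)
    errors = [msg for attr, msg in REQUIRED if not any(entry.get(attr, []))]
    for key in entry.get("sshpublickey", []):
        if not ssh_key_is_wellformed(key):            # present but unusable: reject, same code
            errors.append("ERROR 33: Missing user's ssh public key: malformed " + key[:20])
    return errors

# Constructed samples (not real accounts); the ed25519 blob carries an all-zero key
KEY_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
GOOD_LDIF = f"""dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: geniAttributes
uid: jdoe
mail: jdoe@example.org
remoteDN: dc=remote,dc=org
sshPublicKey: ssh-ed25519 {KEY_BLOB}
  jdoe@laptop
"""
BAD_LDIF = "dn: uid=x,ou=people,dc=example,dc=org\nuid: x\nsshPublicKey: ssh-rsa not-base64!\n"
```

Calling validate_user_ldif(GOOD_LDIF) returns an empty list, while BAD_LDIF yields ERROR 32 (no mail) and ERROR 33 (key present but not a decodable OpenSSH public key).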