TODO, things will work, just slower until this is turned on

### Indexing frames

TODO

## Authenticated Access ##

Install the nds-index-utilities package if you do not have it at this point. (This is needed on the machine doing authentication.)

You will need a Kerberos principal for nds2/your_fqdn_here@LIGO.ORG. This can be obtained via robots.ligo.org.

* Make sure to request a service keytab
* Make sure to request the nds2 service type

### Create a userfile.tmpl.txt file ###

Create a template file to expand groups into user lists for access to NDS2.

On the older systems it would be in /home/nds/nds2-nds2/userfile.tmpl.txt and might contain something like the following; each entry whose name begins with @ is a group name that gets expanded into a list of users:

<pre>
# Grouper groups to allow
@Communities:LVC:NDS2:NDS2AuthZ::0
@Communities:LVC:LIGOLab:LIGOLabGroupMembers::0
@Communities:LVC:LSC:LSCGroupMembers::0

# white list robots, fold this into a grouper group in the near future
40m/robot/ldas-pcdev1.ligo.caltech.edu::0
ldvw/robot/ldvw.ligo.caltech.edu::0
ldvwusr/robot/ldvw.ligo.caltech.edu::0
ldvw.ligo.caltech.edu::0
ligodv-test-areeda::0
tester/robot/ligodv.areeda.com::0
NAGIOS_NDS2_client/robot/nds.ligo.caltech.edu::0
NAGIOS_NDS2_client/robot/nds.ligo-la.caltech.edu::0
NAGIOS_NDS2_client/robot/nds.ligo-wa.caltech.edu::0
NAGIOS_NDS2_client/robot/ndso1.ligo-wa.caltech.edu::0
LHO_NDS2_proxy/robot/nds.ligo-wa.caltech.edu::0
CIT_NDS2_proxy/robot/nds2.ligo.caltech.edu::0
LLO_NDS2_proxy/robot/ndso1.ligo-la.caltech.edu::0
LHO_outreach_displays/robot/outreach-displays.ligo-wa.caltech.edu::0
gecotiming/robot/geco.markalab.org::0
CALrobot/robot/ligo.caltech.edu::0
detchar/robot/detchar.ligo.caltech.edu::0
detchar_cit/robot/detchar.ligo.caltech.edu::0
detchar-la/robot/detchar.ligo-la.caltech.edu::0
detchar_ligo-wa/robot/detchar.ligo-wa.caltech.edu::0
</pre>

### Configure an LDAP updater ###

The group authorization script needs to contact an LDAP server to determine how to expand groups, so it must be configured to know about that server. In the older setup the config lived at /home/nds/nds2-nds2/nds2_ldap.conf. It would look something like this (adjust the server settings to refer to your local LDAP replica):

<pre>
[ldap]
starttls = False
ssl = False
port = 389
server = geppetto.ldas.cit

[users]
attr = krbPrincipalName
filter = (&(objectClass=inetOrgPerson)(isMemberOf=%s))
base = dc=ligo,dc=org

[groups]
attr = description
filter = (objectClass=groupOfNames)
base = ou=Communities,ou=grouper,dc=ligo,dc=org
</pre>

### Configure nds_group_auth to run in a cron job ###

Set up a cron job that runs periodically, calls /usr/bin/nds_group_auth, and populates userfile.txt from userfile.tmpl.txt.
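As an added illustration of how the three pieces above fit together (the @group entries in userfile.tmpl.txt, the [groups] and [users] sections of nds2_ldap.conf, and the userfile.txt the cron job writes), here is a small expander. It is not the nds_group_auth script, whose real logic this page does not show: the LDAP round trips are replaced by a constructed stand-in search function, the directory data and hostnames are constructed, and the realm handling and the refusal on ambiguous group matches are assumptions.

```python
import configparser
import warnings
# Constructed inputs in the page's formats: nds2_ldap.conf (server/port omitted), userfile.tmpl.txt.
LDAP_CONF = """[ldap]
starttls = False
ssl = False
[users]
attr = krbPrincipalName
filter = (&(objectClass=inetOrgPerson)(isMemberOf=%s))
base = dc=ligo,dc=org
[groups]
attr = description
filter = (objectClass=groupOfNames)
base = ou=Communities,ou=grouper,dc=ligo,dc=org
"""
TEMPLATE = """# Grouper groups to allow
@Communities:LVC:NDS2:NDS2AuthZ::0
NAGIOS_NDS2_client/robot/nds.example.invalid::0
"""
# Constructed stand-in directory: one group (DN, description) and its members keyed by that DN.
GROUP_DN = "cn=NDS2AuthZ,ou=Communities,ou=grouper,dc=ligo,dc=org"
FAKE_MEMBERS = {GROUP_DN: [("uid=bob,dc=ligo,dc=org", "bob@LIGO.ORG"), ("uid=alice,dc=ligo,dc=org", "alice@LIGO.ORG")]}

def fake_search(base, ldap_filter, attr):  # stands in for an LDAP search: [(dn, attr_value), ...]
    if base.startswith("ou=Communities"):
        return [(GROUP_DN, "Communities:LVC:NDS2:NDS2AuthZ")]
    return FAKE_MEMBERS.get(ldap_filter.split("isMemberOf=", 1)[1].rstrip(")"), [])

def transport_is_protected(cfg):  # True only when the session is wrapped in TLS (STARTTLS or ldaps)
    return cfg.getboolean("ldap", "starttls") or cfg.getboolean("ldap", "ssl")

def expand_template(template, conf_text, search=fake_search):
    cfg = configparser.ConfigParser(interpolation=None)  # keep the literal %s in the users filter
    cfg.read_string(conf_text)
    if not transport_is_protected(cfg):
        warnings.warn("group membership would be fetched over plaintext LDAP")
    out = []
    for raw in template.splitlines():
        if not raw.startswith("@"):  # comments, blanks and explicit principals pass through
            out.append(raw)
            continue
        name, _, flags = raw[1:].partition("::")
        g, u = cfg["groups"], cfg["users"]
        # 1) resolve the Grouper group name to its DN; 2) list members by filling that DN into %s
        dns = [dn for dn, desc in search(g["base"], g["filter"], g["attr"]) if desc == name]
        if len(dns) != 1:
            raise LookupError(f"group {name!r} matched {len(dns)} entries, refusing to guess")
        members = search(u["base"], u["filter"] % dns[0], u["attr"])
        out.extend(f"{p}::{flags}" for _, p in sorted(members, key=lambda m: m[1]))
    return "\n".join(out) + "\n"
```

The transport check mirrors the starttls/ssl settings in the config shown above: with both False, the membership data that becomes the NDS2 access list travels over plaintext LDAP on port 389, which is why the page points the updater at a local replica and why starttls = True is the setting to prefer where the replica supports it.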