The University of California, San Diego

Usher LDAP Plugin

This plugin provides LDAP authentication for both Usher and clusters created by Usher users. It enables Usher users (cluster creators) to completely manage authentication for their virtual clusters, including user and group administration. It does this by creating a branch in the LDAP database for each cluster an Usher user creates. This branch enables each VM the user creates to authenticate its users through the LDAP database.

This functionality provides a convenient authentication service to virtual cluster creators. First, it allows Usher users to use their Usher credentials as their VM login credentials since they are automatically added as a user in each cluster created. Since each cluster uses a different branch in the LDAP database, aliasing is used to provide Usher users a single set of credentials. In addition, the plugin adds each Usher user to the 'admin' group of each cluster the user creates. VM filesystems can then be configured to grant special privileges to this group (e.g., sudo privileges). This approach is convenient when using a read-only NFS root filesystem where no default root password is set.

The Usher LDAP plugin allows Usher users to create accounts and groups for their clusters without burdening the Usher administrator with this task. This capability is especially conducive to collaborative work, as is common in a research lab setting. An administrator could easily be overwhelmed with management requests in a setting where users are free to create their own clusters, yet are unable to fully manage them. This approach pushes many mundane administrative tasks out to the users who have the incentive to create accounts on their VMs.

An LDAP server configuration file that allows Usher users to only manage branches which they own is included with the Usher LDAP plugin source code. In addition, scripts to modify cluster LDAP entries (i.e., to add, modify, or delete users and groups) are provided for installation on VM filesystems.

Requirements

  • A server running OpenLDAP (>=2.2.10) (Note: this can run anywhere, not just on your Usher controller)
  • python-ldap (>=2.0.1) installed on your Usher controller node

The Utilities section below contains information about setting up your LDAP database. So, don't worry about being an LDAP expert.

Download

Installation

Download the uldap package onto the machine running your Usher controller and run:

$ tar xvzf uldap-latest.tgz
$ cd uldap-revXXX

Copy the uldap directory found there to your Usher installation's 'plugins' directory, or to another directory specified by the 'plugin_dir' variable in the controller's configuration file. (Be sure you copy the directory uldap-revXXX/uldap to the plugins directory, not uldap-revXXX.)

See the Utilities section below for information on setting up the LDAP database.

Configuration

Valid options along with their default values are listed below.

  • server: Name of the LDAP server. Default = None
  • basedn: Base DN from which searches begin. Default = None
  • binddn: DN to bind as. Default = None
  • bindpw: Bind DN password. Default = None
  • usher_group_number: Default group to which all Usher users will be added. This will be their gid number on their VMs. Default = 5000
  • admin_group_number: Admin group visible by all VMs. Useful for giving users sudo privs, etc. Default = 5001

Add these options to a [[uldap]] subsection of the [plugins] section of the controller's configuration file. This plugin should be registered for the following events: cluster_register, client_authenticate, and lnm_authenticate.

Below is a sample [[uldap]] subsection. Start by copying and pasting this into the [plugins] section of your controller's configuration file and editing it for your environment.

########################
[[uldap]]
########################

bsdn = dc=usher,dc=mydomain,dc=net

[[[__allsecs__]]]
server = usher.mydomain.net
basedn = $bsdn
binddn = uid=bind,ou=users,ou=special_accounts,$bsdn
bindpw = secret

[[[cluster_register]]]
# need to be able to write here, so we bind as 'usher'
binddn = uid=usher,ou=users,ou=special_accounts,$bsdn
bindpw = bigsecret

[[[client_authenticate]]]
# client users are under $bsdn

[[[lnm_authenticate]]]
# lnm users are under ou=lnms,$bsdn
basedn = ou=lnms,$bsdn

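The client_authenticate and lnm_authenticate events configured above both come down to one check: bind with the service account, find the uid below the configured basedn, and let the directory verify the password by binding again as the entry found. The following Python is an added example of that check, not the plugin's own code; the authenticate and escape_filter functions and the FakeDirectory stand-in are assumptions, and the DNs are taken from the sample subsection above.

```python
# Added example, not the plugin's own code.  The connection object is injected;
# with python-ldap it would be ldap.initialize("ldap://" + server).
# FakeDirectory is a constructed stand-in so the check runs without a server.
SCOPE_SUBTREE = 2   # same value as ldap.SCOPE_SUBTREE in python-ldap

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, rep)
    return value

def authenticate(conn, basedn, binddn, bindpw, uid, password):
    """Return the user's DN if uid/password are valid below basedn, else None.

    Bind as the service account, look the uid up below basedn, then re-bind as
    the entry found; the directory checks the password, not the caller.
    """
    # A simple bind with an empty password is an anonymous bind on most LDAP
    # servers and "succeeds", so refuse it before asking the server.
    if not password:
        return None
    conn.simple_bind_s(binddn, bindpw)
    results = conn.search_s(basedn, SCOPE_SUBTREE,
                            "(uid=%s)" % escape_filter(uid))
    # Exactly one match is required: none is an unknown user, several is an
    # ambiguous directory that is refused rather than guessed at.
    if len(results) != 1:
        return None
    user_dn = results[0][0]
    try:
        conn.simple_bind_s(user_dn, password)
    except Exception:        # ldap.INVALID_CREDENTIALS with python-ldap
        return None
    return user_dn

class FakeDirectory:
    """Constructed stand-in for a python-ldap connection; passwords: {dn: pw}."""
    def __init__(self, passwords):
        self.passwords = passwords

    def simple_bind_s(self, dn, password):
        if not password or self.passwords.get(dn) != password:
            raise Exception("INVALID_CREDENTIALS")

    def search_s(self, base, scope, flt):
        uid = flt[len("(uid="):-1]
        return [(dn, {}) for dn in self.passwords
                if dn.endswith(base) and dn.startswith("uid=%s," % uid)]
```

With a real python-ldap connection the same function works unchanged; only the FakeDirectory argument is replaced by the initialized connection.
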
See the Configuration Files section on the Documentation page for additional details on writing Usher configuration files.

Utilities

The Usher LDAP plugin ships with a few utility scripts and sample configuration files in its /utils directory. Below are brief descriptions of the contents of this directory:

  • admin_scripts: directory containing scripts for Usher user management
  • ldap.conf: an LDAP configuration file for use with PAM
  • ldap_server.conf: an LDAP configuration file for use with common LDAP tools (ldapsearch, ldapmodify, etc.)
  • slapd.conf: the OpenLDAP server configuration file. This contains the access control rules which allow Usher users to manage users for their clusters (without affecting, or having access to other Usher users' clusters).
  • usher_ldap_init.py: script to initialize your OpenLDAP database for use by this plugin
  • usher.schema: an LDAP schema which defines 'usherAccount' and 'usherGroup' required by this plugin.

An example of installing this plugin and setting up the LDAP database can be found on the Experiences page.


Last Updated: 2007-12-22 by mmcnett
Report problems to: Marvin McNett