[SAC] ldap_shell.py - web updates for shell access list

Frank Warmerdam warmerdam at pobox.com
Tue Mar 31 02:57:01 EDT 2009


Folks,

After some consultation with Martin, I have figured out more about
how the LDAP access works now for the telascience blades.  I have written
a web interface that provides access to update the list of OSGeo userids
allowed to log in to the telascience blades.  It is at:

   https://www.osgeo.org/cgi-bin/auth/ldap_shell.py

It is similar to the subversion group editor, but it also adds the
required posixAccount and shadowAccount attributes to the userid in the
Person list if it is currently lacking them.  It assigns a next "uidNumber",
the unix uid, from the Description field of the ou=Shell parent object and
increments the number in that field.  I had it start at 15000 since the
local accounts seemed to be in the 14000s and the previous LDAP accounts
in the 10000s.

Note that sudo access on blades will still need to be managed locally, but
otherwise it is possible to give reasonably trusted folks access to all the
blades by adding them to this group.

It should be relatively easy to add other similarly managed groups in the
future if we decide we would like to segregate things into per-server
groups or some similar breakdown.

I have minimally updated http://wiki.osgeo.org/wiki/SAC:LDAP with
information on the current configuration.

More documentation in appropriate places might be helpful.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent
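
Added example, not part of the original message and not the code of ldap_shell.py: a sketch of the provisioning step the message describes (add the missing posixAccount/shadowAccount classes, take the next uidNumber from a counter field, increment the counter). The function names, the login-name pattern, `gid_number`, `home_base` and the sample entry are assumptions; the counter update is written as a delete-old/add-new pair so two concurrent edits cannot hand out the same uid.

```python
import re

# Added sketch: builds LDAP modify lists as plain tuples; no server is contacted.
POSIX_CLASSES = ("posixAccount", "shadowAccount")
FIRST_UID = 15000  # starting uidNumber given in the message
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed login-name policy


def next_uid_mods(description):
    """Return (uid, mods) that claim the uid stored in the counter field.

    The delete names the old value, so if another editor advanced the
    counter first the server rejects the whole modify and the caller must
    re-read and retry instead of issuing a duplicate uid.
    """
    uid = int(description)
    if uid < FIRST_UID:
        raise ValueError("counter %d is below the LDAP-managed range" % uid)
    return uid, [("delete", "description", [str(uid)]),
                 ("add", "description", [str(uid + 1)])]


def provision(entry, counter_description, gid_number, home_base="/home"):
    """Return (entry_mods, counter_mods) for a Person entry joining the group.

    gid_number and home_base are assumptions; the message does not give them.
    """
    have = {c.lower() for c in entry.get("objectClass", [])}
    missing = [c for c in POSIX_CLASSES if c.lower() not in have]
    if not missing:
        return [], []  # already provisioned: do not consume a uid
    entry_mods, counter_mods = [("add", "objectClass", missing)], []
    if "posixAccount" in missing:
        login = entry["uid"][0]
        if not LOGIN_RE.fullmatch(login):  # keeps "../" out of homeDirectory
            raise ValueError("unsafe login name: %r" % login)
        uid_number, counter_mods = next_uid_mods(counter_description)
        entry_mods += [("add", "uidNumber", [str(uid_number)]),
                       ("add", "gidNumber", [str(gid_number)]),
                       ("add", "homeDirectory", ["%s/%s" % (home_base, login)])]
    return entry_mods, counter_mods


# Constructed sample entry, not taken from the OSGeo directory.
sample = {"objectClass": ["person", "inetOrgPerson"], "uid": ["jdoe"], "cn": ["J Doe"]}
entry_mods, counter_mods = provision(sample, "15000", gid_number=15000)
```

Both modify lists should be sent only after the counter modify succeeds, so a rejected counter update never leaves an entry holding a uid that was not reserved.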


