|Linux System Administration|
Kladmin: magic trio user administration tool
Kladmin is a user account administration tool for distributed file systems based on MIT Kerberos V, OpenLDAP and OpenAFS, otherwise known as the magic trio. This system has many advantages, such as huge scalability, but user administration does not immediately come to mind, since every new account requires that one be created with the same name and ID number in each of the three subsystems. Luckily, all of this runs on Linux, an environment in which it is easy to develop tools to address these kinds of problems.
Written in Perl, kladmin is a front-end for a number of standard utilities. It is not a replacement for them, but it does allows system administrators to save time with typical user account administration. It can be used to create and delete accounts individually, request information about them, as well as accept an input file to quickly create many new accounts from a list of names. In all of these cases the program can be instructed to create or delete accounts from all three subsystems, which is does by default. Or, it can be used to create or delete accounts from just one or two of the subsystems. Another useful feature is its ability to generate various lists of account names and ID numbers so that each one can be checked across all three subsystems.
The design is such that, when creating a normal account, the same number is used for the UID and GID in LDAP as for the ID in AFS. Similarly, if an account name and UID/GID number already exists in LDAP, but not in AFS, and kladmin is used to create an account with the same name in AFS, the same number will be used for AFS account's ID. The same thing happens when an AFS account already exists and a matching LDAP account is created.
To prevent many predictable error conditions, kladmin checks if it has the required access to the different subsystems before running any operations. It does this automatically for Kerberos, AFS and the GNU/Linux OS, but needs a configuration option to be set before LDAP administrative access can be ascertained. The required configuration file contains information such as key LDAP entries, AFS servers and partition names.
This application operates according to a popular convention regarding the AFS directory structure used for the mount points of user volumes. For instance, for a user account, gwashington, in an AFS cell, called example.com, it is assumed that the directory path will be:
By modifying its configuration file, kladmin can also be set to operate without support for OpenAFS and/or OpenLDAP. However, Kerberos is always required, as is Kerberos authentication for OpenLDAP when the latter is used.
Kladmin was developed on a Debian 5.0 (lenny) system. It should work on many others, although in some cases the script itself will have to be modified to reflect the different locations of a few configuration files (included in the Declarations section near the beginning of the script).
kladmin [-A | -D] -u <user_name> kladmin [-A | -D] [-k] [-l] [-a] -u <user_name> [-p <password>] [-i <id_number>] [-G <given_name>] [-S <surname>] kladmin [-k] [-l] [-a] -f <file_name> kladmin -I [-k] [-l] [-a] -u <user_name> kladmin -L <code> kladmin -v
3. Input file format
The supported input file format is relatively simple, consisting of three fields: an account name, a given name and a surname. Account names may not contain any spaces, dashes ('-') or forward slashes ('/'). Given names may contain dashes and spaces, but the latter are only accepted if the name is enclosed between double quote marks ('"'). Surnames may also contain dashes and spaces, but never require double quote marks. Each of these three names must be separated from the others with one or more spaces.
Normally, new accounts are created as follows:
~# kladmin -Au bbeamon -p longjump -i 10005 -G Bob -S Beamon
If pressed for time, the same account can also be created with less input, in which case a password will be generated automatically:
~# kladmin -Au bbeamon
But, it is also possible to create an account name only in certain subsystems, e.g. Kerberos and AFS:
~# kladmin -Akau bbeamon
An entire account may be deleted at once:
~# kladmin -Du bbeamon
Or, only one of its components may be deleted, e.g. the LDAP account:
~# kladmin -Dlu bbeamon
New accounts can also be created from a list in an input file:
~# kladmin -f input-file
Partial accounts may also be created from a list in an input file, such as only for Kerberos and AFS:
~# kladmin -kaf input-file
Example of a list of names in an input file, each with a valid format:
bobama Barack Obama dvvliet Don Van Vliet ahroliveira "Antonio Henrique" de Oliveira Marques pjwitzig Pieter-Jan Witzig rbourne Robin Bourne-Taylor
A five-column overview, based on a list of all LDAP posixAccount entry names can be generated with:
~# kladmin -L lan
5. Configuration file
A configuration file, /etc/kladmin.conf, must be created. A number of variables must be configured, while others have default values. What follows is a complete list of variables for v0.2 of the configuration file, any which may be altered as needed:
# # kladmin v0.2.1 configuration file # # /etc/kladmin.conf # # While kladmin requires MIT Kerberos V to work, support for # OpenLDAP and/or OpenAFS can be disabled. The default is "enabled" # for both of them, but this can be changed to "disabled" if one or # both are not in use. #OPENLDAP enabled #OPENAFS enabled # Arguments used for the apg tool. The default is # -a0 -m8 -Mncl. Option -n1 is always used. # #APGARGS -a0 -m8 -Mncl # Attributes to give Kerberos user accounts The default is # -clearpolicy +requires_preauth. # #KRBOPT -clearpolicy +requires_preauth # Minimum UID/GID number to use for LDAP and AFS accounts. The # default is 10000. # #IDMIN 10000 # Maximum UID/GID number to use for LDAP and AFS accounts. The # default is 65535. # #IDMAX 65535 # DN, or partial DN, required for LDAP administrative access. # LDPADMIN cn=admin,dc=example,dc=com # LDAP organizational unit for user entries. # LDAPUPTH ou=people,dc=example,dc=com # LDAP organizational unit for group entries. # LDAPGPTH ou=groups,dc=example,dc=com # Structural object class type for LDAP UID entry. The default is # person, but other possibilities include organizationalPerson and # inetOrgPerson. # #OBJCL Person # AFS partition. The default is /vicepa. # #AFSPRT /vicepa # AFS server for read-write volumes. # AFSSRV klas1 # AFS servers for read-only volumes. Supports multiple # host-name/partition-name combinations. No default values. # #AFSSRVRO klas2/vicepa klas3/vicepb klas4/vicepa # AFS user volume quota in KB. The default is "0" (unlimited # volume size). FYI: 1048576 KB = 1 GB. # #AFSQUO 0 # AFS permissions for users in their own user volumes. The default # is all. # #AFSPRM all # Column width of the uname/ID list overviews. The default is 15. # #CW 15
The values indicated above in red must be modified, or else kladmin will not work.
For kladmin to function properly, a number of Debian packages must also be installed on the same system:
apg 2.2.3.dfsg.1-2 Automated Password Generator - Standalone version coreutils 6.10-6 The GNU core utilities krb5-admin-server 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos master server (kadmind) krb5-kdc 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server (KDC) krb5-user 1.6.dfsg.4~beta1-5lenny2 Basic programs to authenticate using MIT Kerberos ldap-utils 2.4.11-1+lenny1 OpenLDAP utilities openafs-client 1.4.7.dfsg1-6+lenny2 AFS distributed filesystem client support openafs-dbserver 1.4.7.dfsg1-6+lenny2 AFS distributed filesystem database server
The krb5-admin-server package is required, because kladmin creates Kerberos accounts using the kadmin.local program. Consequently, kladmin can only be run as root on the host running the Kerberos master KDC.
kladmin 0.2.1 − latest version − Download
8. See also
9. Further reading