Setting up Perun propagation to LDAP
All groups of resources with the ldap_lsaai service assigned to them are propagated to the LDAP server specified in the destination(s) of the resource’s facility. The setup requires preparation on both the Perun side and the LDAP owner’s side; this manual covers the Perun side.
Perun admin (LS AAI Operator) sets entityless attributes for UID and GID ranges in the desired namespace and creates the relevant attribute definitions if missing.
Perun admin (LS AAI Operator) prepares the service configuration: creates the service object and adds the required attributes to the service configuration.
The service ldap_lsaai can then be reused for different destinations.
Provisioning-specific steps:
Creation of a facility object in Perun UI (LS AAI operator or LDAP owner with correct permissions)
Setting up facility attributes (LS AAI operator or LDAP owner with correct permissions)
urn:perun:facility:attribute-def:def:ldapBaseDN = base DN for all entries. Users are added under ou=perun,ou=users,{ldapBaseDN}, groups under ou=perun,ou=groups,{ldapBaseDN}.
urn:perun:facility:attribute-def:def:uid-namespace = namespace in which users assigned to the facility get their UID generated by Perun. The UID is taken from the range pre-set for that namespace by the Perun admin. Multiple facilities in Perun can assign UIDs in the same namespace; the generated UIDs are unique within the namespace and stay within the allowed range.
urn:perun:facility:attribute-def:def:login-namespace = namespace of the logins used as user identifiers.
urn:perun:facility:attribute-def:def:unixGID-namespace = namespace in which groups assigned to the facility get their GID generated by Perun. The GID is taken from the range pre-set for that namespace by the Perun admin. Multiple facilities in Perun can assign GIDs in the same namespace; the generated GIDs are unique within the namespace and stay within the allowed range.
urn:perun:facility:attribute-def:def:unixGroupName-namespace = namespace in which the group is given its UNIX group name. If another group in this namespace already has the same UNIX group name, the same GID is assigned to it.
If these are set correctly, the GID and UID range attributes are generated automatically.
Creation of a resource object in Perun (LDAP owner)
===== repeat this part for all groups you want to provision =====
Assigning groups to the resource (LDAP owner, VO / group manager)
Setting group attributes (LDAP owner, VO / group manager):
urn:perun:group:attribute-def:def:unixGroupName-namespace:healthri = the value is used as the group name in LDAP; the GID is generated automatically.
===== end of the repeating part =====
Assigning the service to the resource = marks the resource as one of the sources for LDAP provisioning; all groups assigned to it are sent to LDAP when the service is enabled. (LDAP owner)
Adding a destination to the facility = specifies the server on which the Perun slave script, which writes the provisioned data into LDAP, is running. The server must allow SSH connections from the Perun server and must have both the slave script and the prescript set up. (LDAP owner)
Perun to LDAP attributes mapping
Group-related attributes
| LDAP | Perun |
|---|---|
| dn | cn={group:unixGroupName:healthri},ou=perun,ou=groups,{facility:ldapBaseDN} |
| cn | group:unixGroupName:healthri |
| gidNumber | group:unixGID:healthri |
| objectClass | top,posixGroup,groupOfNames |
User-related attributes
| LDAP | Perun |
|---|---|
| dn | cn={user:login:healthri},ou=perun,ou=users,{facility:ldapBaseDN} |
| uid | user:login:healthri |
| cn | user:login:healthri |
| sn | user:lastName |
| uidNumber | user:uid:healthri |
| gidNumber | user:uid:healthri |
| homeDirectory | /home/{user:login:healthri} |
| displayName | user:displayName |
| givenName | user:firstName |
|  | user:preferredMail |
| gecos | {user:displayName} <{user:preferredMail}> |
| sshKeys | user:sshPublicKey |
| objectClass | top,person,inetOrgPerson,posixAccount,ldapPublicKey |
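The two mapping tables above, carried through as an added example that is not Perun's own code: it builds the user and group LDAP entries from Perun attribute values, escapes the RDN value so a login containing DN metacharacters cannot change the entry's place in the tree, and serialises the result as LDIF. The namespace "healthri", the base DN and all sample data are assumptions.

```python
# Added example (not Perun's own code): builds the LDAP entries described by the
# mapping tables above. Namespace "healthri", base DN and sample data are assumed.
USER_CLASSES = ["top", "person", "inetOrgPerson", "posixAccount", "ldapPublicKey"]
GROUP_CLASSES = ["top", "posixGroup", "groupOfNames"]

def rdn_escape(value: str) -> str:
    """RFC 4514 escaping so a login such as 'a,b' cannot alter the DN layout."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def user_entry(user: dict, base_dn: str) -> dict:
    """Perun user attributes (names as in the table) -> LDAP entry."""
    login = user["login:healthri"]
    entry = {
        "dn": f"cn={rdn_escape(login)},ou=perun,ou=users,{base_dn}",
        "uid": login, "cn": login, "sn": user["lastName"],
        "uidNumber": str(user["uid:healthri"]),
        "gidNumber": str(user["uid:healthri"]),  # the table maps gidNumber to user:uid
        "homeDirectory": f"/home/{login}",
        "displayName": user["displayName"], "givenName": user["firstName"],
        "gecos": f'{user["displayName"]} <{user["preferredMail"]}>',
        "objectClass": list(USER_CLASSES),
    }
    if user.get("sshPublicKey"):  # multi-valued; left out when the user has no key
        entry["sshKeys"] = list(user["sshPublicKey"])
    return entry

def group_entry(group: dict, base_dn: str) -> dict:
    """Perun group attributes -> LDAP posixGroup entry."""
    name = group["unixGroupName:healthri"]
    return {"dn": f"cn={rdn_escape(name)},ou=perun,ou=groups,{base_dn}", "cn": name,
            "gidNumber": str(group["unixGID:healthri"]), "objectClass": list(GROUP_CLASSES)}

def to_ldif(entry: dict) -> str:
    """Serialise an entry as LDIF; list values become repeated attribute lines."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in (value if isinstance(value, list) else [value])]
    return "\n".join(lines) + "\n"

# Constructed sample input (no real accounts).
BASE_DN = "dc=example,dc=org"
SAMPLE_USER = {"login:healthri": "jdoe", "uid:healthri": 10001, "firstName": "John",
               "lastName": "Doe", "displayName": "John Doe",
               "preferredMail": "john.doe@example.org", "sshPublicKey": ["ssh-ed25519 AAAA jdoe"]}
SAMPLE_GROUP = {"unixGroupName:healthri": "researchers", "unixGID:healthri": 20001}
```

Running `to_ldif(user_entry(SAMPLE_USER, BASE_DN))` yields the user entry as the slave script would have to create it under ou=perun,ou=users.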
Support: perun@cesnet.cz