Account Creator

From UGCS
Revision as of 07:10, 13 December 2008 by Jdhutchin@ugcs.caltech.edu (Talk | contribs)

This page describes both sides of the account creator: the user-facing part and the administrator part.

Login for newacct@to

The login shell for newacct is set to /afs/ugcs/public/newacct/account_creator.py. This is a Python script that runs each of the scripts in /afs/ugcs/public/newacct/create_account in sequence. It also uses some helper libraries in /afs/ugcs/public/newacct. Remember that this lives on a read-only AFS volume: after you make changes, be sure to run "vos release public" so they become visible.

The scripts take care of each step of the account creation process: they collect the basic information, verify that the account name isn't taken, and so on. The password the user entered is then used to initialize a disabled Kerberos token. To make sure this can't be used maliciously, the actual creation is done through a remctl script on dionysus, which also forces the Kerberos token to be disabled, so it can't be used until a sysadmin unlocks it.

Once all steps are done, emails are sent to sysadmins@ugcs and to the user's contact address. A Python pickle of the user data is put in /afs/.ugcs/newacct-drop, where a sysadmin can retrieve it to create the account.
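The user-side flow above (run the steps in order, stop at the first failure, then leave a pickle in the drop directory) as an added example. This is not the UGCS account_creator.py: the field names, the <user>.pkl naming in the drop directory, the username rule and the demo input are all assumptions, and the Kerberos/remctl step is only a placeholder comment.

```python
"""Request pipeline in the style of account_creator.py: run each step in
order, stop at the first failure, then leave a pickle for the sysadmins.
Added example, not the UGCS script. The field names, the <user>.pkl drop
naming and the username rule are assumptions; the Kerberos/remctl step is
only a placeholder comment."""
import os
import pickle
import re
import tempfile

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,15}$")    # assumed site rule


def validate_username(name):
    """Return None if acceptable, otherwise the reason it is not."""
    if not USERNAME_RE.match(name):
        return "username must be 1-16 lowercase letters, digits or _"
    return None


def check_not_taken(name, existing):
    """existing: names already in use (from LDAP/Kerberos in real life);
    compared case-insensitively so 'Alice' cannot shadow 'alice'."""
    return name.lower() not in {e.lower() for e in existing}


def run_steps(steps, state):
    """Each step inspects/mutates state and returns an error string to abort.
    The first failure stops the run, so bad input never reaches the drop."""
    for step in steps:
        err = step(state)
        if err:
            return err
    return None


def write_drop(state, drop_dir):
    """Write the request atomically (temp file + rename) so the admin side
    never picks up a half-written pickle; the temp name is hidden."""
    os.makedirs(drop_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=drop_dir, prefix=".tmp-")
    with os.fdopen(fd, "wb") as fh:
        pickle.dump(state, fh)
    final = os.path.join(drop_dir, state["username"] + ".pkl")
    os.replace(tmp, final)
    return final


def request_account(answers, existing, drop_dir=None):
    """answers: what the user typed (username, fullname, contact, password).
    drop_dir defaults to a fresh temp dir so the example runs anywhere."""
    drop_dir = drop_dir or tempfile.mkdtemp()
    state = {k: answers[k].strip() for k in ("username", "fullname", "contact")}
    steps = [
        lambda s: validate_username(s["username"]),
        lambda s: None if check_not_taken(s["username"], existing)
        else f"username {s['username']} is already taken",
        lambda s: None if "@" in s["contact"] else "contact is not an email",
        # The real script would now use answers["password"] to create the
        # disabled Kerberos token via remctl; the password is never pickled.
    ]
    err = run_steps(steps, state)
    if err:
        return {"ok": False, "error": err}
    return {"ok": True, "drop_file": write_drop(state, drop_dir)}


def demo():
    """Constructed input: one clean request and one that clashes."""
    existing = {"alice", "bob"}
    good = request_account({"username": "jdoe", "fullname": "J. Doe",
                            "contact": "jdoe@example.org", "password": "x"},
                           existing)
    clash = request_account({"username": "alice", "fullname": "A. Other",
                             "contact": "a@example.org", "password": "x"},
                            existing)
    return good, clash
```

The ordering matters: the name check runs before anything is written, and the only thing that ever reaches the drop directory is the request metadata, never the password that was used for the Kerberos token.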

There is a "development" version in /afs/.ugcs/ugcs-admin/create_account. After you copy changes into the live version, double-check that the account creator still works.

Admin part

The rest of the account creation process is done by another set of Python scripts, this time in /afs/.ugcs/ugcs-admin/newuser. They take care of everything except creating the Kerberos token: they create the LDAP user and group, unlock the Kerberos token (this requires a /admin password), create and initialize the home directory, and set up the Postgres database.

The script /afs/.ugcs/ugcs-admin/create-pending-account.py is the frontend to these scripts. Run without arguments, it prints the list of pending users. With -a, it prompts you to create all pending users. Otherwise, it tries to create the named user. It also does some rudimentary locking; sometimes this breaks and you'll have to remove the lockfile manually.
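The admin-side frontend described above, as an added example rather than the UGCS create-pending-account.py: listing pending users from the drop directory, the no-argument / -a / named-user dispatch, and a lockfile whose stale-lock case (a crashed run that never removed it, the situation the page says needs a manual cleanup) is reclaimed automatically. Since the drop files are pickles written by the unprivileged newacct side, the loader is a restricted Unpickler that only reconstructs plain data types. The record layout (a dict with a "username" key), the <user>.pkl naming, the lock file location and the demo data are assumptions.

```python
"""Pending-account frontend in the style of create-pending-account.py.
Added example, not the UGCS script: the record layout (a dict with a
'username' key), the <user>.pkl naming and the lock file are assumptions."""
import os
import pickle
import tempfile

# A drop record is a plain dict of strings, so only these builtins may be
# reconstructed; plain pickle.load() would import and call anything it names.
SAFE_BUILTINS = {"dict", "list", "str", "int", "bool", "set"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_record(path):
    with open(path, "rb") as fh:
        return RestrictedUnpickler(fh).load()


def list_pending(drop_dir):
    """Pending users are the non-hidden *.pkl files in the drop directory."""
    return sorted(f[:-4] for f in os.listdir(drop_dir)
                  if f.endswith(".pkl") and not f.startswith("."))


def _pid_alive(pid):
    try:
        os.kill(pid, 0)                # signal 0 only tests existence
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                    # exists, owned by another user
    return True


def acquire_lock(lock_path):
    """O_EXCL lock file holding our pid. A lock whose owner pid is gone is a
    crashed run's leftover: reclaim it instead of requiring a manual rm."""
    try:
        fd = os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        with open(lock_path) as fh:
            owner = fh.read().strip()
        if owner.isdigit() and int(owner) > 0 and _pid_alive(int(owner)):
            return False
        os.unlink(lock_path)           # stale, try once more
        return acquire_lock(lock_path)
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))
    return True


def process(argv, drop_dir, lock_path, create_fn):
    """No args: list. '-a': every pending user. Otherwise the named user.
    create_fn(record) stands in for the LDAP, Kerberos-unlock, home-directory
    and postgres steps and is supplied by the caller."""
    pending = list_pending(drop_dir)
    if not argv:
        return {"listed": pending, "created": []}
    targets = pending if argv == ["-a"] else [argv[0]]
    if not acquire_lock(lock_path):
        raise RuntimeError(f"another run holds {lock_path}")
    created = []
    try:
        for user in targets:
            if user not in pending:
                raise KeyError(f"no pending request for {user}")
            path = os.path.join(drop_dir, user + ".pkl")
            record = load_record(path)
            if record.get("username") != user:
                raise ValueError(f"{path}: contents do not match file name")
            create_fn(record)
            os.unlink(path)            # consumed, so it is not listed again
            created.append(user)
    finally:
        os.unlink(lock_path)
    return {"listed": pending, "created": created}


def demo():
    """Constructed drop directory: two honest records and one pickle that
    names a function, which the restricted loader must refuse."""
    d = tempfile.mkdtemp()
    for u in ("alice", "bob"):
        with open(os.path.join(d, u + ".pkl"), "wb") as fh:
            pickle.dump({"username": u, "contact": u + "@example.org"}, fh)
    with open(os.path.join(d, "mallory.pkl"), "wb") as fh:
        pickle.dump(os.getcwd, fh)     # a global reference, not data
    lock = os.path.join(d, "lock")
    out = {"listed": process([], d, lock, None)["listed"]}
    try:
        load_record(os.path.join(d, "mallory.pkl"))
        out["refused"] = False
    except pickle.UnpicklingError:
        out["refused"] = True
    os.unlink(os.path.join(d, "mallory.pkl"))
    with open(lock, "w") as fh:
        fh.write("0")                  # stale lock: pid 0 is nobody's run
    out["created"] = process(["-a"], d, lock, lambda rec: None)["created"]
    out.update(dir=d, lock=lock)
    return out
```

The lock is a single O_EXCL create with the owner's pid inside, which is what "rudimentary locking" usually means; the stale check is what turns the page's "manually remove a lockfile" step into something the script handles itself, while a lock held by a live process still refuses the second run.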
