Procedure to add members to
the DTeam Virtual Organization (VO) configured in LDAP by the LCG Deployment Team

Last update: 2006-01-30

Objective:
To include a member in one of the VOs installed on our LDAP server, here the LCG Deployment Team Virtual Organization (VO). In LDAP terms: add the entry cn=Firstname Surname under ou=People of o=dteam,dc=lcg,dc=org and list that entry's DN as a member of the group lcg1.

Mandatory prerequisite checking:
Before accepting a candidate user as a member of the VO, it is the task of the VO manager to perform a series of out-of-band verification steps that establish both the eligibility of the user to become part of the VO and the validity of his/her data. The kind of information that needs checking is defined in the User Registration and VO membership Requirements Document. The way to proceed is:

  1. The VO manager, as a member of the mailing list project-lcg-vo-dteam-admin@cern.ch, automatically receives an email produced at the end of a registration in which the candidate has accepted the Usage Rules.
  2. As soon as the VO manager receives such a message, he/she has to identify the user's Institute Representatives (IRs) who will verify the data in the mail. To do this:
    1. Check in the GOC database the existence of the candidate's Institute as a properly registered site.
      1. If the site exists and the candidate is listed on the site's page as one of the site contacts with the same email address, we accept him/her in DTEAM without further verification, but we send a note explaining this acceptance to project-lcg-vo-dteam-admin@cern.ch for auditing purposes.
      2. If the site exists but the candidate does not appear on the page, we send email to the address in the field "Site email". That is, ideally, a generic mailing list of the candidate's Institute. If no such list exists, take the address of the relevant site contacts (who act as IRs in the absence of a more appropriate list) and forward to them the user's membership request with the following introductory text:
        Dear colleagues,
        could you please confirm that [VO-candidate-Name-here] is eligible to join the DTEAM VO and check the validity of his/her data.
        Thanks and regards
        The DTEAM VO management
    2. If the conclusion is that the candidate user works for an Institute which is not properly registered, send him/her the following standard message:
      Dear DTEAM VO membership requester,
      in order to be a member of this VO you have to be associated with a
      registered site and you have to be involved in its operation.
      We currently have no information regarding your site. Due to security
      policies you are requested to fill in a form that you will find in the
      appendix of the current installation notes, linked from
      http://cern.ch/grid-deployment/cgi-bin/index.cgi?var=gis/how2Start .
      Please submit this form, when completed, to your ROC manager
      who you can find from http://cern.ch/egee-sa1/ROC-support.htm
      Please contact the deployment team: support-lcg-deployment@cern.ch
      for further information.
      Best regards
      The DTEAM VO management

    3. Once the site registration is properly completed:
      1. Add the site contacts to the project-lcg-vo-sites@cern.ch list. Make sure the address is a generic mailing list: this gives a single point of contact for the LCG administrators at the user's Institute.
      2. Go back to step 2.1 above and check with the user's IRs his/her eligibility to join the VO and the validity of his/her data.

Steps to follow:

Log in with the AFS account lcgreg, e.g. type: ssh lcgreg@lcg-vo.cern.ch
Open the mail inbox, e.g. type: pine

Save (=Export, if you use "pine") the message with the subject "LCG VO account request - GivenName FamilyName" to the file ~/new_member.pem
NB!!
Use exactly the (home) directory and filename given above: the commands used later in the procedure rely on this path as it is.
Exit the mail reader.

Type: cd dteam-vo

Type: prepare-member

Type: add-member

The commands 'prepare-member' and 'add-member' run the Perl script cert2ldif.pl and the command ldapadd with the right options. More information about the purpose of these commands can be found in the dteam set-up document.
You will be prompted to type the LDAP rootpw (as defined in the file /etc/openldap/slapd.conf on lcg-vo.cern.ch). That file should be readable only by the user slapd runs as, and the rootpw entry should hold a hashed value (as produced by slappasswd) rather than the cleartext password.

Open an LDAP browser to accept this new member in the group lcg1. Proceed as follows:

  1. Connect to the DTEAM VO. Configuration parameters for this connection:
    Host: lcg-vo.cern.ch (select SSL)
    Base DN: o=dteam,dc=lcg,dc=org
    User DN: cn=manager,dc=root
  2. Select the group lcg1 and update it:
    Edit --> Add Attribute --> member. The value is the DN printed by the add-member command. Example:
    cn=Maria Dimou,ou=People,o=dteam,dc=lcg,dc=org

Type: notify-member

This is the last step of the procedure. It sends the requestor and the dteam-admin list an email confirmation of the successful processing of the request.
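The LDAP part of the procedure above (the ldapadd done by add-member and the member addition done by hand in the LDAP browser), as an added shell example that is not the page's own prepare-member/add-member/cert2ldif.pl scripts, whose contents are not on this page. It generates the two LDIF fragments and prints the ldapadd/ldapmodify command lines instead of running them, so it can be tried offline. It assumes (not stated on the page) that the group entry is ou=lcg1,o=dteam,dc=lcg,dc=org, that the person entry uses the inetOrgPerson object class, and that the certificate subject is kept in a description attribute; the sample name and address are constructed. The two escaping helpers are the part worth keeping: a name containing "," would otherwise silently turn into a DN with an extra RDN, and a DN pasted unescaped into a search filter can change the filter's meaning.

```shell
#!/bin/sh
# Added example, not the page's own prepare-member/add-member/cert2ldif.pl scripts.
# Assumptions not taken from the page: group DN ou=lcg1,o=dteam,dc=lcg,dc=org,
# inetOrgPerson for the person entry, certificate subject in "description".

BASE_DN='o=dteam,dc=lcg,dc=org'
PEOPLE_OU="ou=People,$BASE_DN"
GROUP_DN="ou=lcg1,$BASE_DN"          # assumed; the page only names the group "lcg1"
LDAP_URI='ldaps://lcg-vo.cern.ch'    # page: host lcg-vo.cern.ch, "select SSL"
BIND_DN='cn=manager,dc=root'         # page: User DN of the LDAP browser connection

# RFC 4514 escaping for an attribute value inside a DN. Backslash is handled first
# so the backslashes added for the other characters are not escaped again.
dn_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;]/\\&/g' \
        -e 's/^#/\\#/' -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# RFC 4515 escaping for a value inside a search filter (different rules from a DN:
# here \ * ( ) matter and commas do not).
filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# LDIF (RFC 2849) requires base64 ("attr:: ...") for values that are not plain
# printable ASCII, or that start with space, ':' or '<', or end with a space.
needs_b64() {
    case "$1" in ' '*|:*|'<'*|*' ') return 0 ;; esac
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}
ldif_attr() {   # $1 = attribute name, $2 = value
    if needs_b64 "$2"; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

person_dn() {   # $1 = "Firstname Surname", as in the page's example cn=Maria Dimou
    printf 'cn=%s,%s' "$(dn_escape "$1")" "$PEOPLE_OU"
}

# LDIF for the new entry under ou=People (what add-member feeds to ldapadd).
person_ldif() { # $1 = name, $2 = e-mail from the request, $3 = certificate subject
    ldif_attr dn "$(person_dn "$1")"
    ldif_attr objectClass inetOrgPerson
    ldif_attr cn "$1"
    ldif_attr sn "${1##* }"
    ldif_attr mail "$2"
    ldif_attr description "$3"
}

# LDIF modify record doing what the LDAP-browser step does by hand.
group_member_ldif() {   # $1 = name
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n-\n' \
        "$GROUP_DN" "$(person_dn "$1")"
}

# Search filter to check, before the modify, that the DN is not already a member.
member_filter() {   # $1 = name
    printf '(member=%s)' "$(filter_escape "$(person_dn "$1")")"
}

# The commands an operator would then run on lcg-vo.cern.ch. -W prompts for the
# rootpw, so it never appears on the command line or in the shell history.
show_commands() {   # $1 = name
    printf '%s\n' "ldapsearch -x -H $LDAP_URI -D '$BIND_DN' -W -b '$GROUP_DN' '$(member_filter "$1")' member"
    printf '%s\n' "ldapadd    -x -H $LDAP_URI -D '$BIND_DN' -W -f ~/dteam-vo/new_member.ldif"
    printf '%s\n' "ldapmodify -x -H $LDAP_URI -D '$BIND_DN' -W -f ~/dteam-vo/lcg1_member.ldif"
}

# Constructed sample input (not a real request); the name deliberately contains a comma.
NAME='Mary O,Brien'
person_ldif "$NAME" 'mary.obrien@example.org' '/C=XX/O=Example/CN=Mary OBrien'
echo
group_member_ldif "$NAME"
echo
show_commands "$NAME"
```

Run the ldapsearch first: if it returns the member line the DN is already in lcg1 and the ldapmodify would fail with "Type or value exists", which is the right outcome but worth knowing before you start. Redirect person_ldif and group_member_ldif into the two files named in show_commands, then run the remaining two commands from ~/dteam-vo as the procedure does.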

Maria Dimou, IT/GD, Grid Infrastructure Services