Procedure to add members in the DTeam Virtual Organization (VO) configured in LDAP by the LCG Deployment Team
Last update: 2006-01-30
Objective:
To include a member in one of the VOs installed on our LDAP server, e.g. the LCG Deployment Team Virtual Organization (VO). In LDAP terms: add cn=Firstname Surname under ou=people of group ou=lcg1 belonging to o=dteam,dc=lcg,dc=org
Mandatory prerequisite checking:
Before accepting a candidate user as a member of the VO, it is the task of the VO manager to perform a series of out-of-band verification procedures which should prove the eligibility of the user to become part of the VO as well as the validity of his/her data. The kind of information that needs checking is defined in the User Registration and VO membership Requirements Document. The way to proceed is:
- The VO manager, as a member of the mailing list project-lcg-vo-dteam-admin@cern.ch, automatically receives an email produced at the end of a successful registration as far as the Usage Rules' acceptance is concerned.
- As soon as the VO manager receives such a message, he/she has to identify the user's Institute Representatives (IRs) who will verify the data in the mail. To do this:
  - Check in the GOC database the existence of the candidate's Institute as a properly registered site.
  - If the site exists and the candidate is present on the site's page as one of the site contacts with the same email address, we accept him/her in DTEAM without further verification but we send the explanation of this acceptance to project-lcg-vo-dteam-admin@cern.ch for auditing purposes.
  - If the site exists but the candidate doesn't appear on the page, we send email to the address of the field Site email. That is, ideally, a generic mailing list from the candidate's Institute. If yes, take the address of the relevant site contacts (who also play the role of IRs in the absence of more appropriate lists) and forward to them the user membership email request with the following introductory text:
Dear colleagues,
could you please confirm that [VO-candidate-Name-here] is eligible to
join the DTEAM VO and check the validity of his data.
Thanks and regards
The DTEAM VO management
- If the conclusion is that the candidate user works for an Institute which is not properly registered, send him/her the following standard message:
Dear DTEAM VO membership requester,
in order to be a member of this VO you have to be associated with a
registered site and you have to be involved in its operation.
We have currently no information regarding your site. Due to security
policies you are requested to fill a form that you will find in the
appendix of the current installation notes, linked from
http://cern.ch/grid-deployment/cgi-bin/index.cgi?var=gis/how2Start .
Please submit this form, when completed, to your ROC manager
who you can find from http://cern.ch/egee-sa1/ROC-support.htm
Please contact the deployment team: support-lcg-deployment@cern.ch
for further information.
Best regards
The DTEAM VO management
- Once the site registration is properly completed:
  - Insert the site contacts to the project-lcg-vo-sites@cern.ch list. Make sure the address is a generic mailing list. This has the advantage of a single point of contact for lcg administrators at the user's Institute.
  - Check point 2.1. above, in order to check with the user's IRs his/her eligibility to join the VO and the validity of his/her data.
Steps to follow:
Log in with the AFS account lcgreg, e.g. type: ssh lcgreg@lcg-vo.cern.ch
Open the mail inbox, e.g. type: pine
Save (=Export, if you use "pine") the message with "Subject: LCG VO account request - GivenName FamilyName" in file ~/new_member.pem
NB!! Please use the (home) directory and filename given above as they are used as such by the commands used later on in the procedure.
Exit the mail reader.
Type: cd dteam-vo
Type: prepare-member
Type: add-member
The commands 'prepare-member' and 'add-member' run the Perl script cert2ldif.pl and the command ldapadd with the right options. More information about the purpose of these commands can be found in the dteam set-up document.
You will be prompted to type the LDAP rootpw (as defined in file /etc/openldap/slapd.conf on lcg-vo.cern.ch).
Open an LDAP browser to accept this new member in the group lcg1. Proceed as follows:
- Connect to the DTEAM VO. Configuration parameters for this connection:
Host: lcg-vo.cern.ch
Base DN: o=dteam,dc=lcg,dc=org (Select SSL)
User DN: cn=manager,dc=root
The VO update procedure is:
Edit --> Add Attribute --> member. The entry will be the output of the
add-member command. Example:
cn=Maria Dimou,ou=People,o=dteam,dc=lcg,dc=org
Type: notify-member
This is the last step of the procedure. It sends the requestor and the dteam-admin list an email confirmation of the successful processing of the request.
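
The "Add Attribute --> member" step above can also be written as an LDIF modify record. The following is an added example, not part of the original procedure and not the code of cert2ldif.pl or add-member; it shows how to build the member DN with RFC 4514 escaping and RFC 2849 base64 encoding, so that a name containing commas, non-ASCII characters or line breaks cannot change the DN or the record. The function names are hypothetical, and the group DN ou=lcg1,o=dteam,dc=lcg,dc=org is assumed from the Objective section.

```python
import base64

# From the page: people branch and the lcg1 group of the DTEAM VO.
PEOPLE_BASE = "ou=People,o=dteam,dc=lcg,dc=org"
GROUP_DN = "ou=lcg1,o=dteam,dc=lcg,dc=org"  # assumed composition of the group DN


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    if not value or "\x00" in value:
        raise ValueError("empty name or NUL byte")
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)          # special anywhere in the value
        elif ch == "#" and i == 0:
            out.append("\\#")              # special only as first character
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")              # leading or trailing space
        else:
            out.append(ch)
    return "".join(out)


def member_dn(common_name: str) -> str:
    """DN of the person entry, as expected by the group's member attribute."""
    return f"cn={escape_rdn_value(common_name)},{PEOPLE_BASE}"


def ldif_attr(name: str, value: str) -> str:
    """One LDIF line; values that are not SAFE-STRING are base64 (RFC 2849)."""
    safe = (all(0 < ord(c) < 128 and c not in "\r\n" for c in value)
            and value[:1] not in (" ", ":", "<")
            and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def add_member_ldif(common_name: str) -> str:
    """LDIF modify record adding the person to the lcg1 group."""
    lines = [ldif_attr("dn", GROUP_DN), "changetype: modify", "add: member",
             ldif_attr("member", member_dn(common_name)), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_member_ldif("Maria Dimou"), end="")
```

Compare the generated member value with the output of add-member before applying it; a mismatch means the name in the request needs a manual look.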
Maria Dimou, IT/GD,
Grid Infrastructure Services