2.1 KiB
Eaccounts (Experiment Account)
The eaccounts are managed via the Digital User Office (DUO) and used for single experiments at the beamlines.
Eaccounts reside in the AD in the subtree OU=users,OU=experiment,OU=it,DC=d,DC=psi,DC=ch whereas normal accounts are found below OU=Users,OU=PSI,DC=d,DC=psi,DC=ch
Normally eaccounts start with e followed by their uid. Some eaccounts where used not only for single experiments, more like GAC accounts, and have thus been renamed:
gac-alvra
gac-cristall
gac-bernina
gac-femto
gac-furka
gac-maloja
gac-slab
gac-x01dc
gac-x02da
gac-x03da
gac-x03ma
gac-x04db
gac-x04sa
gac-x05da
gac-x05la
gac-x06da
gac-x06sa
gac-x07da
gac-x07db
gac-x07ma
gac-x07mb
gac-x09la
gac-x09lb
gac-x10da
gac-x10sa
gac-x11ma
gac-x12sa
gac-x12saop
gac-x96sa
Allow Eaccounts
aaa::enable_eaccounts: true
in Hiera enables eaccounts on a system, default is false.
Eaccounts and override_homedir
By default the override_homedir setting (in Hiera aaa::override_homedir ore base::local_homes) is ignored for eaccounts.
The way this has been solved causes problems with group member lookups with eaccounts enabled.
Without eaccounts only normal users are found as part of the group (which is correct):
[root@lxdev04 ~]# getent group SARESA
SARESA:*:35184:babic_a,ebner,kapeller,...,huppert_m,carulla_m,schoel_m
[root@lxdev04 ~]#
but with eaccounts enabled only the eaccount members are listed:
[root@lxdev01 ~]# getent group SARESA
SARESA:*:35184:e21996,e21997,e21992,...,e17806,e17589,gac-alvra
[root@lxdev01 ~]#
If for a system this is a problem, and at the same time there is no need for ignoring override_homedir, you may enable the eaccounts with
aaa::enable_eaccounts: true
aaa::enable_eaccounts::ignore_override_homedir: false
then you get both type of members:
[root@lxdev07 ~]# getent group SARESA
SARESA:*:35184:e21996,...,e17589,ext-kapetanaki_s,...,ext-tyrala_k
[root@lxdev07 ~]#
There is a open case at RedHat on how to deal best with this problem.