Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity
Files
cdcc025dbd4c2f4288505ffec4e2bfcffe7cc9af
gitea-pages/admin-guide/configuration/access/eaccounts.md
T
ebner 022c1c213c improve description
2025-01-31 14:40:10 +01:00

85 lines
2.2 KiB
Markdown
Raw Blame History

# Eaccounts (Experiment Account)
The eaccounts are managed via the Digital User Office (DUO) and used for single experiments at the beamlines.
Eaccounts reside in the AD in the subtree `OU=users,OU=experiment,OU=it,DC=d,DC=psi,DC=ch` whereas normal accounts are found below `OU=Users,OU=PSI,DC=d,DC=psi,DC=ch`
Normally eaccounts start with `e` followed by their uid. Some eaccounts where used not only for single experiments, more like GAC accounts, and have thus been renamed:
```
gac-alvra
gac-cristall
gac-bernina
gac-femto
gac-furka
gac-maloja
gac-slab
gac-x01dc
gac-x02da
gac-x03da
gac-x03ma
gac-x04db
gac-x04sa
gac-x05da
gac-x05la
gac-x06da
gac-x06sa
gac-x07da
gac-x07db
gac-x07ma
gac-x07mb
gac-x09la
gac-x09lb
gac-x10da
gac-x10sa
gac-x11ma
gac-x12sa
gac-x12saop
gac-x96sa
```
An eaccount is usually exactly bound to one beamline/endstations and is part of the beamlines/endstations group BEAMLINE (e.g. X06DA)
## Allow Eaccounts
```
aaa::allow_experiment_accounts: true
```
in Hiera enables eaccounts on a system, default is `false`.
## Eaccounts and `override_homedir`
By default the `override_homedir` setting (in Hiera `aaa::override_homedir` ore `base::local_homes`) is ignored for eaccounts.
The way this has been solved causes problems with group member lookups with eaccounts enabled.
Without eaccounts only normal users are found as part of the group (which is correct):
```
[root@lxdev04 ~]# getent group SARESA
SARESA:*:35184:babic_a,ebner,kapeller,...,huppert_m,carulla_m,schoel_m
[root@lxdev04 ~]#
```
but with eaccounts enabled only the eaccount members are listed:
```
[root@lxdev01 ~]# getent group SARESA
SARESA:*:35184:e21996,e21997,e21992,...,e17806,e17589,gac-alvra
[root@lxdev01 ~]#
```
If for a system this is a problem, and at the same time there is no need for ignoring `override_homedir`, you may enable the eaccounts with
```
aaa::allow_experiment_accounts: true
aaa::enable_eaccounts::ignore_override_homedir: false
```
then you get both type of members:
```
[root@lxdev07 ~]# getent group SARESA
SARESA:*:35184:e21996,...,e17589,ext-kapetanaki_s,...,ext-tyrala_k
[root@lxdev07 ~]#
```
There is a [open case](https://access.redhat.com/support/cases/#/case/03912615) at RedHat on how to deal best with this problem.
View Git Blame Copy Permalink