forked from Controls/gitea-pages
document eaccounts
@@ -69,6 +69,7 @@ chapters:
|
||||
- file: admin-guide/configuration/xrdp
|
||||
- file: admin-guide/configuration/puppet_agent
|
||||
- file: admin-guide/configuration/sudo
|
||||
- file: admin-guide/configuration/eaccounts
|
||||
- file: admin-guide/configuration/ntp_client
|
||||
- file: admin-guide/configuration/keyboard_layout
|
||||
- file: admin-guide/configuration/autologin
|
||||
|
||||
@@ -0,0 +1,81 @@
|
||||
# Eaccounts (Experiment Account)
|
||||
|
||||
The eaccounts are managed via the Digital User Office (DUO) and used for single experiments at the beamlines.
|
||||
|
||||
Eaccounts reside in the AD in the subtree `OU=users,OU=experiment,OU=it,DC=d,DC=psi,DC=ch` whereas normal accounts are found below `OU=Users,OU=PSI,DC=d,DC=psi,DC=ch`
|
||||
|
||||
Normally eaccounts start with `e` followed by their uid. Some eaccounts where used not only for single experiments, more like GAC accounts, and have thus been renamed:
|
||||
```
|
||||
gac-alvra
|
||||
gac-cristall
|
||||
gac-bernina
|
||||
gac-femto
|
||||
gac-furka
|
||||
gac-maloja
|
||||
gac-slab
|
||||
gac-x01dc
|
||||
gac-x02da
|
||||
gac-x03da
|
||||
gac-x03ma
|
||||
gac-x04db
|
||||
gac-x04sa
|
||||
gac-x05da
|
||||
gac-x05la
|
||||
gac-x06da
|
||||
gac-x06sa
|
||||
gac-x07da
|
||||
gac-x07db
|
||||
gac-x07ma
|
||||
gac-x07mb
|
||||
gac-x09la
|
||||
gac-x09lb
|
||||
gac-x10da
|
||||
gac-x10sa
|
||||
gac-x11ma
|
||||
gac-x12sa
|
||||
gac-x12saop
|
||||
gac-x96sa
|
||||
```
|
||||
|
||||
## Allow Eaccounts
|
||||
|
||||
```
|
||||
aaa::enable_eaccounts: true
|
||||
```
|
||||
|
||||
in Hiera enables eaccounts on a system, default is `false`.
|
||||
|
||||
## Eaccounts and `override_homedir`
|
||||
|
||||
By default the `override_homedir` setting (in Hiera `aaa::override_homedir` ore `base::local_homes`) is ignored for eaccounts.
|
||||
The way this has been solved causes problems with group member lookups with eaccounts enabled.
|
||||
|
||||
Without eaccounts only normal users are found as part of the group (which is correct):
|
||||
```
|
||||
[root@lxdev04 ~]# getent group p21996
|
||||
p21996:*:21996:dorigo_a,cirelli_c
|
||||
[root@lxdev04 ~]#
|
||||
```
|
||||
|
||||
but with eaccounts enabled only the eaccount members are listed:
|
||||
```
|
||||
[root@lxdev01 ~]# getent group p21996
|
||||
p21996:*:21996:e21996
|
||||
[root@lxdev01 ~]#
|
||||
```
|
||||
|
||||
If for a system this is a problem, and at the same time there is no need for ignoring `override_homedir`, you may enable the eaccounts with
|
||||
|
||||
```
|
||||
aaa::enable_eaccounts: true
|
||||
aaa::enable_eaccounts::ignore_override_homedir: false
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
There is a [open case](https://access.redhat.com/support/cases/#/case/03912615) at RedHat on how to deal best with this problem.
|
||||
|
||||
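Review bot: In the "Eaccounts and `override_homedir`" section, the two `getent group p21996` outputs show the eaccount member (`e21996`) replacing the normal members (`dorigo_a,cirelli_c`) rather than being added to them, but the text does not say what this means for anything on the system that relies on enumerating group members. It also does not say what changes for eaccount home directories once `aaa::enable_eaccounts::ignore_override_homedir: false` is set. Suggest adding a sentence on each so an admin can judge the trade-off, and stating the default of `ignore_override_homedir` explicitly, as is done for `aaa::enable_eaccounts`. The two outputs come from different hosts (`lxdev04` and `lxdev01`); either say so in the text or show both states from the same host. Smaller points: "where used" should be "were used", "ore" should be "or", "a open case" should be "an open case", and the run of blank lines before that last sentence can be dropped. The link points into the Red Hat support case portal, so a one-line summary of the case would help readers who cannot open it.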