
LDAP Client configuration... even you can do it!

LDAP Client Configuration for SCL users and administrators

If you are reading this, you are most likely interested in adding data to the LDAP database at the SCL, whether it be equipment, users, or other things. If you are not part of the SCL, some of this information may be helpful to you, but it may not apply to your database situation, as the SCL may run its server differently than you do. Any questions regarding this document can be sent to help@scl.ameslab.gov



Logging in to the Server

First, you need to log in to the server with a graphical client (you don't necessarily NEED a GUI, but it makes life simpler for small tasks). Using a console (or an X11 console if you are running Mac OS X; email help if you need to get this), type the following:

ssh -X gatekeeper

If gatekeeper asks you for a password, please type it in. What you do from here depends on what you need to edit in the database. Unless you are simply modifying your shell, you'll need Kerberos admin tickets.

kinit $USER/admin

If you cannot get tickets this way, then you do not have admin principals, which means that you should not be able to modify the LDAP database (excluding your command shell at login). Please write to help to fix this. If you can get tickets from this command, open gq, the graphical LDAP modification utility.

gq

Once you are here, you will have to change your settings (if you have not done so in a previous session), then continue on to modifying the database.

Setting up GQ

Once you are in GQ, you will have to change what server you are looking at, and set the authentication to this server. To do this, click file -> preferences, then a new window should pop up. Click the servers tab, and click the new button, which will then open up a new server menu.

Fill in the values under general as you see above. These values will set what server you're looking at, the base dn (the base of all your searches under this server), and also specify the port for accessing the database. These values should never be changed. After this has been done, click the details tab, and set the bind type to sasl.




If this is not set to sasl, you will not be able to modify entries in the database, so it's always a good idea to leave binding set to sasl. Once these settings are made, you are now ready to start looking for things inside the ldap database, and start modifying entries.

Using GQ to Search & Modify

Now that we have a working configuration, close the program and re-open it to find your new server is there and ready to go. As our first task, let's use GQ to modify your default shell when you log in to the SCL. To do this, we first need to find your entry. There are two different ways to go about this. You can look at the entire database under the browse tab, expand the database to hal -> dc=scl,dc=ameslab,dc=gov -> ou=people -> uid=(your username here), and then open it up and change the shell. An easier way of finding yourself within the database is to use the searching tool built in to GQ. In the main window, click the box that says “search,” and change it to “filter.” Then click in the box and type in the name that you are looking for. Once you do this, select the entry that appears, and modify the corresponding entry in the new window that appears.




As you can see from this entry, Dan Ketcham's loginShell variable is set to /bin/bash. If we were to change this to /bin/tcsh, he would normally log in with tcsh as his shell instead of bash. Feel free to edit this line, but do not put in an incorrect value, as you will find it very hard to log in to the network without a correct shell. At this point, modifying your shell is the only non-administrative change a normal user can make to the ldap database, and this will most likely change in the future. If you are not an administrator, and you need something added, changed, or deleted, please either talk to your supervisor, or send an email to help@scl.ameslab.gov and we will assist you.
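The same loginShell change can be prepared without a GUI. The following is an added example, not SCL's own tooling: it refuses to produce the LDIF unless the new shell is listed in a shells file, which guards against the mistyped value warned about above. The function name, the use of /etc/shells as the list of valid shells, the ldap://hal URI and the base DN spelling (read from the browse path) are assumptions.

```shell
#!/bin/sh
# Added example. BASE_DN is assumed from the browse path described in the text.
BASE_DN="ou=people,dc=scl,dc=ameslab,dc=gov"

# make_shell_ldif USERNAME NEW_SHELL [SHELLS_FILE]   (hypothetical helper)
# Prints an LDIF "replace loginShell" record on stdout, or returns non-zero
# and prints nothing on stdout if the input looks unsafe.
make_shell_ldif() {
    uid=$1
    new_shell=$2
    shells_file=${3:-/etc/shells}

    # Reject anything that could alter the DN or inject extra LDIF lines.
    case $uid in
        ''|*[!a-z0-9_-]*) echo "bad username" >&2; return 1 ;;
    esac
    case $new_shell in
        /*) ;;
        *) echo "shell must be an absolute path" >&2; return 1 ;;
    esac
    case $new_shell in
        *[!A-Za-z0-9/._-]*) echo "unexpected character in shell path" >&2; return 1 ;;
    esac

    # Whole-line, fixed-string match: a typo such as /bin/tsch, or a path that
    # only appears inside a comment line, does not pass.
    if ! grep -Fxq -- "$new_shell" "$shells_file"; then
        echo "$new_shell is not listed in $shells_file" >&2
        return 1
    fi

    printf 'dn: uid=%s,%s\n' "$uid" "$BASE_DN"
    printf 'changetype: modify\nreplace: loginShell\nloginShell: %s\n' "$new_shell"
}

# Typical use once you hold a Kerberos ticket (not run here):
#   make_shell_ldif "$USER" /bin/tcsh | ldapmodify -Y GSSAPI -H ldap://hal
```

The check only proves the shell exists on the machine where you run it, so run it on a host that has the same shells installed as the machines you log in to.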


Have questions? Email Dan at dank@scl.ameslab.gov , and he will try to help you with this document.



Questions? Comments? Please send an email to , or contact us at 515-294-7336.