Redbrick User management tool


#
# Steps required to use a standalone RRS setup and then sync in changes
# afterwards.
#
# $Id: RRS-SYNC.TXT,v 1.2 2005/10/09 22:55:31 cns Exp $
#
#======================================================================
# BEFORE C&S DAY
#======================================================================
# There are three prompts used in the commands given here
# to indicate which machine they should be used on...
#
[useradm] # The redbrick server that hosts useradm
[rrs] # The standalone server that hosts rrs for c&s day
[ldap-master] # The redbrick server that is the LDAP master
#
# Some general notes on using slapadd and slapcat:
#
# Purge the ldap database files before doing a slapadd. Always add
# everything in one go with slapadd as this is faster. Always use
# the dry-run (-u) option before adding for real.
#
# slapcat should only be run when slapd is r/o or not running.
# If slapd can't be stopped or made r/o and a copy of the tree is
# needed, use this (it relies on the default search base from ldap.conf;
# add "-b o=redbrick" if that isn't set):
#
# ldapsearch -xLLL -y /etc/ldap.secret -D cn=root,ou=ldap,o=redbrick > rb.ldif
#
# Also, it's best to log your session (e.g. with script) when running the
# various batch commands that produce a lot of output.
#
# Make master ldap r/o (add "readonly on" to slapd.conf).
# Stop slurpd.
# Take backup of current tree, now that ldap is r/o.
#
[ldap-master] slapcat -l slapcat.pre-newyear
#
# At the start of each academic year, before c&s day, yearsPaid
# has to be decremented by 1 and newbie set to False for every account.
# This can be done online with LDAP or offline with LDIF. LDIF method
# is given here:
#
[ldap-master] ./newyear_ldif.py < slapcat.pre-newyear > slapcat.pre-rrs
#
# If using the LDIF method, slapadd slapcat.pre-rrs back again (ldap still
# r/o). Stop slapd for the slapadd itself: slapadd writes the backend database
# files directly and is not safe against a running slapd.
#
# The mailing out of renewal reminders can be done before or after c&s day.
# If done after, there'll be fewer mails sent out.
#
[useradm] useradm unpaid_warn
#
# Take pre_sync backup copy for running sync with the new tree later on.
# This is used to keep a record of current home directories and usertypes
# for all accounts, which is needed for any renamed and/or converted accounts.
#
[useradm] useradm pre_sync
#
# Copy RRS directory and master slapd setup to the standalone RRS
# computer. Make sure the user the web server runs as can read and execute
# the CGIs, write to rrs.log and the tracebacks directory (and nothing else).
# As the webserver won't (well, *shouldn't*) have write access to the rrs/
# directory, any changes made to the *.py files won't result in the automatic
# update of the corresponding .pyc file, so it's best to make sure these are
# updated manually: this is only to help speed up execution. Set up a
# .htaccess file to require a password. Enforce SSL only if possible.
# Modify rbconfig.py to point to the localhost LDAP.
#
# If there is no network connection, the DCU LDAP tree needs to be imported
# into the redbrick one. However, this should be done regardless of network
# connectivity!
#
[rrs] ./make-rb-dcu-tree.sh
#
# Join rb & dcu trees into one ldif file to add in one go as this will
# speed things up a lot!
#
[rrs] cat slapcat.pre-rrs rb-dcu-tree.ldif > slapcat.pre-rrs-dcu
#
# Always do a dry run before any major slapadd:
#
[rrs] slapadd -v -u -l slapcat.pre-rrs-dcu
#
# Adding this for real will take a long time. Although there is a -q
# (quick) option for slapadd, it might be best not to use it: it skips
# consistency checks, so a bad LDIF is only noticed once the database is in use.
#
[rrs] slapadd -v -l slapcat.pre-rrs-dcu
#
# Truncate rrs.log. This should always be empty before starting to use
# rrs for real! Make sure the CGI can still write to it!
#
[rrs] :> rrs.log
#
# Make sure uidNumber.txt is correct (it should be, if copied across!).
#
[rrs] useradm create_uidNumber
#
# At this point, rrs should be ready to go.
#
# If you're paranoid, the continous_rrs_backup.sh script will prove useful.
#
#======================================================================
# AFTER C&S DAY
#======================================================================
# After using rrs, i.e. once c&s day is finished, shut down slapd (wait for
# it to exit before the slapcat) and do a slapcat, removing the dcu tree
# from the output:
#
[rrs] pkill slapd
[rrs] slapcat -l - | remove_dcutree_ldif.py > slapcat.rrs
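Both LDIF steps in this procedure (newyear_ldif.py before c&s day, remove_dcutree_ldif.py here) boil down to a filter over a slapcat dump. What follows is an added example written for this page, not the project's own scripts: it assumes the attribute names yearsPaid and newbie used above, that newbie uses LDAP Boolean syntax (TRUE/FALSE), and that the imported DCU entries live under an assumed base DN o=dcu; the sample LDIF is constructed.

```python
#!/usr/bin/env python3
# Added example, not the project's newyear_ldif.py / remove_dcutree_ldif.py:
# the two LDIF filters the procedure pipes slapcat output through, on top of
# a small parser that copes with what slapcat emits (folded lines, base64).
# yearsPaid/newbie are the page's attribute names; DCU_BASE and the sample
# entries are constructed for the example.
import base64
import re
import sys

DCU_BASE = "o=dcu"   # assumption: where make-rb-dcu-tree.sh puts DCU entries

SAMPLE_LDIF = """\
dn: uid=alice,ou=accounts,o=redbrick
yearsPaid: 2
newbie: TRUE
cn:: QWxpY2UgTsOtIENow6lpZGU=

dn: uid=bob,ou=accounts,o=redbrick
yearsPaid: 0
newbie: FALSE
description: a folded line that slapcat wrapped at
  seventy-six columns

dn: uid=12345678,ou=students,o=dcu
cn: Imported DCU student
"""

def parse_ldif(text):
    """Entries as lists of (attr, value) pairs, dn first, in file order.
    Unfolds continuation lines, decodes 'attr:: base64', skips comments."""
    text = re.sub(r"\n ", "", text)       # a leading space continues the line above
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in block.splitlines():
            if line.startswith("#") or line.startswith("version:"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.lstrip()
            attrs.append((name, value))
        if attrs and attrs[0][0] != "dn":
            raise ValueError("entry without a leading dn: %r" % block[:60])
        if attrs:
            entries.append(attrs)
    return entries

def _safe(value):
    # RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, no leading ' ' ':' '<',
    # no trailing space.  Anything else must be written base64-encoded.
    return (value.isascii() and value == value.rstrip(" ") and
            value[:1] not in (" ", ":", "<") and not set(value) & set("\0\r\n"))

def format_ldif(entries):
    """Serialise for slapadd (long lines are left unfolded; slapadd accepts that)."""
    out = []
    for attrs in entries:
        for name, value in attrs:
            if _safe(value):
                out.append("%s: %s" % (name, value))
            else:
                b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
                out.append("%s:: %s" % (name, b64))
        out.append("")
    return "\n".join(out)

def new_year(entries):
    """BEFORE C&S DAY: yearsPaid - 1 and newbie FALSE on every entry carrying a
    yearsPaid (edited in place).  No floor: the page does not say one exists."""
    touched = 0
    for attrs in entries:
        if any(name == "yearsPaid" for name, _ in attrs):
            touched += 1
            for i, (name, value) in enumerate(attrs):
                if name == "yearsPaid":
                    attrs[i] = (name, str(int(value) - 1))
                elif name == "newbie":
                    attrs[i] = (name, "FALSE")   # LDAP Boolean syntax is TRUE/FALSE
    return entries, touched

def strip_dcu_tree(entries, base=DCU_BASE):
    """AFTER C&S DAY: drop every entry at or below base.  A normalised suffix
    match (case, spaces after commas) is enough for slapcat output but is not a
    full RFC 4514 compare: an escaped comma in an RDN would defeat the split."""
    norm = lambda dn: ",".join(p.strip() for p in dn.split(",")).lower()
    nb = norm(base)
    kept = [a for a in entries
            if norm(a[0][1]) != nb and not norm(a[0][1]).endswith("," + nb)]
    return kept, len(entries) - len(kept)

if __name__ == "__main__":   # usage: ldif_filters.py newyear|strip-dcu < in.ldif > out.ldif
    mode = sys.argv[1] if len(sys.argv) > 1 else "newyear"
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    entries, n = {"newyear": new_year, "strip-dcu": strip_dcu_tree}[mode](parse_ldif(text))
    sys.stdout.write(format_ldif(entries))
    sys.stderr.write("%s: %d entries affected\n" % (mode, n))
```

Used in the pipeline it replaces either script: `./ldif_filters.py newyear < slapcat.pre-newyear > slapcat.pre-rrs` before c&s day, `slapcat | ./ldif_filters.py strip-dcu > slapcat.rrs` after; with no input on stdin it runs over the built-in sample. Since the output is what slapadd loads back into the master, anything that is not a SAFE-STRING is re-emitted base64-encoded rather than trusting the input to have been clean, and it is worth diffing the result against the input (and counting dropped entries) before the dry-run slapadd.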
#
# Copy rrs.log, uidNumber.txt and slapcat.rrs back to the useradm machine.
#
# Turn off *all* MTAs until ldap is back and all accounts are in sync again.
# Home directories will be moving around a bit, so we don't want mail getting
# bounced.
#
/etc/init.d/exim stop
#
# XXX: This only disables the smtp daemon; invoking sendmail from the command
# line might still start up a local delivery?
#
# Any machines which point nss & pam at the master need to be pointed at a
# backup ldap server on another machine, as the ldap rebuild will take a few
# minutes; might as well be nice to our users :-)
#
# Turn off master slapd & slurpd.
#
[ldap-master] /etc/init.d/slapd stop
#
# Move ldap dbs out to clear the db, but keep a backup just in case. If slapd
# runs as an unprivileged user, the new directory (and the files slapadd
# creates in it) must end up with the same owner and mode as the old one.
#
[ldap-master] mv /var/db/ldap/redbrick /var/db/ldap/redbrick.pre-sync
[ldap-master] mkdir /var/db/ldap/redbrick
#
# Now add the new tree (dry run first, as always).
#
[ldap-master] slapadd -v -u -l slapcat.rrs
[ldap-master] slapadd -v -l slapcat.rrs
#
# Make master ldap r/w again (useradm sync needs to set passwords for the
# new users), but restrict write access to root only by commenting out any
# "by self write" ACLs in slapd.conf.
# Start master slapd up again. Don't start slurpd.
#
[ldap-master] /etc/init.d/slapd start
#
# Remove files which indicate if a renewal has been mailed. These might still
# be here from a previous year's run.
#
[useradm] rm -rf renewal_mailed/
#
# Do sync stuff. Run *1* step at a time. First with -T to make sure it will do
# the right thing, then run the step for real. This will involve hitting ^C
# after completing each step so that test mode can be run on the next step,
# i.e.:
#
[useradm] useradm sync -T
# ^C at prompt for next step
[useradm] useradm sync
# ^C at prompt for next step, rinse, wash, repeat.
#
# The sync command is designed to be run again and again, i.e. there won't
# be any repeated actions (which is why a record is kept of which users were
# sent a renewal mail). This is useful if it bombs out at any stage!
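As an added illustration of why the sync can be rerun safely, here is the "record who was mailed" pattern written out for the renewal-mail step. This is example code for this page, not useradm's own: the per-user marker directory is the page's renewal_mailed/, but the send() callback, the uid pattern and the test-mode behaviour are assumptions.

```python
#!/usr/bin/env python3
# Added example, not useradm's code: the "run it again and nothing repeats"
# pattern the sync step relies on, shown for the renewal-mail step.  One marker
# file per user in renewal_mailed/ (the page's directory) records who was
# mailed; a rerun skips them, and test mode (the page's -T) only reports.  The
# uid pattern and the send() callback are assumptions for the example.
import os
import re
import tempfile

# Marker paths are built from uids that come out of LDAP, so refuse anything
# that could leave the directory ("../x", "a/b") before touching the filesystem.
UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def renewal_mail_step(unpaid_users, mailed_dir, send, test_mode=False):
    """Mail each user at most once, across any number of runs.

    send(user) does the real mailing (hypothetical callback).  Returns
    (mailed, skipped): users handled this run and users already on record.
    In test mode 'mailed' is what a real run would do; nothing is sent or
    written, so it is safe to run first, as the page's sync -T step does."""
    mailed, skipped = [], []
    for user in unpaid_users:
        if not UID_RE.fullmatch(user):
            raise ValueError("refusing suspicious uid %r" % user)
        marker = os.path.join(mailed_dir, user)
        if os.path.exists(marker):
            skipped.append(user)
            continue
        if not test_mode:
            os.makedirs(mailed_dir, exist_ok=True)
            send(user)
            # Record *after* the mail went out: dying between these two lines
            # costs one duplicate on the rerun, whereas recording first could
            # silently never mail the user.  O_EXCL makes a stale record fail
            # loudly instead of being overwritten.
            os.close(os.open(marker, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644))
        mailed.append(user)
    return mailed, skipped

def demo_run():
    """Three runs against a fresh directory (test mode, real, real with a new
    user).  Returns the three (mailed, skipped) results and the send log."""
    log = []
    users = ["alice", "bob"]
    with tempfile.TemporaryDirectory() as d:
        first = renewal_mail_step(users, d, log.append, test_mode=True)
        second = renewal_mail_step(users, d, log.append)
        third = renewal_mail_step(users + ["carol"], d, log.append)
    return first, second, third, log

if __name__ == "__main__":
    for result in demo_run():
        print(result)
```

The third run in demo_run() is the "bombs out, run it again" case: only the user not yet on record is mailed, the rest are reported as skipped, and the send log shows each user exactly once. The same marker directory is what the `rm -rf renewal_mailed/` step above clears, which is why that has to happen before the first real run of the year and never between reruns.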
#
# Stop master slapd.
#
[ldap-master] /etc/init.d/slapd stop
#
# Take post-sync backup now that it's shut down.
#
[ldap-master] slapcat -v -l slapcat.post-sync
#
# Move ldap dbs out to clear the db, but keep a backup just in case.
#
[ldap-master] mv /var/db/ldap/redbrick /var/db/ldap/redbrick.post-sync
[ldap-master] mkdir /var/db/ldap/redbrick
#
# Re-add the post-sync backup so that it's all nicely indexed. This is a
# slapadd (slapcat only reads the database); dry run first, as always.
#
[ldap-master] slapadd -v -u -l slapcat.post-sync
[ldap-master] slapadd -v -l slapcat.post-sync
#
# Go back to full r/w slapd again, i.e. re-enable user write access, and
# start master slapd.
# Point nss & pam back to the master server on machines that were changed.
# Restart nscd on all machines.
# Start MTA.
#
# Load slapcat.post-sync on the ldap backup servers using a similar procedure
# (redirect nss & pam, shut down slapd, move dbs out, slapadd, start slapd,
# point nss & pam back again). Don't forget to start slurpd on the master
# again once the backups are loaded.
#======================================================================
# LATER ON...
#======================================================================
# A month or two after c&s day, unpaid accounts need to be disabled
# and the unpaid accounts from last year (the "grace" accounts) need
# to be deleted. This is a good time to make a backup! And don't forget
# to log your session, so you have a record. It's also no harm to look
# through the list of accounts to be deleted in case you spot one that
# shouldn't be on the list!
#
[useradm] useradm list_unpaid_grace # ...these will be deleted!
[useradm] useradm unpaid_disable
[useradm] useradm unpaid_delete
#
# Usually people who haven't paid (yet) request their shell to be
# enabled again. Admins can find these fee-evaders:
#
[useradm] useradm list_unpaid_reset
# ...and then crack down on them:
#
[useradm] useradm unpaid_disable