Linux and Unix Users Group at Virginia Tech Wiki β

Changes

Authentication

671 bytes removed, 02:20, 10 February 2016
no edit summary
Removed (old revision):

VTLUUG has been using Kerberos and LDAP for authentication since at least September 2012. Our realm is <code>VTLUUG.ORG</code> but may change in the future to something under the vt.edu domain.

In April 2013, Kerberos authentication on acidburn was forced because a Debian bug had required passwords to be sent in plaintext to the LDAP server. If you are unable to login, you'll need to provide sufficient proof of your identity to an officer so your password can be reset.

==SSH Authentication with Kerberos==
Put this in your ~/.ssh/config:
 # Kerberos
 Host *
     GSSAPIAuthentication yes
     GSSAPIDelegateCredentials yes
Then you can just <code>kinit user@VTLUUG.ORG</code> and you should be able to <code>ssh user@acidburn.vtluug.org</code> without a password. You can also login to any machine on our cluster or most of the machines on wood. Note that IPv6 is currently required for getting Kerberos tickets.

==Account maintenance instructions==
These instructions are for people in the "officers" group; normal members aren't able to mess with accounts.

===New user account creation===
On acidburn:
* <code>sudo kinit your_user@VTLUUG.ORG</code>
* <code>ldapsearch | grep uidNumber | sort</code> (find the lowest unused uidNumber in the 1000-range and use that)
* <code>sudo /home/mutantmonkey/vtluug-scripts/ldap/adduser.py</code>
On blade:
* <code>sudo kadmin.local</code>
** <code>addprinc username@VTLUUG.ORG</code>

===Viewing user information===
This could be useful for debugging:
* <code>kinit</code>
* <code>ldapsearch uid=username</code>
* <code>kadmin.local</code> (only on blade)
** <code>getprinc username</code>

===Changing user shell===
On acidburn or blade:
* <code>kinit</code>
* <code>ldapmodify <<EOF</code> and input this:
 dn: uid=username,ou=People,dc=vtluug,dc=org
 changetype: modify
 replace: loginShell
 loginShell: /usr/bin/zsh
 -
 EOF

Added (new revision):

VTLUUG was using Kerberos and LDAP for authentication until the [[CVL eviction]]. We have now migrated to an LDAP-only domain due to a lack of IPv6 behind the ece router. The old Kerberos server was configured to work on IPv6 only, therefore we were required to migrate away from its use for authentication.

With the current deployment passwords should be acceptable through normal authentication over ssh. There is no need to configure tickets or anything else Kerberos related.

==Account maintenance instructions==
All users will be able to use standard shell commands (such as chsh) to change attributes of their own account. Additionally they can make direct requests to the LDAP server (razor.vtluug.org) using ldapmodify and ldif files to change attributes as well. Explaining ldif files and ldapmodify is beyond the scope of this article.

For management of the entire domain, officers who know the LDAP root user's credentials will be able to log in to the LDAP Administrator web application running on razor.vtluug.org. Information on this is really only shared on a need-to-know basis between officers, and the content is not entirely appropriate for a public wiki.
Anonymous user
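The removed "Changing user shell" section fed a hand-written LDIF to <code>ldapmodify</code>, and the new revision points members at <code>chsh</code> or their own LDIF instead. The script below is an added example, not from the wiki or VTLUUG, that builds that same loginShell LDIF with the two checks a raw <code>ldapmodify</code> skips: the shell must be listed in the shells file (what <code>chsh</code> enforces via /etc/shells) and the uid must be a plain login name so it cannot alter the DN being modified. The People base DN comes from the page; the shells file is constructed inline so the example runs offline.

```shell
#!/bin/sh
# Added example (not VTLUUG code): generate the loginShell LDIF from the old
# wiki section, validating inputs before anything reaches ldapmodify.

PEOPLE_BASE="ou=People,dc=vtluug,dc=org"   # base DN used on the wiki page

# Constructed allowlist standing in for /etc/shells so this runs anywhere;
# in real use point SHELLS_FILE at /etc/shells on the LDAP client.
SHELLS_FILE=$(mktemp)
trap 'rm -f "$SHELLS_FILE"' EXIT
printf '/bin/sh\n/bin/bash\n/usr/bin/zsh\n' > "$SHELLS_FILE"

# shell_allowed PATH -> 0 only if PATH is an exact line of SHELLS_FILE
shell_allowed() {
    grep -q -x -F -- "$1" "$SHELLS_FILE"
}

# uid_safe NAME -> 0 only for a plain POSIX-style login name; rejects
# commas, '=', spaces and similar characters that carry meaning in a DN
uid_safe() {
    printf '%s' "$1" | grep -q -E '^[a-z_][a-z0-9_-]{0,31}$'
}

# make_loginshell_ldif USER SHELL -> prints the LDIF on stdout, returns 1
# (with a message on stderr) if either argument fails its check
make_loginshell_ldif() {
    user=$1
    shell=$2
    uid_safe "$user" || { echo "refusing uid '$user'" >&2; return 1; }
    shell_allowed "$shell" || { echo "'$shell' not in $SHELLS_FILE" >&2; return 1; }
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n-\n' \
        "$user" "$PEOPLE_BASE" "$shell"
}

# Usage as on the wiki (pipe instead of a heredoc):
#   make_loginshell_ldif alice /usr/bin/zsh | ldapmodify
```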