With EnlightenDSM's User menu, administrators can easily manage user and group accounts on either a single file server or across a network of heterogeneous systems.
This chapter describes how to configure users and groups, query for user information, monitor user activity, and create new user templates.
The User menu options are:
Configure
Query
Groups
Activity Monitor
New User Templates
Note: EnlightenDSM supports the /etc/passwd file, NIS, and NIS+ naming services.
You can use this module to manage user access and monitor user processes. When you activate this program, a window will appear displaying a list of all current user accounts (Figure 3-1).
You can use this window to:
Add a user
Modify a user
Copy a User
Delete a user
Set or modify a password for a user
Lock a user account
Unlock a user account
Expire a user's password
View a user's information
Monitor user processes
Push NIS maps on any active NIS servers
The rest of this section details each of these options.
Click the Add button to create user accounts. You can do this individually or en masse. The Create New User Account window (Figure 3-2) also gives you the option to use default parameters, as defined in the Configure -> New User Templates window. These defaults ensure all new user accounts of a particular type are created with consistent information (see “New User Templates” for more details).
If you leave one of the fields blank when adding a user account, EnlightenDSM will fill in the field with the default value (where possible) or prompt you for any additional information. After you've filled in all the fields properly and clicked the Add button, EnlightenDSM will create the user account, update the appropriate naming service, and create the home directory with the required shell scripts.
The rest of this subsection describes the functionality of this window's fields and buttons.
You can fill in all of these fields manually or have EnlightenDSM set defaults in most of the fields for you. Either way, you need to specify the following five fields before trying to add the user account.
Hostnames
If you want to limit the creation of this account to specific hostnames within a pool, enter those hostnames in this field. If you are using multiple entries, leave a blank between each entry. You can also use the arrow button to the right to select the available hosts from the current pool.
Login name
The Login name is a unique name that identifies a user account. A user needs a login name and a password to gain access to the system. The login name must be unique and the first character should be set in lower case (e.g., cHE034). You may also use macros in this field; see “User Account Macros” for more details.
This is the user's actual name. This field can identify a person, company, or organization. You can use this field to associate the sometimes cryptic Login name with the actual user's name. On larger systems, this name matching is invaluable.
This field should contain the location where the user will normally access the system. The field can be an office number, an assigned location code, or a department name. This field does not allow punctuation characters.
This field can contain the telephone number, telephone extension, or some other information to help locate and contact the user. The format of the field is user definable.
At this point you can have EnlightenDSM automatically fill in the remainder of the form by clicking on the Add button. The default values entered depend on the values set in the Configure -> New User Templates window.
Or, you can fill in the rest of the fields manually. The fields and their defaults are:
This field contains the UID number. The UNIX operating system uses this number to identify each user. This number does not have to be unique, but should be for easier system administration. Enter the UserID number to be assigned to this user account.
If the New User Template you're using is set to automatically generate a unique UID, then this field will be initialized with that number. See “New User Templates” for more details.
Note: If this field is left blank, EnlightenDSM will prompt you for an entry in this field when it tries to create the user.
Home dir.
The Home dir. field specifies where the user's start-up directory is attached. Most systems will use /usr or /home as the default parent directory. Each user will have their own directory created under the default home directory, for example, /usr/charlie. EnlightenDSM stores home/%u as the default HOME directory unless you change this field.
EnlightenDSM initializes the HOME directory by executing the HOME directory initialization script $ENLIGHTEN/scripts/adduser.rc. This copies the initialization files (e.g., .profile and .cshrc) into the HOME directory. You can modify this script to perform other initialization procedures. See User Management Scripts at the end of this chapter for instructions on doing so.
You may also use macros in this field; see “User Account Macros” for more details.
The Shell is a program that acts as a translator between the user and the UNIX operating system. There may be several standard shells on a system, including the C Shell, the Bourne Shell, the Korn Shell, and the restricted Bourne, C, and Korn Shells. This, however, does not stop experienced users from creating custom shells. Each shell has its own start-up executable program:
Shell | Start-up program |
---|---|
Bourne Shell | /bin/sh |
Restricted Bourne Shell | |
C Shell | /bin/csh |
Korn Shell | /bin/ksh |
Restricted Korn Shell | |
Other | user defined |
EnlightenDSM uses the Bourne shell as the default shell in this field (/bin/sh). All users on the system do not have to use the same shell; this is a matter of user preference, as each shell offers different functionality. The number of standard shells available for this field depends on your system. Click the arrow button to display a pick list of available shells. This list of available shells comes from the GUI host, not the host to which the user will be added.
Group name
Every user account must be assigned to at least one User Group. The User Group is part of the UNIX security system; each user group has specific read, write, and execute privileges associated with every file created on the system.
Enter the primary Group name for this user or leave this field blank to have the default assigned. Click the arrow button for a pick list of defined User Groups. If you enter a Group Name that does not exist, EnlightenDSM will prompt you for a correct Group Name when it tries to create the user.
You can use this field to put the user in additional user groups. This will effectively give the user more group privileges beyond those set in the primary user group. Enter the names of the user groups to which the user should also belong. Click the arrow button for a pick list of defined User Groups. Select the User Groups and click the Apply button to import them.
The password is part of the UNIX security system. Each user must have a password. You can make the password the same as the user login, and the user can then change the password. Don't use passwords such as spouse names, pet names, or addresses; they are easy for another user to guess. You may also use macros in this field; see “User Account Macros” for more details.
Note: If the entry in the password field is not long enough, an error message will be displayed when you try to add this user account.
For systems that support password aging, this optional field contains the time when the password will expire. Once a password has expired, the system will force the user to change their password the next time they log in to the system.
The password expiration time may be rounded up depending on the minimum password expiration interval for the OS.
If this field is left blank, the appropriate default parameter will be used. If no default is set in the User Add window (when you're adding a user), password aging will be turned off for that user. For more details, refer to Appendix D, “Password Aging.”
To specify a time format, see Appendix C, “Time Formats.”
In conjunction with the Expires field, this field defines the minimum period of time that needs to elapse before the user can change his or her password. You can, however, change the user's password at any time by using the Password button in the User Configuration window. See “Password” for more details. To specify a time format, see Appendix C, “Time Formats.”
Mail Alias (Create New User Account Window only)
This field specifies the default mail alias the account will use. An alias designates a short name as the substitute for the full pathname for a particular user or group. You may also use macros in this field; see “User Account Macros” for more details.
Mail Lists
This field specifies which mailing lists will be updated to include this user. A mail list defines a group of people under one alias, so sending mail to that alias will distribute a copy to everyone on that list. Click the arrow button for a pick list of defined Mail Lists.
This window contains the following buttons:
Add
Once you've entered the relevant information, click the Add button to create the user. If the information is incorrect, use the mouse to navigate through the fields and make the necessary changes. When complete, click the Add button again.
Clear Fields
Click the Clear Fields button to clear the existing choices in all fields.
Multi-User Add
Refer to “Multi-User Add” to use this button and the window it generates.
Template
Click this button for a pick list of defined New User Templates. You can use one of these templates to populate default values in the new user's account, make any necessary changes, and then Add the user. Only those fields that are currently blank (in the Create New User Account window) will be initialized from your selected template.
Close
Click this button to discard any changes and close the window.
You can also use the Create New User Account window to add multiple users in a single operation. Click the Multi-User Add button. The pop-up window shown in Figure 3-3 is then activated for creating new users en masse.
You must first create a text file before you can use this program properly. Each line is the record for one user account. See “Record Format” for details on creating this file.
The rest of this subsection describes the functionality of this window's fields and buttons.
This window contains the following fields:
Filename of Accounts DB
Use this field to specify which database file contains the user account information.
Hostnames
If you want to limit this user's access to specific hostnames within a pool, enter those hostnames in this field. If you are entering multiple entries, leave a blank between each entry. You can also use the arrow button to the right to select the available hosts from the current pool.
If the Userid field (field #5) is left blank in any of the records, EnlightenDSM will assign the first available (unique) Userid found (higher than the UID entered in this field). Click the arrow button on the right to view the already assigned UserIDs. A pop-up menu will appear with a current list of UserIDs. Highlight the desired ID number and then click the Apply button. EnlightenDSM will automatically insert the starting Userid into the appropriate record.
If the GroupID Number field (field #6) is left blank in any of the records, EnlightenDSM will use this field to assign those users a default Group Name. Click the arrow button on the right to view a current list of User Groups. Highlight the desired entry in the pop-up menu and then click the Apply button to make the selection. EnlightenDSM will automatically insert the Group Name into the appropriate record.
If the Home Directory field (field #7) is left blank in any of the records, EnlightenDSM will use this field to assign those users a default Home directory. Use the full pathname of the parent directory where all users' HOME directories will be created.
If you specify a HOME directory that does not exist, EnlightenDSM creates and initializes it. EnlightenDSM initializes the HOME directory by executing the HOME directory initialization script $ENLIGHTEN/scripts/adduser.rc. This copies the initialization files (e.g., .profile and .cshrc) into the HOME directory. You can modify this script to perform other initialization procedures. See User Management Scripts at the end of this chapter for instructions on doing so.
You may also use macros in this field; see “User Account Macros” for more details.
If the Shell field (field #8) is left blank in any of the records, EnlightenDSM will use this field to assign those users a default shell. Click the arrow button on the right to view a current list of shells. Highlight the desired entry in the pop-up menu and then click the Apply button to make the selection. EnlightenDSM will automatically insert the shell name into the appropriate record.
Mail Alias
This field specifies the default mail alias the account will use. An alias designates a short name as the substitute for the full pathname for a particular user or group. You may also use macros in this field; see “User Account Macros” for more details.
Mail Lists
This field specifies which mailing lists will be updated to include this user. A mail list defines a group of people under one alias, so sending mail to that alias will distribute a copy to everyone on that list. Click the arrow button for a pick list of defined Mail Lists.
Default Password Configuration
When a user is created in UNIX, he or she must be assigned a password. If the password field (field #9) is left blank in the database record, the system must be told which method to use to create a password. Choose one of the following options as the default:
Add all users with the same initial password (the default)
Generate random password for each user
Password same as user name
Use this field if you choose to add all users with the same initial password. Enter the password to be assigned to all the user accounts created from this process. Remember to check later and make sure each new user has changed his or her initial password. You may also use macros in this field; see “User Account Macros” for more details.
For systems that support password aging, this optional field contains the time when the password will expire. Once a password has expired, the system will force the user to change their password the next time they log in to the system.
If this field is left blank, the appropriate default parameter will be used. If no default is set in the User Add window (when you're adding a user), password aging will be turned off for that user. For more details, refer to Appendix D, “Password Aging.”
To specify a time format, see Appendix C, “Time Formats.”
In conjunction with the Expires field, this field defines the minimum period of time that needs to elapse before the user can change his or her password. You can, however, change the user's password at any time via EnlightenDSM.
To specify a time format, see Appendix C, “Time Formats.”
This window contains the following buttons:
Add
Once you've entered the relevant information, click the Add button to start the user account creation process. EnlightenDSM first checks that all field entries are valid and then starts creating the new user accounts.
EnlightenDSM will then output a list of generated passwords after all the accounts have been created. Click the Print button if you want to print the list.
Clear Fields
Click this button to clear the existing choices in all fields.
Template
Click this button for a pick list of defined New User Templates. You can use one of these templates to populate default values in the new user's account, make any necessary changes, and then Add the user. Only those fields that are currently blank (in the Create New User Account window) will be initialized from your selected template.
LDAP
The LDAP icon will query the LDAP server(s) specified within the params configuration file every time it is pressed and load the configured input fields with additional user information found on the LDAP server.
See “LDAP” for further information on using this feature.
Close
Click this button to discard any changes and close the window.
The format for each record in the text file is:
Field # | Description | Comment |
---|---|---|
1 | Login Name | Mandatory |
2 | User Real Name | Mandatory |
3 | Office | Optional |
4 | Telephone | Optional |
5 | Userid Number | Optional |
6 | Groupid Number | Optional |
7 | Home Directory | Optional |
8 | Shell | Optional |
9 | Password | Optional |
Each record (line) in the file represents one user. Each user can have up to nine fields in the record. Use a comma (,) to separate each field specified. Each record is terminated with a carriage return (<CR>). There is no limit to the number of records you can specify in the file.
The following example sets the account details for five people.
fred,The Fredster
barney,The Barnarama,Head office
wilma,Wilma Fraglerock,,233-7625
betty,Betty Boomrock,,,401,other
bambam,Boom,,,403,other,/usr/bambam,/bin/sh,bedrock
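The record format above, turned into a pre-import check (an added example, not EnlightenDSM code). It parses each line into the nine fields and reports records that break rules stated in this chapter; the three extra sample records and all function names are constructed for illustration.

```python
import string

# Field order from the record format table (fields 1-9).
FIELDS = ("login", "real_name", "office", "telephone",
          "uid", "gid", "home", "shell", "password")

# Constructed input: the page's five records plus three deliberately bad ones.
SAMPLE = """\
fred,The Fredster
barney,The Barnarama,Head office
wilma,Wilma Fraglerock,,233-7625
betty,Betty Boomrock,,,401,other
bambam,Boom,,,403,other,/usr/bambam,/bin/sh,bedrock
Pebbles,,Rm. 12
dino,Dino,,,401,other,,,dino
fred,Fred Again,,,abc
"""


def parse_record(line):
    """Split one record into the nine named fields; omitted trailing fields become ''."""
    parts = line.rstrip("\r\n").split(",")
    if len(parts) > len(FIELDS):
        raise ValueError("more than nine fields")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))


def check_accounts_db(text):
    """Return (records, findings); each finding is (line number, severity, message)."""
    records, findings = [], []
    first_login, first_uid = {}, {}

    def report(lineno, severity, message):
        findings.append((lineno, severity, message))

    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError as exc:
            report(lineno, "error", str(exc))
            continue
        records.append(rec)
        login, uid = rec["login"], rec["uid"]

        # Fields 1 and 2 are mandatory; the login name must be unique.
        if not login:
            report(lineno, "error", "login name is mandatory")
        elif login in first_login:
            report(lineno, "error",
                   "duplicate login name (first seen on line %d)" % first_login[login])
        else:
            first_login[login] = lineno
            if not login[0].islower():
                report(lineno, "warn", "login name should start in lower case")
        if not rec["real_name"]:
            report(lineno, "error", "real name is mandatory")

        # The Office field does not allow punctuation characters.
        if any(ch in string.punctuation for ch in rec["office"]):
            report(lineno, "error", "office field contains punctuation")

        # A UID need not be unique, but a shared UID deserves a second look.
        if uid:
            if not uid.isdigit():
                report(lineno, "error", "userid number is not numeric")
            elif uid in first_uid:
                report(lineno, "warn", "UID %s already used by %s" % (uid, first_uid[uid]))
            else:
                first_uid[uid] = login

        # Field 9 is stored in clear text in the accounts file.
        if rec["password"]:
            if rec["password"] == login:
                report(lineno, "warn", "initial password equals the login name")
            else:
                report(lineno, "warn", "clear-text initial password stored in the file")
    return records, findings


if __name__ == "__main__":
    for lineno, severity, message in check_accounts_db(SAMPLE)[1]:
        print("line %d: %s: %s" % (lineno, severity, message))
```

Accounts reported with a password finding are the ones to follow up with the Expire button once they have been created.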
The LDAP icon will query the LDAP server(s) specified within the params configuration file every time it is pressed and load the configured input fields with additional user information found on the LDAP server.
The interface provided allows information about a user to be retrieved from an LDAP server to aid in the creation of the user's UNIX account. Through the use of keyword parameters specified in the PARAMS configuration file, located in the /config subdirectory under the $ENLIGHTEN directory tree, the ADD USER window is able to load field values about a user when creating an account. The following keywords are used in the PARAMS file to configure this functionality:
LDAPSERVER: ON | OFF
This entry enables or disables the LDAP functionality within the ADD USER window.
LDAPSERVERURL: <a URL string>
An LDAP URL string has a format of LDAP://<host>[:<port>]/<dn>
Host may be a single entry or a space-separated list of entries, each being either a hostname or an IP address. :<port> is an optional alternate port specifier which can be used if the LDAP server uses a non-standard port number. <dn> is an LDAP Distinguished Name string which specifies the top of the search tree for locating users.
LDAPREALNAME: <attribute>[<sep><attribute>...]
LDAPOFFICE: <attribute>[<sep><attribute>...]
LDAPTELEPHONE: <attribute>[<sep><attribute>...]
LDAPLOGINNAME: <attribute>[<sep><attribute>...]
LDAPUSERID: <attribute>[<sep><attribute>...]
These keywords are optional and, when present, specify a string to be placed in their corresponding field in the ADD USER window. Attribute is an LDAP Attribute name which is replaced by its value for the user located. Sep is any non-alpha character. This syntax allows for a list of attributes using any non-alpha character, including a space, for separating the attributes.
Within the ADD USER window, the contents of the Real Name field are used for locating a user via the LDAP server(s). The value may be a user's full name separated with spaces or a partial name using strings that begin the user's first and/or last names. The LDAP icon in the ADD USER window will use this value and query the LDAP server(s) every time it is pressed. If an exact match cannot be found, a dialog box will be displayed asking if another search should be performed using the value as a partial specification of the user's name. If more than one user is located, or if the user located was not an exact match, a list box will be displayed containing the entries returned by the LDAP server(s). When an exact match is found or an entry is selected from the list box, each input field that has a keyword in the params file and has not already had a value entered is loaded with the evaluated attribute list for the LDAP user located.
CONFIGURATION
To use the LDAP facility you will need to obtain the name or IP address of your LDAP server, the Distinguished Name of your organization within the LDAP server, and the LDAP Attribute names that you wish to use as field values for the ADD USER window. You may also need a port number if your organization has located their LDAP server on a non-standard port. Your System Administrator should be able to supply you with all of the above-mentioned information.
First you need to modify the params configuration file for EnlightenDSM. This file is located in the /config subdirectory under the $ENLIGHTEN directory tree and can be edited with any standard text editor, such as vi or emacs, using the file name $ENLIGHTEN/config/params. From within the text editor, search for the string LDAP to find the section containing the LDAP keywords. The first keyword should be LDAPSERVER and will need its value of OFF changed to ON. Next you will need to add your organization's LDAP server name and Distinguished Name to the LDAPSERVERURL keyword. For example, if your LDAP server was located on a machine named boris and had a Distinguished Name of o=Enlighten, c=US, then you would append the string:
LDAP://boris/o=Enlighten,c=US
to the keyword LDAPSERVERURL. And if a non-standard port number such as 89 was being used:
LDAP://boris:89/o=Enlighten,c=US
Last, you will need to decide which input fields from the list of allowable fields (REALNAME, OFFICE, TELEPHONE, LOGINNAME, USERID) you would like to have filled in with attribute values from the LDAP server. For example, if you want the input field OFFICE to be filled in with the value from the LDAP attributes building and roomnumber, you would append the string:
building,roomnumber
to the keyword LDAPOFFICE.
Using the above examples, your params configuration file should look as follows:
LDAPSERVER ON
LDAPSERVERURL LDAP://boris/o=Enlighten,c=US
LDAPOFFICE building,roomnumber
You are configured to use the LDAP facility from within the ADD USER window. To test your configuration settings, run the EnlightenDSM product and navigate to the ADD USER window from the Configure Users menu entry under the USERS icon. The correct window will have an LDAP icon second from the end in the middle box of the window. Type a single letter into the Real Name input field within this window and press the LDAP icon. You should receive a dialog box asking to repeat the search, as an exact match was not found. Answer yes by clicking the Yes icon within the dialog box and you should see a list box displayed with the first 20 users whose names start with the letter typed. Select one of the users. The building number and room number should now be displayed in the office input field. You may now either cancel the window or continue to add the user account to the system.
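How the LDAP keywords described above fit together, as an added example that is not EnlightenDSM code: it reads the LDAP keywords from a params fragment, splits the LDAPSERVERURL value into servers and search base, and loads only the input fields that are still blank. Assumptions: each host entry may carry its own port, port 389 is used when none is given, a missing attribute expands to an empty string, and the LDAPREALNAME line, the sample directory entry and all function names are constructed.

```python
import re

FIELDS = ("REALNAME", "OFFICE", "TELEPHONE", "LOGINNAME", "USERID")
DEFAULT_LDAP_PORT = 389  # standard LDAP port

# Constructed params fragment built from the page's example values.
PARAMS = """\
LDAPSERVER ON
LDAPSERVERURL LDAP://boris:89/o=Enlighten,c=US
LDAPOFFICE building,roomnumber
LDAPREALNAME givenname sn
"""


def parse_params(text):
    """Collect LDAP* keywords; the colon after the keyword is optional."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(LDAP[A-Z]+):?\s+(.*\S)", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def parse_ldap_url(url):
    """Split LDAP://<host>[:<port>]/<dn> into ([(host, port), ...], dn)."""
    m = re.fullmatch(r"ldap://([^/]+)/(.+)", url.strip(), flags=re.IGNORECASE)
    if not m:
        raise ValueError("not of the form LDAP://<host>[:<port>]/<dn>")
    servers = []
    for entry in m.group(1).split():       # host may be a space-separated list
        host, sep, port = entry.partition(":")
        if not host or (sep and not port.isdigit()):
            raise ValueError("bad host entry: %r" % entry)
        servers.append((host, int(port) if sep else DEFAULT_LDAP_PORT))
    if not servers:
        raise ValueError("no host given")
    return servers, m.group(2)


def expand_attributes(template, entry):
    """Replace each run of letters (an attribute name) by its value.

    Every non-alpha character is a separator and is copied through unchanged.
    LDAP attribute names are matched without regard to case.
    """
    values = {name.lower(): value for name, value in entry.items()}
    return re.sub(r"[A-Za-z]+",
                  lambda m: values.get(m.group(0).lower(), ""),
                  template)


def fill_fields(params, entry, current):
    """Return the window's fields after an LDAP lookup; entered values are kept."""
    filled = dict(current)
    if params.get("LDAPSERVER", "OFF").upper() != "ON":
        return filled
    for field in FIELDS:
        template = params.get("LDAP" + field)
        if template and not filled.get(field):
            filled[field] = expand_attributes(template, entry)
    return filled


if __name__ == "__main__":
    params = parse_params(PARAMS)
    print(parse_ldap_url(params["LDAPSERVERURL"]))
    # Constructed directory entry standing in for the user the server returned.
    entry = {"givenName": "Wilma", "sn": "Fraglerock",
             "building": "B2", "roomNumber": "417"}
    print(fill_fields(params, entry, {"REALNAME": "W", "OFFICE": ""}))
```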
Click this button to modify user accounts. A pop-up window similar to the Create New User Account window will appear, except you cannot modify the Login name or Password fields.
There are also two button differences in the Modify window:
You can use the Modify button (rather than the Add button) after you've made all your changes, and
You can use the Next button to modify additional user accounts if you've selected more than one account to modify from the User Configuration list.
For a description of the rest of the buttons and fields in this window, see “Add”.
Click this button to copy user accounts from one host to another host. A pop-up window similar to the Create New User Account window will appear. There are three differences between these windows:
The Login Name and Password fields are read-only in the Copy window.
Use the Copy button to save changes (rather than the Add button).
Use the Next button to modify additional accounts if more than one account was chosen for copying.
For a description of the rest of the buttons and fields in this window, see “Add”.
Click this button to easily delete a user from the system. This program will delete the user account and also (optionally) remove the HOME directory and all of its contents (files and subdirectories) associated with the user. Highlight the username(s) you wish to delete from the system and then click the Delete button. EnlightenDSM will prompt you to confirm your action.
Note: When deleting local user accounts across multiple hosts, the user's home directory will not be deleted if the home directory is the same on all hosts. EnlightenDSM assumes they are shared.
EnlightenDSM will NOT delete the user's HOME directory if:
It is considered to be a required directory. The directories are:
/usr /etc /bin /lib /home /dev /sbin /usr/bin /usr/adm /usr/lib /usr/sbin /usr/man /usr/lib/uucp
It is shared by more than one user. In this case, the HOME directory is not deleted since this would also delete the HOME directory of any sharing co-users.
It is not owned by the user whose HOME directory it is supposed to be. In this case, EnlightenDSM will then ask for your confirmation before deleting it.
Furthermore, EnlightenDSM will not delete the root user account; this is considered to be too dangerous to allow.
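The deletion rules above expressed as a decision function (an added example, not EnlightenDSM's own code). The passwd-style sample lines, the ownership table and the return labels are constructed; identifying the root account by login name and reporting a missing directory separately are assumptions.

```python
import os
import posixpath
from collections import namedtuple

Account = namedtuple("Account", "login uid home")

# Required directories, as listed in this section.
REQUIRED_DIRS = frozenset(
    "/usr /etc /bin /lib /home /dev /sbin /usr/bin /usr/adm "
    "/usr/lib /usr/sbin /usr/man /usr/lib/uucp".split())

# Constructed passwd-format sample (login:passwd:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:Super-User:/:/bin/sh
fred:x:401:100:The Fredster:/home/fred:/bin/sh
barney:x:402:100:The Barnarama:/home/shared:/bin/sh
wilma:x:403:100:Wilma Fraglerock:/home/shared:/bin/ksh
betty:x:404:100:Betty Boomrock:/usr/lib:/bin/sh
bambam:x:405:100:Boom:/home/bambam/:/bin/sh
"""

# Constructed ownership table standing in for the file system: path -> owner UID.
OWNERS = {"/home/fred": 401, "/home/shared": 402,
          "/usr/lib": 0, "/home/bambam": 0}


def parse_passwd(text):
    """Map login -> Account, normalising the home path (trailing '/', '//')."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        accounts[f[0]] = Account(f[0], int(f[2]), posixpath.normpath(f[5]))
    return accounts


def stat_owner(path):
    """Owner UID of path on the live system, or None if it does not exist."""
    try:
        return os.stat(path).st_uid
    except FileNotFoundError:
        return None


def home_delete_decision(login, accounts, owner_uid=stat_owner):
    """Decide what may happen to login's HOME directory when the account goes.

    Returns one of: refuse-root, keep-required, keep-shared,
    no-home-directory, confirm-not-owned, delete.
    """
    acct = accounts[login]
    if login == "root":
        return "refuse-root"            # the root account is never deleted
    if acct.home in REQUIRED_DIRS:
        return "keep-required"          # system directory used as a HOME
    if any(o.home == acct.home for o in accounts.values() if o.login != login):
        return "keep-shared"            # deleting would hit the co-users too
    owner = owner_uid(acct.home)
    if owner is None:
        return "no-home-directory"
    if owner != acct.uid:
        return "confirm-not-owned"      # ask the administrator first
    return "delete"


if __name__ == "__main__":
    accounts = parse_passwd(PASSWD)
    for login in accounts:
        print(login, home_delete_decision(login, accounts, OWNERS.get))
```

Comparing normalised paths matters here: without it, bambam's `/home/bambam/` would never match an entry for `/home/bambam`, and a shared or required directory written with a trailing slash would slip past the checks.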
Click this button to change a currently defined User Account password. You don't need to know the password. A pop-up window will ask you to set the new password for the highlighted user (Figure 3-4).
If you have selected multiple usernames, clicking the Apply button will set the current password and bring up the next user. Clicking the Next button causes EnlightenDSM to skip to the next selected user without changing the user's password.
Click the Close button to discontinue changing passwords. Any previous changes made by using the Apply button remain; they are not undone by clicking this button.
Click this button to deny a specific user access to the system without deleting the user's account. This procedure is part of the EnlightenDSM security module; be cautious about who can access it. A pop-up window will prompt you to confirm this action.
Note: You must assign a new password to unlock a user; the existing password will be lost! See the previous section to assign a password.
Click this button to remove a lock from a user account. Because locking and unlocking user accounts is considered part of system security, EnlightenDSM will ask for a new password when it unlocks a User Account. See “Password” to create the new password.
Click this button to expire the password for the selected user account(s) immediately. This option will only work on systems that support password aging. The next time the user attempts to log in to the system, he or she will be forced to change his/her password. You must confirm this option before it will be executed.
For more details on password aging, see Appendix D, “Password Aging.”
Click this button to view existing User Account information. A pop-up window will appear (Figure 3-5).
The View User window is similar to the Create New User Account window. It has two additional fields that contain:
The date and time the user last logged in to the system (if available), and
The date and possibly the time the user last changed their password (if available).
This is a read-only window; no modifications may be made. If you have highlighted multiple usernames, click the Next button to see the next highlighted username.
See “Add” for a description of the display fields in this window. Refer to “Modify” to modify this information.
This command displays a window of all processes currently running that belong to the highlighted users. To view the processes, highlight the users you wish to view and then click the Processes button. A window will appear displaying all processes for the highlighted users. To further manipulate this information, see “Process Status”.
Click this button to push/remake the NIS maps on any active NIS servers. This updates the NIS servers and hosts on your network with any Host Entry changes you've made to the Configuration list. If there are no NIS servers to update for your choice(s), EnlightenDSM will display a dialog box telling you so.
You can use this module to query desired User account information on one or more users depending on your search criteria. You can search for active or inactive accounts, accounts using a specific shell, accounts assigned to specific office locations, and so on. Once your query is successful, you can then modify the accounts, monitor the accounts, print the account configurations, or send mail to the marked users.
When you activate this program, the following window will appear (Figure 3-6).
This window gives you the ability to search for information about the user that otherwise might be tedious and time-consuming to gather. The rest of this section describes the functionality of this window's fields and buttons. For additional descriptions of the field names, see “Add”.
This window contains the following fields:
You can use this field to specify that one or more user names will be used in the search criteria. Multiple user names may be entered, but must be separated by spaces.
You can use this field to specify that one or more group names will be used in the search criteria. Multiple group names may be entered, but must be separated by spaces.
You can use these fields to limit the range of the User IDs in the search criteria. This data must be numeric. When EnlightenDSM performs the search, user accounts whose UserID is less than or greater than the respective values are ignored.
You can use these fields to limit the range of the Group IDs in the search criteria. This data must be numeric. When EnlightenDSM performs the search, user accounts whose GroupID is less than or greater than the respective values are ignored.
You can use this field to find all users whose home directory matches this search criterion. Multiple directory names may be entered, but must be separated by spaces.
The standard UNIX wild cards '*', '[]', and '?', along with the negation operator '!', can be used in this field (e.g., /home/*).
You can use this field to find all shell programs that match this search criterion. Multiple shell names may be entered, but must be separated by spaces.
The standard UNIX wild cards '*', '[]', and '?', along with the negation operator '!', can be used in this field (e.g., /bin/[ck]sh).
You can use this field to find all users whose Real Name matches this search criterion. Multiple names may be entered, but must be separated by spaces.
You can use this field to find all users whose Office description matches this search criterion. Multiple locations may be entered, but must be separated by spaces.
You can use this field to find all users whose telephone number matches this search criterion. Multiple telephone numbers may be entered, but must be separated by spaces.
Every time a user gains access to the system, the system date is recorded. You can use this field to search for users based on the time of their last system login on the local system. If the user's date of last login is earlier than the date in this field, the search will skip the user.
This field can be used in two ways. The first is as a static date, where the date entered is the date used in the search. The second is a relative date, against the system clock. To specify a time format, see Appendix C, “Time Formats.”
Every time a user gains access to the system, the system date is recorded. You can use this field to specify a cutoff date the search program will use to match users. If the date of last login of a user is later than the date entered in this field, the search will skip the user.
To specify a time format, see Appendix C, “Time Formats.”
You must indicate which Password type is used in the search criteria: Encrypted, Locked, or None. Any combination of one or more of these three attributes may be selected (the default is all three).
This window contains the following buttons:
Execute Search
Once you've selected your search criteria, click the Execute Search button. A User Query Results window appears with the results listed. If you click this button without filling in any of the fields, all current users' information will be displayed.
Then you can use the following options to act further on the results:
Modify
Delete
Password
Lock
Unlock
Expire
View
Processes
See “Configure” for more details.
Clear Fields
Click this button to clear the existing choices in all fields.
Close
Click this button to discard any changes and close the window.
You can use this module to add, modify, delete, or assign users to one or more groups. EnlightenDSM will display the list of currently configured user groups, as shown in Figure 3-7.
The rest of this section details how to use the functionality of this module.
Click the Add button to create a new user group. A pop-up window will appear prompting you for the Hostnames, Group Name, and Group ID (Figure 3-8).
This window contains the following fields:
Hostnames
If you want to limit the creation of this group to specific hostnames within a pool, enter those hostnames in this field. If you are entering multiple entries, leave a blank between each entry. You can also use the arrow button to the right to select the available hosts from the current pool.
Group Name
The Group Name represents how this group will be identified. In most cases the name is related to the activities of the group. For example, the general accounting department group might be known as acctgen while the accounting supervisors group may be called acctsup. Enter the new User Group Name.
The Group ID (or GID) is how the operating system refers to the User Group. The Group ID is a numeric way of referring to a User Group, while the Group Name is the more user friendly way of referring to the same Group. Enter the GID number. Decimals are not allowed in this field.
Click this button to modify a group's parameters. A pop-up window similar to the Add Group window will appear, except you cannot modify the Hostnames field. To modify more than one group at a time, you must highlight each group individually before proceeding.
There are two additional buttons in the Modify window:
Click the Modify button (rather than the Add button) after you've made all your changes, and
Click the Next button to modify additional user accounts if you've selected more than one account to modify from the User Configuration list.
For a description of the rest of the buttons and fields in this window, see “Add”.
Click this button to delete a group definition. EnlightenDSM will prompt you to confirm your action. This command will remove the currently highlighted User Group from the system and also delete any links between the User Group and members of the group.
Click this button to add users, delete users, or move users to another group. A window will appear (Figure 3-9).
The rest of this subsection details how to use these window buttons.
Click this button to add users to a group. After you do so, a pop-up menu will be brought up showing all current users on the system. Highlight the users to add to this group and click the Apply button.
Click this button to delete one, some, or all of the users from the currently selected User Group. A pop-up window will appear asking you to confirm this action.
Click this button to move one or more User Accounts from the currently selected User Group to another defined User Group. A pop-up window will appear requesting the name of the new user group. You can also click the arrow button on the right to display a pick list of available groups. Highlight the group you wish to move the users to and then click Apply.
When you've selected a new user group, click the Apply button in the New User Group window. EnlightenDSM will then prompt you to confirm that each marked user should be moved to the new user group.
You can use this module to monitor login activity, process statuses, and CPU usage by user. The actual options are:
Who is Logged In
Process Status
CPU Summary
The rest of this section details how to use each of these options.
You can use this program to see at a glance which users are currently logged in to (accessing) the system (Figure 3-10). The program displays the following information: Hostname, Username, TTY, Login Time, Idle Time, Process ID, and the location of the TTY (if available).
You may select one or more user accounts for further processing by highlighting the desired users. Then select one of the following menu options:
Use the Write command to write a message directly to the highlighted users. When you click the Write button, a window will appear. You can now write a message of any length to each of the highlighted users (one at a time). When you have completed your message, press the <return> key and the message will be sent. To close down the window, press <Control>-C or the interrupt key. The recipient can respond to this message.
The Message command is similar to the Mail command (see Appendix A, “EnlightenDSM Basics,” in the EnlightenDSM User Guide), except a predefined or custom form letter is sent directly to the user's screen instead of the user's mailbox. Messages can only be sent to users logged in through the console. The recipient cannot reply to this message.
This command will terminate all highlighted work sessions by killing the initial Shell process belonging to the marked users.
Note: This command can be dangerous as it may also cause related user processes to be killed. Be careful!
This command displays a window of all processes currently running that belong to the highlighted users. To view the processes, highlight the users you wish to view and then click the Processes button. A window will appear displaying all processes for the highlighted users. To further manipulate this information, see the next section, “Process Status.”
You can use this menu item to display a list of all active processes (Figure 3-11).
Then you can select a process and use the menu buttons to impact it, as described in the following subsections.
This command is very powerful and can be extremely dangerous. It will immediately kill the highlighted process. This command will not kill related processes, so if there are child processes running they will become orphans and will have to be terminated separately. A pop-up window will prompt you for verification to terminate the process.
This command is similar to the Terminate command, except it provides enough time for the process to shut down properly. This means the process can close any files and terminate any child processes. A pop-up window will prompt you for verification to hang up the process.
This command stops a process from working, but it does not terminate the process. Essentially, this command puts a process on hold; it can be activated again at a later time. You must use the Continue command to re-activate a suspended process. A pop-up window will prompt you for verification to suspend the process.
This command allows you to re-activate a process that was previously put on hold by a Suspend command. A pop-up window will prompt you for verification to resume the process.
This command allows you to change the priority of a process. This priority determines when the CPU acts on a process. It may have a value from –19 to +19; the smaller the number, the higher the priority. Clicking the Priority button activates a Process Priority window. You can enter the desired priority or use the arrow buttons to make your selection.
This program allows you to view a breakdown of CPU usage by user. The Summary of Process window will show all currently logged in users, the current number of processes, and the total cumulative CPU usage for each active user (Figure 3-12).
You now have the option to Graph all or selected processes, or to view individual processes.
To graph the processes, highlight the information you wish to view and then click the Graph button. A window will appear displaying the highlighted items in a graphical format.
To view the processes, highlight the users you wish to view and then click the Processes button. A window will appear displaying all processes for the highlighted users. To further manipulate this information, see “Process Status”.
You can use User account templates to facilitate the creation of new user accounts.
Each template specifies the defaults EnlightenDSM will use when it adds a new user to the system. If you leave a field blank when you're adding a new user account, EnlightenDSM will substitute the default parameters set up for that field.
Choose New User Templates from the User menu to display the New User Template Configuration window (Figure 3-13).
From here, you have the option to:
Add | Create a new template. No fields are initialized.
Modify | Modify the highlighted template.
Delete | Delete the highlighted template.
Copy | Create a second template using the values in the selected template as a starting point.
Click this button to create a new template. The New User Template Add window will appear (Figure 3-14).
The window has the following fields:
Template Name
Use this field to specify the template's name.
Description
Use this field to briefly describe this template's purpose. This is used by other commands, such as Session Preferences and Adding Users, when you want a pop-up list of available templates displayed.
Login Name Macro
Use this field to specify a macro for the user name. See “User Account Macros” for more information.
Home directory
The Home directory field specifies where the user's start-up directory is attached. Most systems will use /usr or /home as the default parent directory. Each user will have their own directory created under the default home directory; for example, /usr/charlie. EnlightenDSM stores /usr as the default HOME directory unless you change this field. If the default Home Directory is /eng, and the login name of the new user account is fred, the name of the HOME directory EnlightenDSM generates would be:
/eng/fred
You can also use macros in this field. See “User Account Macros” for more information.
The Shell is a program that acts as a translator between the user and the UNIX operating system. There may be several standard shells on a system, including the C Shell, the Bourne Shell, the Korn Shell and the restricted Bourne, C, and Korn Shells. Each shell has its own start-up executable program as shown below.
Bourne Shell | /bin/sh
Restricted Bourne Shell |
C Shell | /bin/csh
Korn Shell | /bin/ksh
Restricted Korn Shell |
Other | user defined
EnlightenDSM uses the Bourne shell as the default shell in this field (/bin/sh). The number of standard shells available for this field depends on your system. Click the arrow button to display a pick list of available shells.
Primary Group Name
Every user account must be assigned to at least one User Group. The User Group is part of the UNIX security system; each user group has specific read, write, and execute privileges associated with every file created on the system.
Enter the Primary Group Name for this template. You can also click the arrow button for a pick list of defined User Groups and make your selection from there. If you enter a Primary Group Name that does not exist, EnlightenDSM will prompt for a correct Group Name when it tries to create the user.
You can use this field to put the user in additional user groups. This will effectively give the user more group privileges beyond those set in the primary user group. Enter the names of the user groups to which the user should also belong. If you are using multiple entries, leave a blank between each entry.
You can also click the arrow button for a pick list of defined User Groups. Select the User Groups and click the Apply button to import them.
UID Range from... To
You can use these fields to define a UID range for the template. This range is used if you set the next field to have a UID automatically generated for the user.
Automatically Generate Unique UID if it's missing
Each user account created must have a UserID number. Use this toggle to choose whether a unique UID is generated for a new user if you don't specify one during creation of the new user account. The default is not to (No).
The password is part of the UNIX security system. Each user must have a password. If you make the password the same as the user login, the user can then reset the password to one of his or her own choice. Don't use passwords, such as spouse names, pet names, or addresses, that are easy for another user to guess.
You can also use macros in this field. See “User Account Macros” for more information.
Note: If the entry in the password field is not long enough, an error message will be displayed when you try to add this user account.
For systems that support password aging, this optional field allows you to set the time when the password will expire. Once a password has expired, the system will force the user to change their password the next time they log in to the system.
If this field is left blank, the appropriate default parameter will be used. If no default is set in the User Add window (when you're adding a user), password aging will be turned off for that user. For more details, refer to Appendix D, “Password Aging.”
To specify a time format, see Appendix C, “Time Formats.”
In conjunction with the previous field, this field defines the minimum period of time that needs to elapse before the user can change his or her password. To specify a time format, see Appendix C, “Time Formats.”
Note: You can change the user's password at any time by using the Password button in the User Configuration window. See “Password” for more details.
Minimum Password Length
Each user account has a password associated with it. This password is defined when the user account is created and may be changed any time thereafter. This field accepts a numeric entry defining the minimum length that the (new) password must be whenever the password is created or modified. You can also use the counter buttons on the right to increment or decrement the number shown.
Note: If you set this value to zero, the user does not need to use a password when logging in to the system; however, the user will be asked by the system to enter a password. The user can then log in by hitting the <return> key.
Require user to have a password
It may be necessary for a user to have no password. By default, EnlightenDSM forces each user to have a password. To configure user accounts with no password, set this toggle to No.
Mail Alias
This field specifies the default mail alias the account will use. An alias designates a short name as the substitute for the full pathname for a particular user or group, for example, laura for [email protected].
You can also use macros in this field. See “User Account Macros” for more information.
Mail Lists
This field specifies which mailing lists will be updated to include this user account. A mail list defines a group of people under one alias, so sending mail to that alias will distribute a copy to everyone on that list. If you are using multiple entries, leave a blank between each entry. You can also click the arrow button for a pick list of defined Mail Lists and make your selection(s) from there.
The New User Template Add window has the following buttons:
Add
Once you've specified all the values for the new user template, click this button to save it. Then you can access this template when you are setting your session preferences (see “Session Preferences”) or adding users (see “Add”).
Clear Fields
Click this button to clear the existing choices in all fields.
Cancel
Click this button to close the window without making any changes.
Click this button to modify a template's values. A pop-up window similar to the New User Template Add window will appear, except the Template Name field is view-only.
There are also two button differences in the Modify window:
Click the Modify button (rather than the Add button) after you've made all your changes, or
Click the Next button to modify additional templates if you've selected more than one to modify from the template list.
For a description of the rest of the buttons and fields in this window, see “Add”.
Click this button to delete a template from the template list. EnlightenDSM will prompt you to confirm your action.
Click this button to copy the set of values in the selected template to a second template. The User New Template Add window will appear showing the highlighted template's values in each of the fields. You can edit this window as needed and then click the Add button to complete the copy.
See “Add” for a description of how to use this window's fields and buttons.
These scripts allow you to customize the actions taken when creating, modifying or deleting user accounts.
adduser.rc. Xenln calls this script when it creates a user, after the password entry is added. Because this script uses environment variables (instead of command line options, as user.rc used to), the information does not have to be renumbered when one is added or deleted.
Supported variables:
pw_createhomedir copies the CREATEHOMEDIR params file entry. If the params file entry is missing, then pw_createhomedir is set to "1".
pw_realname, pw_telephone, pw_shell, pw_uid, pw_gid and pw_lname correspond to Real name, Telephone, Shell, User ID, Group name, and Login name, respectively.
pw_home corresponds to Home directory. This field will have the $HOMEDIR macro expansion done with the HOMEDIRLOCAL params file entry (that is, $HOMEDIR in the GUI field will be replaced by HOMEDIRLOCAL in this parameter, but with HOMEDIRPASSWD when the entry is being written to the password file).
If the home directory field of the GUI contains "$HOMEDIR", then that string will be replaced by the params file entry HOMEDIRPASSWD when the password file entry is written. Separately, "$HOMEDIR" will be replaced by the params file entry HOMEDIRLOCAL, and that result will be passed to adduser.rc as the pw_home environment variable.
These scripts can be used to set up automounter maps automatically for new users by modifying the commented examples in the scripts. The example assumes that the $HOMEDIR substitution sets /home/username in the password map and sets $pw_home to /host/realhomedir. The sed commands strip out the host and the real home directory into separate variables, then create the automount mapping. Finally, the example creates a home directory as user.rc used to do.
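The split described above can be sketched as follows. This is an added example, not the commented example shipped in adduser.rc: it assumes pw_home has the form /host/realhomedir, that the target is an indirect map for /home, and the function names, the host srv1 and the map file are hypothetical. Because every client trusts the map, the login name and path are validated before an entry is built.

```shell
#!/bin/sh
# Added example, not the commented example shipped in adduser.rc.
# Assumptions: pw_home has the form /host/realhomedir and the map is an
# indirect map for /home. Function names and sample values are hypothetical.

# Print "login<TAB>host:/real/home/dir", or fail if any part looks unsafe.
automount_entry() {
    login=$1 home=$2
    # Login: lowercase letter or underscore first, then a small safe set.
    # This also keeps map metacharacters such as '&' and '*' out of the key.
    case "$login" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    # Path: conservative character set, no "." or ".." components.
    case "$home" in *[!A-Za-z0-9/._-]*) return 1 ;; esac
    case "$home/" in */../*|*/./*) return 1 ;; esac
    # First path component is the host, the remainder is the real directory.
    host=$(printf '%s\n' "$home" |
        sed -n 's|^/\([A-Za-z0-9][A-Za-z0-9.-]*\)/.*$|\1|p')
    real=$(printf '%s\n' "$home" | sed -n 's|^/[^/]*\(/.*\)$|\1|p')
    [ -n "$host" ] && [ -n "$real" ] && [ "$real" != / ] || return 1
    printf '%s\t%s:%s\n' "$login" "$host" "$real"
}

# Append the entry to map file $1 unless the key already exists, so an
# existing mapping is never overridden or duplicated. Returns 2 in that case.
add_entry() {
    map=$1
    entry=$(automount_entry "$2" "$3") || return 1
    if awk -v k="$2" '$1 == k { found = 1 } END { exit !found }' \
        "$map" 2>/dev/null; then
        return 2
    fi
    printf '%s\n' "$entry" >> "$map"
}

# Constructed sample values standing in for pw_lname and pw_home.
automount_entry fred /srv1/export/fred
```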
moduser.rc is similar to adduser.rc, except that it also passes in the following variables:
pw_old_uid pw_old_gid pw_old_shell pw_old_home
These variables contain the old UID, GID, shell and home directory.
It is left to the user to check each of these variables against its current counterpart (for example, whether pw_gid is the same as pw_old_gid) to detect changes. For example, a user may do a recursive chown/chgrp if the UID or GID is all that changed, or perhaps a recursive copy if the home directory changed.
No indication of the old contents of the GECOS (full name, office, telephone) field is given. If none of the above 4 variables indicates any change, then this script does nothing.
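The comparison of old and new values can be sketched as follows. This is an added example, not the shipped moduser.rc: the function names and sample values are hypothetical, and it assumes the hook runs with root privileges, so each value is validated before any command is built from it. The commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not the shipped moduser.rc: decide what a moduser.rc-style
# hook should do from the pw_* and pw_old_* variables, validating them first.
# Assumption: the hook runs with root privileges, so values are untrusted.

# Accept only a non-empty decimal number (UID or GID).
valid_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Accept only an absolute path from a conservative character set, with no
# "." or ".." components, and never the root directory itself.
valid_home() {
    case "$1" in
        /|//*) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in *[!A-Za-z0-9/._-]*) return 1 ;; esac
    case "$1/" in */./*|*/../*) return 1 ;; esac
}

# Print one word: reject, move, chown or none.
plan_action() {
    for id in "$pw_uid" "$pw_gid" "$pw_old_uid" "$pw_old_gid"; do
        valid_id "$id" || { echo reject; return 0; }
    done
    for dir in "$pw_home" "$pw_old_home"; do
        valid_home "$dir" || { echo reject; return 0; }
    done
    if [ "$pw_home" != "$pw_old_home" ]; then
        echo move     # home directory changed: contents must be relocated
    elif [ "$pw_uid" != "$pw_old_uid" ] || [ "$pw_gid" != "$pw_old_gid" ]; then
        echo chown    # only ownership changed: re-own the files in place
    else
        echo none     # a shell-only change needs no work on disk
    fi
}

# Print (not run) the commands for the plan. find -user limits the change to
# files the old UID owned, -xdev stays on one filesystem, and chown -h acts on
# a symbolic link itself rather than on the file it points to.
show_commands() {
    case "$(plan_action)" in
        chown)
            echo "find $pw_home -xdev -user $pw_old_uid -exec chown -h $pw_uid {} +"
            echo "find $pw_home -xdev -group $pw_old_gid -exec chgrp -h $pw_gid {} +" ;;
        move)   # mkdir fails if the target already exists, so nothing is
                # copied into a directory prepared by someone else
            echo "mkdir -m 700 $pw_home && cp -RPp $pw_old_home/. $pw_home/" ;;
        reject)
            echo "refusing to act: invalid pw_* value" >&2; return 1 ;;
    esac
}

# Constructed sample: GID changed from 20 to 50, everything else unchanged.
( pw_uid=1204 pw_gid=50 pw_home=/eng/fred
  pw_old_uid=1204 pw_old_gid=20 pw_old_home=/eng/fred
  show_commands )
```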
There are two scripts to handle deleting a user. After the passwd file entry is removed, deluser.rc runs. Then a dialog box asks if the home directory should be removed. Deleting the home directory is done through delhome.rc.
deluser.rc deletes a user. It takes one parameter, pw_lname, the username to delete. This script is called AFTER the passwd file entry has been removed, so the login name is likely the only information that is available.
delhome.rc deletes the home directory. It takes 3 parameters: pw_home, which is the old passwd file home directory entry, pw_homedirlocal, which is the related params file entry, and pw_homedirpasswd, which is also the related params file entry.