ocfstaff If you have root privileges, you can add or remove people from ocfstaff by
editing the group in LDAP:
$ kinit you/admin
you/admin@OCF.BERKELEY.EDU's Password:
$ ldapvi cn=ocfstaff
Then add or remove the appropriate memberUid attribute.
ocfroot Before giving anyone root privileges, make sure to obtain authorization from the SM.
Adding or removing people from ocfroot is similar to modifying
ocfstaff. However, if you are adding someone to root staff, in addition to
modifying LDAP, you will also have to create their /root and /admin
principals (if those don't already exist). For example, to create the
/admin principal, you would do:
$ kadmin
kadmin> add otherstaffer/admin
you/admin@OCF.BERKELEY.EDU's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
otherstaffer/admin@OCF.BERKELEY.EDU's Password:
Verify password - otherstaffer/admin@OCF.BERKELEY.EDU's Password:
At the very first prompt, you are prompted for your password. It's safe to
accept the defaults for the next few prompts. The last two prompts should be
filled in by the new root staffer; it will become the password for their
/root or /admin principal.
After you've created these principals, you'll need to grant them powers in the Kerberos ACL file in Puppet.
Also add the new root staffer to the Admin team in our GitHub org and grant them RT admin privileges.
TODO
In order to gain access to the firewall, it is necessary to email someone from the ASUC Student Union to ask them to fill out the Telecom Shopping Cart on your behalf. Send them an email with the CalNet IDs of the people you want to add to the firewall, and have an existing firewall administrator authorize the request. As of Fall 2017, the Facilities Coordinator has worked to get new people added to the firewall, although it is likely that this process will change in Spring/Fall 2018 when the firewall is changed as part of the bSecure project.