The process of creating a new group is basically (modified from ticket #263):

Identify the next unclaimed group ID in the basic group range (1500 to 1999 for CAL). To do this properly from cal-admin, we should store the "next gid" in LDAP, analogously to ou=nextUid,ou=admin,dc=astro,dc=columbia,dc=edu. When doing it by hand, you can look at the group IDs already present (one "name gid" pair per line, sorted by gid, so gaps and the highest used gid are easy to spot) with:

 getent group | cut -f1,3 -d: --output-delimiter=' ' | sort -n -k2 | less

Then create an LDIF file analogous to this example (the caladmins group):

 dn: cn=caladmins,ou=Groups,dc=astro,dc=columbia,dc=edu
 objectClass: posixGroup
 cn: caladmins
 gidNumber: 1500
 description: Administrators for the Columbia Astrophysics Laboratory
 memberUid: dkg
 memberUid: cdelacruz

NOTES: Check every line of the file to make sure it's right!

  • Make sure the gidNumber is not already taken by another group.
  • Make sure the cn in the dn: line matches that in the cn: line.
  • Make sure the cn is not already taken by another group.
  • Make sure the description is correct.
  • Make sure that the members are properly assigned.
  • Triple-check the file before proceeding!

Finally, if you have initialized your krb5 ccache for an admin principal, and you have the triple-checked LDIF file in foo.ldif, you can install it in LDAP with the command below (-ZZ forces StartTLS and aborts if it cannot be negotiated; without -x, ldapadd authenticates via SASL/GSSAPI using that ccache):

 ldapadd -ZZ -f foo.ldif
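The steps above (find a free gid, write the LDIF, check it against the rules in the notes) as one script. This is an added example, not code from this page or from cal-admin. It takes group entries in getent(1) "name:x:gid:members" format on stdin, so it can be run against real `getent group` output or against the constructed sample embedded below; the gid range and the ou=Groups base DN are taken from the page, and the group names, members and descriptions in the sample are made up.

```shell
#!/bin/sh
# Added example (not part of the page or of cal-admin): helpers for the manual
# group-creation procedure. Group entries are read from stdin in the format
# produced by `getent group`, i.e. name:x:gid:member1,member2,...

BASE_DN="ou=Groups,dc=astro,dc=columbia,dc=edu"   # from the page
GID_LO=1500                                        # CAL basic group range, from the page
GID_HI=1999

# Constructed sample of `getent group` output (hypothetical groups/users).
SAMPLE_GROUPS='root:x:0:
caladmins:x:1500:dkg,cdelacruz
calusers:x:1501:dkg
observers:x:1503:cdelacruz
wheel:x:10:dkg'

# next_free_gid LO HI  < group-lines
# Prints the lowest gid in [LO,HI] not already taken; exits 1 if the range is full.
next_free_gid() {
    awk -F: -v lo="$1" -v hi="$2" '
        { used[$3] = 1 }
        END {
            for (g = lo; g <= hi; g++) if (!(g in used)) { print g; exit 0 }
            exit 1
        }'
}

# group_exists NAME < group-lines   (exit 0 if a group with that name exists)
group_exists() {
    awk -F: -v n="$1" 'BEGIN { rc = 1 } $1 == n { rc = 0 } END { exit rc }'
}

# gid_in_use GID < group-lines      (exit 0 if some group already has that gid)
gid_in_use() {
    awk -F: -v g="$1" 'BEGIN { rc = 1 } $3 == g { rc = 0 } END { exit rc }'
}

# make_group_ldif CN GID DESCRIPTION [MEMBER...]  -> LDIF for a posixGroup on stdout
make_group_ldif() {
    cn=$1; gid=$2; desc=$3; shift 3
    printf 'dn: cn=%s,%s\n' "$cn" "$BASE_DN"
    printf 'objectClass: posixGroup\n'
    printf 'cn: %s\n' "$cn"
    printf 'gidNumber: %s\n' "$gid"
    printf 'description: %s\n' "$desc"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
}

# check_group_ldif FILE < group-lines
# The "triple-check" from the notes, mechanised: the cn in the dn must match
# the cn: line, the gid must be inside the range, and neither cn nor gid may
# already be taken by an existing group. Returns 1 with a message on failure.
check_group_ldif() {
    file=$1
    groups=$(cat)   # slurp stdin once; it is needed for two lookups
    dn_cn=$(sed -n 's/^dn: cn=\([^,]*\),.*/\1/p' "$file")
    cn=$(sed -n 's/^cn: //p' "$file")
    gid=$(sed -n 's/^gidNumber: //p' "$file")
    [ -n "$dn_cn" ] && [ "$dn_cn" = "$cn" ] \
        || { echo "cn mismatch: dn has '$dn_cn', cn: line has '$cn'" >&2; return 1; }
    [ "$gid" -ge "$GID_LO" ] 2>/dev/null && [ "$gid" -le "$GID_HI" ] \
        || { echo "gidNumber '$gid' is outside $GID_LO-$GID_HI" >&2; return 1; }
    printf '%s\n' "$groups" | group_exists "$cn" \
        && { echo "cn $cn is already taken" >&2; return 1; }
    printf '%s\n' "$groups" | gid_in_use "$gid" \
        && { echo "gid $gid is already taken" >&2; return 1; }
    return 0
}

# Demo against the constructed sample: 1500, 1501 and 1503 are used, so the
# next free gid is 1502; the generated LDIF is printed for review.
demo_gid=$(printf '%s\n' "$SAMPLE_GROUPS" | next_free_gid "$GID_LO" "$GID_HI")
make_group_ldif calstudents "$demo_gid" "Student accounts for CAL (sample)" alice bob
```

In practice you would redirect that output to foo.ldif, run `getent group | check_group_ldif foo.ldif` (the NSS view includes local /etc/group entries as well as LDAP, which is what you want for the collision check), still read the file yourself, and only then run the ldapadd command above. Afterwards `getent group <cn>` should show the new group with the expected gid and members.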

Note: /usr/sbin/cal-admin should be extended to encompass group creation.

Further reading: