2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. vaq1552681912484
|
|
|
|
|
.. _create-ldap-linux-accounts:
|
|
|
|
|
|
|
|
|
|
==========================
|
|
|
|
|
Create LDAP Linux Accounts
|
|
|
|
|
==========================
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
|prod| includes a script for creating |LDAP| Linux accounts.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. rubric:: |context|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
.. note::
|
|
|
|
|
For security reasons, it is recommended that ONLY admin level users be
|
|
|
|
|
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
|
2022-05-20 10:32:15 -03:00
|
|
|
strictly use remote CLIs or remote web GUIs.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
The :command:`ldapusersetup` command provides an interactive method for setting
|
|
|
|
|
up |LDAP| Linux user accounts.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
Centralized management is implemented using two |LDAP| servers, one running on
|
|
|
|
|
each controller node. |LDAP| server synchronization is automatic using the
|
|
|
|
|
native |LDAP| content synchronization protocol.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
A set of |LDAP| commands is available to operate on |LDAP| user accounts. The
|
2020-08-31 11:01:56 -04:00
|
|
|
commands are installed in the directory /usr/local/sbin, and are available to
|
|
|
|
|
any user account in the sudoers list. Included commands are
|
|
|
|
|
:command:`lsldap`, :command:`ldapadduser`, :command:`ldapdeleteuser`, and
|
|
|
|
|
several others starting with the prefix :command:`ldap`.
|
|
|
|
|
|
|
|
|
|
Use the command option --help on any command to display a brief help message,
|
|
|
|
|
as illustrated below.
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
|
|
|
$ ldapadduser --help
|
|
|
|
|
Usage : /usr/local/sbin/ldapadduser <username> <groupname | gid> [uid]
|
|
|
|
|
$ ldapdeleteuser --help
|
|
|
|
|
Usage : /usr/local/sbin/ldapdeleteuser <username | uid>
|
|
|
|
|
|
|
|
|
|
.. rubric:: |prereq|
|
|
|
|
|
|
|
|
|
|
For convenience, identify the user's Keystone account user name in |prod-long|.
|
|
|
|
|
|
|
|
|
|
.. rubric:: |proc|
|
|
|
|
|
|
|
|
|
|
#. Log in as **sysadmin**, and start the :command:`ldapusersetup` script.
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
|
|
|
controller-0: ~$ sudo ldapusersetup
|
|
|
|
|
|
|
|
|
|
#. Follow the interactive steps in the script.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#. Provide a user name.
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2024-01-16 06:40:50 +00:00
|
|
|
Enter username to add to LDAP: teamadmin
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2024-01-16 06:40:50 +00:00
|
|
|
Successfully added user teamadmin to LDAP
|
|
|
|
|
Successfully set password for user teamadmin
|
|
|
|
|
Warning : password is reset, user will be asked to change password at login
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2024-01-16 06:40:50 +00:00
|
|
|
#. Specify whether the user should have sudo capabilities or not.
|
|
|
|
|
Enabling ``sudo`` privileges allows the LDAP users to execute the
|
|
|
|
|
following operations:
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2024-01-16 06:40:50 +00:00
|
|
|
- ``sw_patch`` to unauthenticated endpoint
|
|
|
|
|
- ``docker`` and/or ``crictl`` commands to communicate with the respective daemons
|
|
|
|
|
- Utilities ``show-certs.sh`` and ``license-install`` (recovery only)
|
|
|
|
|
- IP configuration for local network setup
|
|
|
|
|
- Password change of local openldap users
|
|
|
|
|
- Access to restricted files, example: restricted logs
|
|
|
|
|
- Manual reboots
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
|
|
|
Add teamadmin to sudoer list? (yes/NO): yes
|
|
|
|
|
Successfully added sudo access for user teamadmin to LDAP
|
|
|
|
|
|
|
|
|
|
#. Specify a secondary user group for this |LDAP| user. For example, ``sys_protected group``.
|
|
|
|
|
|
|
|
|
|
The purpose of having OpenLDAP/WAD users as a part of the ``sys_protected`` group on the |prod|
|
|
|
|
|
platform is to allow them to execute the |prod| system operations via
|
|
|
|
|
``source/etc/platform/openrc``. The LDAP user in the ``sys_protected`` group will be
|
|
|
|
|
equivalent to the special ``sysadmin`` bootstrap user, and will have the following:
|
|
|
|
|
|
|
|
|
|
- Keystone admin/admin identity and credentials
|
|
|
|
|
- Kubernetes ``/etc/kubernetes/admin.conf`` credentials
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2024-01-16 06:40:50 +00:00
|
|
|
Add teamadmin to secondary user group? (yes/NO): yes
|
|
|
|
|
Secondary group to add user to? [sys_protected]:
|
|
|
|
|
Successfully added user teamadmin to group cn=sys_protected,ou=Group,dc=cgcs,dc=local
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
#. Change the password duration.
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
|
|
|
Enter days after which user password must be changed [90]:
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2022-05-20 10:32:15 -03:00
|
|
|
Successfully modified user entry uid=ldapuser1, ou=People, dc=cgcs, dc=local in LDAP
|
2020-08-31 11:01:56 -04:00
|
|
|
Updating password expiry to 90 days
|
|
|
|
|
|
|
|
|
|
#. Change the warning period before the password expires.
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
|
|
|
Enter days before password is to expire that user is warned [2]:
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2024-01-16 06:40:50 +00:00
|
|
|
Successfully modified user entry uid=teamadmin,ou=People,dc=cgcs,dc=local in LDAP
|
2020-08-31 11:01:56 -04:00
|
|
|
Updating password expiry to 2 days
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
On completion of the script, the command prompt is displayed.
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
|
|
|
controller-0: ~$
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. rubric:: |result|
|
|
|
|
|
|
2022-05-20 10:32:15 -03:00
|
|
|
The Local |LDAP| account is created. For information about the user login
|
|
|
|
|
process, see :ref:`For StarlingX and Platform OpenStack CLIs from a Local LDAP
|
|
|
|
|
Linux Account Login <establish-keystone-credentials-from-a-linux-account>`.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2022-05-20 10:32:15 -03:00
|
|
|
For managing composite Local |LDAP| Accounts (i.e. with associated Keystone and
|
|
|
|
|
Kubernetes accounts) for a standalone cloud or a distributed cloud, see
|
|
|
|
|
:ref:`Manage Composite Local LDAP Accounts at Scale
|
|
|
|
|
<manage-local-ldap-39fe3a85a528>`.
|
