Add doc to create and manage LDAP Linux groups

Added a new section "Create LDAP Linux Groups" in the StarlingX
Security documentation for creation and management of LDAP Linux
groups (stx 9).

Story: 2010738
Task: 49505

Change-Id: I31abf4ff1e01e0209e95857384b76937dee29967
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Carmen Rata 2024-02-02 14:37:08 +00:00
parent 90bd0e97cd
commit 979635b9e1
2 changed files with 108 additions and 0 deletions


@ -0,0 +1,107 @@
.. vaq1552681912484
.. _create-ldap-linux-groups-4c94045f8ee0:
==========================
Create LDAP Linux Groups
==========================
|prod| offers |LDAP| commands to create and manage |LDAP| Linux groups as part of the `ldapscripts` library.
.. rubric:: |context|
.. note::
For security reasons, it is recommended that ONLY admin level users be
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
strictly use remote CLIs or remote web GUIs.
The main commands that manage |LDAP| Linux groups are: ``ldapaddgroup`` ,
``ldapaddusertogroup``, ``ldapdeletegroup``, ``ldapdeleteuserfromgroup``.
To list all the commands in the `ldapscripts` library, the following command
can be used:
.. code-block:: none
sysadmin@controller-0:~$ ls /usr/sbin/ldap*
/usr/sbin/ldapaddgroup /usr/sbin/ldapid
/usr/sbin/ldapaddmachine /usr/sbin/ldapinit
/usr/sbin/ldapaddsudo /usr/sbin/ldapmodifygroup
/usr/sbin/ldapadduser /usr/sbin/ldapmodifymachine
/usr/sbin/ldapaddusertogroup /usr/sbin/ldapmodifysudo
/usr/sbin/ldapdeletegroup /usr/sbin/ldapmodifyuser
/usr/sbin/ldapdeletemachine /usr/sbin/ldaprenamegroup
/usr/sbin/ldapdeletesudo /usr/sbin/ldaprenamemachine
/usr/sbin/ldapdeleteuser /usr/sbin/ldaprenameuser
/usr/sbin/ldapdeleteuserfromgroup /usr/sbin/ldapsetpasswd
/usr/sbin/ldapfinger /usr/sbin/ldapsetprimarygroup
/usr/sbin/ldapgid /usr/sbin/ldapusersetup
The |LDAP| commands usage information can be found from man pages or using
the "--help" option. For example, this is the usage information for creating
or adding a |LDAP| Linux group.
.. code-block:: none
sysadmin@controller-0:~$ ldapaddgroup --help
Usage : /usr/sbin/ldapaddgroup <groupname> [gid]
sysadmin@controller-0:~$ man ldapaddgroup
ldapaddgroup(1) General Commands Manual
ldapaddgroup(1)
NAME
ldapaddgroup - adds a POSIX group entry to LDAP.
SYNOPSIS
ldapaddgroup <groupname> [gid]
OPTIONS
<groupname>
The name of the group to add.
[gid] The gid of the group to add. Automatically computed if
not specified.
|LDAP| Linux group command examples:
Create a group
.. code-block:: none
$ sudo ldapaddgroup group-test
Successfully added group group-test to LDAP
Add a user to the group
.. code-block:: none
$ sudo ldapaddusertogroup user-test group-test
Successfully added user user-test to group cn=group-test,ou=Group,
dc=cgcs,dc=local
Delete a user membership from the group
.. code-block:: none
sysadmin@controller-0:~$ ldapdeleteuserfromgroup --help
Usage : /usr/sbin/ldapdeleteuserfromgroup <username | dn> <groupname | gid>
$ sudo ldapdeleteuserfromgroup user-test group-test
Successfully deleted user user-test from group cn=group-test,ou=Group,
dc=cgcs,dc=local
Delete a group
.. code-block:: none
sysadmin@controller-0:~$ ldapdeletegroup --help
Usage : /usr/sbin/ldapdeletegroup <groupname | gid>
$ sudo ldapdeletegroup group-test
Successfully deleted group cn=group-test,ou=Group,dc=cgcs,dc=local
from LDAP
After the execution of a |LDAP| Linux group command, the command prompt is
displayed.
.. code-block:: none
controller-0: ~$
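Review bot: The two delete examples (``ldapdeleteuserfromgroup`` and ``ldapdeletegroup``) paste ``--help`` output into the same code block as the example command, while the "Create a group" and "Add a user to the group" examples do not; either drop the help output from the delete blocks or move it up beside the ``ldapaddgroup --help`` sample so each example block shows only the command and its result. In the same vein, none of the examples shows how to confirm the change; since ``ldapgid`` already appears in the ``ls /usr/sbin/ldap*`` listing, a closing step such as `ldapgid group-test` after the create and membership examples would let an operator verify the group and its members before relying on them, and the final "the command prompt is displayed" block with ``controller-0: ~$`` adds nothing and can be removed. Two wording fixes: "``ldapaddgroup`` ," has a stray space before the comma, and "usage information can be found from man pages or using the "--help" option" should read "can be found in the man pages or with the ``--help`` option".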


@ -43,6 +43,7 @@ For more information, refer to the following:
the-sysadmin-account
local-ldap-linux-user-accounts
create-ldap-linux-accounts
create-ldap-linux-groups-4c94045f8ee0
delete-ldap-linux-accounts-7de0782fbafd
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
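Review bot: The toctree entry ``create-ldap-linux-groups-4c94045f8ee0`` is resolved by document path, not by the ``_create-ldap-linux-groups-4c94045f8ee0`` label defined inside the new page, and this rendering does not show the new file's path, so confirm the page added in the first hunk is saved as ``create-ldap-linux-groups-4c94045f8ee0.rst`` in the same directory as ``create-ldap-linux-accounts``; otherwise Sphinx will warn about a nonexisting toctree document and the page will not be reachable. Placing it between the create-accounts and delete-accounts entries is consistent with the existing ordering.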