docs/doc/source/security/kubernetes/delete-ldap-linux-accounts-7de0782fbafd.rest
Suzana Fernandes 0bf77eef8e Update User Management Section in the SECURITY guide
Change-Id: I753b0cd3912d2f9bc53c50906c05e90f2443d3f0
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2025-10-15 17:30:18 +00:00


.. _delete-ldap-linux-accounts-7de0782fbafd:

Delete Local LDAP Linux Accounts
--------------------------------

.. rubric:: |context|

When a |LDAP| user account is created in the |LDAP| server using the
:command:`sudo ldapusersetup` command, a corresponding |LDAP| Linux user is
created on the |prod| by mapping the |LDAP| user attributes to Linux user
attributes. Deleting a |LDAP| Linux account therefore involves both the
deletion of the user from the Linux system and the deletion of the
corresponding |LDAP| server object.

.. rubric:: |proc|

The following steps describe the procedure to delete |LDAP| Linux accounts.

#. |Optional| Logged in as sysadmin, check that the user exists on |prod|
   using one of the following commands:

   .. code-block:: none

      id <username>

   .. code-block:: none

      getent passwd <username>

#. Delete the |LDAP| user.

   .. code-block:: none

      ~(keystone_admin)]$ sudo ldapdeleteuser <username>

   This command removes the |LDAP| user from both the |LDAP| server and
   the Linux platform.

#. Check that the |LDAP| user was removed from the local |LDAP| server.

   .. code-block:: none

      ~(keystone_admin)]$ sudo ldapsearch -x -LLL -b dc=cgcs,dc=local

   or

   .. code-block:: none

      ~(keystone_admin)]$ sudo ldapfinger <username>

   .. note::

      The SSSD service synchronizes |LDAP| Linux users from the |LDAP|
      server. This may take several minutes, because it is done according
      to the ``ldap_enumeration_refresh_timeout`` time interval setting.

#. Check that the local |LDAP| Linux user was removed from the cloud platform.

   .. code-block:: none

      ~(keystone_admin)]$ id <username>

   or

   .. code-block:: none

      ~(keystone_admin)]$ getent passwd <username>

The |LDAP| Linux user's home directory still exists after the user has been
removed.

The Linux home directories of deleted Linux |LDAP| users must be managed
(for example, cleaned up) by the system administrator. The platform does not
remove them together with the user.

The system administrator can back up (off system) and/or delete the home
directories.
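The verification steps above (NSS lookup after deletion, SSSD refresh delay, and the leftover home directory) can be combined into one post-deletion check. This is an added example, not part of the StarlingX documentation; it assumes the user was already removed with ``sudo ldapdeleteuser``, that SSSD is the NSS source for |LDAP| users, and that home directories live under a base directory such as ``/home``.

```shell
#!/bin/sh
# Post-deletion check for a local LDAP Linux account. Added example, not part
# of the StarlingX docs. Assumes the user was already removed with
# "sudo ldapdeleteuser <username>", that SSSD is the NSS source for LDAP
# users (so "getent passwd" is the platform-side view), and that home
# directories live under a base directory such as /home.

# 0: user no longer resolves via NSS; 1: still resolves (SSSD may not have
# refreshed yet); 2: getent is not available on this host.
nss_user_gone() {
    command -v getent >/dev/null 2>&1 || return 2
    if getent passwd "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# 0: no leftover home directory under the base; 1: it still exists (the
# platform does not remove it), printing its path.
home_dir_clean() {
    if [ -d "$2/$1" ]; then
        printf '%s\n' "$2/$1"
        return 1
    fi
    return 0
}

# Prints one line per check; returns 0 only if the account is gone from NSS
# (or getent is unavailable) and no home directory is left behind.
verify_ldap_user_removed() {
    user="$1"; base="${2:-/home}"; status=0
    nss_user_gone "$user" && rc=0 || rc=$?
    case "$rc" in
        0) echo "OK: '$user' no longer resolves via getent passwd" ;;
        1) echo "PENDING: '$user' still resolves; wait for the SSSD" \
                "ldap_enumeration_refresh_timeout interval and retry"
           status=1 ;;
        *) echo "SKIP: getent not available, cannot check NSS" ;;
    esac
    if leftover=$(home_dir_clean "$user" "$base"); then
        echo "OK: no home directory under $base for '$user'"
    else
        echo "ACTION: $leftover still exists; back it up off-system and/or delete it"
        status=1
    fi
    return "$status"
}

# Usage: verify_ldap_user_removed <username> [home_base]
```

Run it after ``ldapdeleteuser`` and again after the SSSD refresh interval if it reports ``PENDING``.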