f125a8b892
This change addresses a long-standing issue in rST documentation imported from XML.
That import process added backslash escapes in front of various characters. The three
most common being '(', ')', and '_'.
These instances are removed.
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e
65 lines
2.3 KiB
ReStructuredText
65 lines
2.3 KiB
ReStructuredText
|
|
.. xgp1595963622893
|
|
.. _local-and-ldap-linux-user-accounts:
|
|
|
|
==============================
|
|
Local LDAP Linux User Accounts
|
|
==============================
|
|
|
|
You can manage regular Linux (shadow) user accounts on any host in the
|
|
cluster using standard Linux commands.
|
|
|
|
|
|
.. _local-and-ldap-linux-user-accounts-ul-zrv-zwf-mmb:
|
|
|
|
- Local Linux user accounts should NOT be configured, only use local |LDAP|
|
|
accounts for internal system purposes that would usually not be created by
|
|
an end-user.
|
|
|
|
- Password changes are not enforced automatically on the first login, and
|
|
they are not propagated by the system (only for 'sysadmin').
|
|
|
|
- **If the administrator wants to provision additional access to the system,
|
|
it is better to configure local |LDAP| Linux accounts.**
|
|
|
|
- |LDAP| accounts are centrally managed; changes made on any host are
|
|
propagated automatically to all hosts on the cluster.
|
|
|
|
- |LDAP| user accounts behave as any local user account. They can be added
|
|
to the sudoers list and can acquire OpenStack administration credentials.
|
|
|
|
- The initial password must be changed immediately upon the first login.
|
|
|
|
- Login sessions are logged out automatically after about 15 minutes of
|
|
inactivity.
|
|
|
|
- The accounts block following five consecutive unsuccessful login
|
|
attempts. They unblock automatically after a period of about five minutes.
|
|
|
|
- All authentication attempts are recorded on the file ``/var/log/auth.log``
|
|
of the target host.
|
|
|
|
|
|
.. note::
|
|
For security reasons, it is recommended that ONLY admin level users be
|
|
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
|
|
strictly use remote |CLIs| or remote web GUIs.
|
|
|
|
Operational complexity:
|
|
|
|
.. _local-and-ldap-linux-user-accounts-ul-bsv-zwf-mmb:
|
|
|
|
- Passwords aging is automatically configured.
|
|
|
|
- |LDAP| user accounts (operator, admin) are available by default on
|
|
newly deployed hosts. For increased security, the admin and operator
|
|
accounts must be used from the console ports of the hosts; no |SSH| access
|
|
is allowed.
|
|
|
|
- |prod| includes a script for creating |LDAP| Linux accounts with built-in
|
|
Keystone user support. It provides an interactive method for setting up
|
|
|LDAP| Linux user accounts with access to OpenStack commands. You can
|
|
assign a limited shell or a bash shell.
|
|
|
|
|