 296d24befc
			Change-Id: I19ca5684668aa1664e0cb7c78c5c8197ee69ac8b Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
	Create LDAP Linux Accounts
The platform includes a script for creating local LDAP Linux accounts.
Note
For security reasons, it is recommended that ONLY admin level users be allowed to log in to the nodes of the platform. Non-admin level users should strictly use remote CLIs or remote web GUIs.
Note
In a distributed cloud system configuration, the ldapusersetup command and the other commands that update data on the LDAP server are supported only on the System Controller. These commands are not supported on subclouds, because binding with a password file is supported only from the System Controller. On subclouds, only anonymous binds to the LDAP server are supported, so only the commands that read information can be executed.
The ldapusersetup command provides an interactive method for setting up Linux user accounts.
Centralized LDAP management is implemented using two LDAP servers, one running on each controller node. LDAP server synchronization is automatic, using the native LDAP content synchronization protocol.
A set of commands is available to operate on user accounts. The commands are installed in the directory /usr/local/sbin and are available to any user account in the sudoers list. Included commands are lsldap, ldapadduser, ldapdeleteuser, and several others starting with the prefix ldap.
Use the command option --help on any command to display a brief help message, as illustrated below.
$ ldapadduser --help
Usage : /usr/local/sbin/ldapadduser <username> <groupname | gid> [uid]
$ ldapdeleteuser --help
Usage : /usr/local/sbin/ldapdeleteuser <username | uid>
For convenience, use the user's Keystone account user name as the LDAP user name.

1. Log in as sysadmin, and start the ldapusersetup script.

   controller-0:~$ sudo ldapusersetup

2. Follow the interactive steps in the script.

   a. Provide a user name.

      Enter username to add to LDAP: teamadmin
      Successfully added user teamadmin to LDAP
      Successfully set password for user teamadmin
      Warning : password is reset, user will be asked to change password at login

   b. Specify whether the user should have sudo capabilities or not. Enabling sudo privileges allows the LDAP user to execute the following operations:

      - sw_patch to the unauthenticated endpoint
      - docker and/or crictl commands to communicate with the respective daemons
      - Utilities show-certs.sh and license-install (recovery only)
      - IP configuration for local network setup
      - Password change of local openldap users
      - Access to restricted files, for example restricted logs
      - Manual reboots

      Add teamadmin to sudoer list? (yes/NO): yes
      Successfully added sudo access for user teamadmin to LDAP

      Note
      There is another procedure to add sudo capabilities to a local Linux account. For details, see add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1. It is recommended to use either of the procedures but not both, to avoid overlapping.

   c. Specify a secondary user group for this user, for example the sys_protected group.

      The purpose of having OpenLDAP/WAD users as part of the sys_protected group on the platform is to allow them to execute system operations via source /etc/platform/openrc. An LDAP user in the sys_protected group is equivalent to the special sysadmin bootstrap user, and has the following:

      - Keystone admin/admin identity and credentials
      - Kubernetes /etc/kubernetes/admin.conf credentials

      Add teamadmin to secondary user group? (yes/NO): yes
      Secondary group to add user to? [sys_protected]:
      Successfully added user teamadmin to group cn=sys_protected,ou=Group,dc=cgcs,dc=local

      Note
      There is another procedure to add sys_protected capabilities to a local Linux account. For details, see add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1. It is recommended to use either of the procedures but not both, to avoid overlapping.

   d. Change the password duration.

      Enter days after which user password must be changed [90]:
      Successfully modified user entry uid=ldapuser1, ou=People, dc=cgcs, dc=local in LDAP
      Updating password expiry to 90 days

   e. Change the warning period before the password expires.

      Enter days before password is to expire that user is warned [2]:
      Successfully modified user entry uid=teamadmin,ou=People,dc=cgcs,dc=local in LDAP
      Updating password expiry to 2 days
 
On completion of the script, the command prompt is displayed.
controller-0: ~$
The local LDAP account is created. For information about the user login
process, see For StarlingX and Platform OpenStack CLIs from a Local LDAP
Linux Account Login <establish-keystone-credentials-from-a-linux-account>.
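An added audit helper, not part of the StarlingX documentation or project: given an LDIF export of the local OpenLDAP directory, it lists every member of the sys_protected group with that account's password expiry (shadowMax) and flags accounts whose expiry exceeds the 90-day default chosen in the procedure above. The attribute names (shadowMax, memberUid) are the standard shadowAccount and posixGroup schema; that the platform directory uses them, and the ldapsearch invocation in the comment, are assumptions, and the sample LDIF is constructed.

```shell
#!/bin/sh
# On a controller the LDIF would come from an export such as
#   sudo ldapsearch -x -LLL -b dc=cgcs,dc=local      (assumed invocation)
# The entries below are constructed sample data, not a real export.
SAMPLE_LDIF='dn: uid=teamadmin,ou=People,dc=cgcs,dc=local
uid: teamadmin
shadowMax: 90
shadowWarning: 2

dn: uid=ldapuser1,ou=People,dc=cgcs,dc=local
uid: ldapuser1
shadowMax: 99999
shadowWarning: 7

dn: cn=sys_protected,ou=Group,dc=cgcs,dc=local
cn: sys_protected
memberUid: teamadmin
memberUid: ldapuser1'

# audit_sys_protected LDIF [MAXDAYS]
# Prints "uid shadowMax STATUS" for each sys_protected member, in the
# order they appear in the group entry. STATUS is OK when shadowMax is
# set and at most MAXDAYS (default 90), otherwise TOO_LONG.
audit_sys_protected() {
    printf '%s\n' "$1" | awk -v limit="${2:-90}" '
    BEGIN { RS = ""; FS = "\n" }             # one LDIF entry per record
    {
        dn = ""; uid = ""; smax = ""; n = 0
        for (i = 1; i <= NF; i++) {
            k = $i; sub(/:.*/, "", k)          # attribute name
            v = $i; sub(/^[^:]*: */, "", v)    # attribute value (no base64 ::)
            if (k == "dn") dn = v
            else if (k == "uid") uid = v
            else if (k == "shadowMax") smax = v
            else if (k == "memberUid") mem[++n] = v
        }
        if (dn ~ /^cn=sys_protected,/) { for (i = 1; i <= n; i++) plist[++pc] = mem[i] }
        else if (uid != "") maxdays[uid] = smax
    }
    END {
        for (i = 1; i <= pc; i++) {
            u = plist[i]; d = maxdays[u]
            status = (d != "" && d + 0 <= limit) ? "OK" : "TOO_LONG"
            print u, (d == "" ? "unset" : d), status
        }
    }'
}

audit_sys_protected "$SAMPLE_LDIF"
```

A member with no shadowMax at all is reported as "unset" and flagged, since an account without an expiry never forces a password change.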
For managing composite Local Accounts (i.e. with associated Keystone
and Kubernetes accounts) for a standalone cloud or a distributed cloud,
see Manage Composite Local LDAP Accounts at Scale
<manage-local-ldap-39fe3a85a528>.