Create LDAP Linux Accounts¶
StarlingX includes a script for creating LDAP Linux accounts.
About this task
Note
For security reasons, it is recommended that ONLY admin-level users be allowed to SSH to the StarlingX nodes. Non-admin users should use only the remote CLIs or remote web GUIs.
Note
In a Distributed Cloud system configuration, the ldapusersetup command and the other LDAP commands that update data on the LDAP server are supported only on the System Controller. These commands are not supported on subclouds, because binding with a password file is supported only from the System Controller. On subclouds, only anonymous bind to the LDAP server is supported, so only the commands that read information can be executed there.
The ldapusersetup command provides an interactive method for setting up LDAP Linux user accounts.
Centralized management is implemented using two LDAP servers, one running on each controller node. LDAP server synchronization is automatic using the native LDAP content synchronization protocol.
A set of LDAP commands is available to operate on LDAP user accounts. The commands are installed in the directory /usr/local/sbin, and are available to any user account in the sudoers list. Included commands are lsldap, ldapadduser, ldapdeleteuser, and several others starting with the prefix ldap.
Use the --help option on any of these commands to display a brief usage message, as illustrated below.
$ ldapadduser --help
Usage : /usr/local/sbin/ldapadduser <username> <groupname | gid> [uid]
$ ldapdeleteuser --help
Usage : /usr/local/sbin/ldapdeleteuser <username | uid>
Prerequisites
For convenience, identify the user’s Keystone account user name in StarlingX.
Procedure
Log in as sysadmin, and start the ldapusersetup script.
controller-0: ~$ sudo ldapusersetup
Follow the interactive steps in the script.
Provide a user name.
Enter username to add to LDAP: teamadmin
Successfully added user teamadmin to LDAP
Successfully set password for user teamadmin
Warning : password is reset, user will be asked to change password at login
Specify whether the user should have sudo capabilities or not. Enabling sudo privileges allows the LDAP user to execute the following operations:
- sw_patch to unauthenticated endpoint
- docker and/or crictl commands to communicate with the respective daemons
- Utilities show-certs.sh and license-install (recovery only)
- IP configuration for local network setup
- Password change of local openldap users
- Access to restricted files, example: restricted logs
- Manual reboots
Add teamadmin to sudoer list? (yes/NO): yes
Successfully added sudo access for user teamadmin to LDAP
Note
There is another procedure to add sudo capabilities to a local LDAP Linux account. For details, see Add LDAP Users to Linux Groups Using PAM Configuration. It is recommended to use either of the procedures but not both, to avoid overlap.
Specify a secondary user group for this LDAP user. For example, the sys_protected group.
The purpose of having OpenLDAP/WAD users as part of the sys_protected group on the StarlingX platform is to allow them to execute StarlingX system operations via source /etc/platform/openrc. An LDAP user in the sys_protected group is equivalent to the special sysadmin bootstrap user and has the following:
- Keystone admin/admin identity and credentials
- Kubernetes /etc/kubernetes/admin.conf credentials
Membership in sys_protected therefore grants full platform and Kubernetes cluster administrative access; grant it only to users who require it.
Add teamadmin to secondary user group? (yes/NO): yes
Secondary group to add user to? [sys_protected]:
Successfully added user teamadmin to group cn=sys_protected,ou=Group,dc=cgcs,dc=local
Note
There is another procedure to add sys_protected capabilities to a local LDAP Linux account. For details, see Add LDAP Users to Linux Groups Using PAM Configuration. It is recommended to use either of the procedures but not both, to avoid overlap.
Change the password duration.
Enter days after which user password must be changed [90]:
Successfully modified user entry uid=teamadmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Change the warning period before the password expires.
Enter days before password is to expire that user is warned [2]:
Successfully modified user entry uid=teamadmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
On completion of the script, the command prompt is displayed.
controller-0: ~$
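After the script finishes, it is worth confirming that the account looks the way the prompts said it would before handing out the credentials. The following shell script is an added example, not part of the StarlingX documentation or its ldap* tooling. It parses ldapsearch-style LDIF for the user and group entries and checks the points that matter from the procedure above: the user entry exists, password ageing is set, and whether the user landed in sys_protected. The LDIF text is constructed for this example (it mirrors the DNs shown in the procedure), the ldapsearch invocations in the comments are standard OpenLDAP client usage, and it is an assumption that ldapusersetup records the ageing values in the standard shadowAccount attributes shadowMax, shadowWarning and shadowLastChange.

```shell
#!/bin/sh
# Added example: verify the outcome of ldapusersetup from LDIF output.
# The LDIF below is CONSTRUCTED for this example and is not captured from a
# StarlingX controller. On a live system you would capture it with, e.g.:
#   ldapsearch -x -LLL -b 'ou=People,dc=cgcs,dc=local' '(uid=teamadmin)'
#   ldapsearch -x -LLL -b 'ou=Group,dc=cgcs,dc=local' '(cn=sys_protected)'
# Assumption: the ageing values are stored as shadowAccount attributes.

SAMPLE_USER_LDIF='dn: uid=teamadmin,ou=People,dc=cgcs,dc=local
objectClass: posixAccount
objectClass: shadowAccount
uid: teamadmin
uidNumber: 10002
gidNumber: 100
shadowMax: 90
shadowWarning: 2
shadowLastChange: 0'

SAMPLE_GROUP_LDIF='dn: cn=sys_protected,ou=Group,dc=cgcs,dc=local
objectClass: posixGroup
cn: sys_protected
memberUid: sysadmin
memberUid: teamadmin'

# ldif_attr LDIF ATTR -> print every value of ATTR in the entry, one per line.
ldif_attr() {
    printf '%s\n' "$1" | awk -v a="$2" -F': ' '$1 == a { print $2 }'
}

# is_member GROUP_LDIF USER -> succeed if USER is a memberUid of the group.
is_member() {
    ldif_attr "$1" memberUid | grep -qx -- "$2"
}

# check_account USER_LDIF GROUP_LDIF USER -> report findings; return 0 if the
# account matches what the procedure is expected to produce.
check_account() {
    user_ldif=$1; group_ldif=$2; user=$3; status=0
    if [ "$(ldif_attr "$user_ldif" uid)" != "$user" ]; then
        echo "FAIL: no entry for uid=$user"
        return 1
    fi
    max=$(ldif_attr "$user_ldif" shadowMax)
    warn=$(ldif_attr "$user_ldif" shadowWarning)
    last=$(ldif_attr "$user_ldif" shadowLastChange)
    # 90 days is the default the script offers; anything unset or longer fails.
    case $max in
        ''|*[!0-9]*) echo "FAIL: shadowMax not set"; status=1 ;;
        *) [ "$max" -le 90 ] || { echo "FAIL: shadowMax=$max exceeds 90"; status=1; } ;;
    esac
    [ -n "$warn" ] || { echo "FAIL: shadowWarning not set"; status=1; }
    # Under standard shadow semantics a last-change of 0 forces a password
    # change at next login, matching the script's warning after the reset.
    [ "$last" = "0" ] && echo "INFO: $user must change password at first login"
    if is_member "$group_ldif" "$user"; then
        echo "INFO: $user is in sys_protected (admin-equivalent: openrc + admin.conf)"
    else
        echo "INFO: $user is not in sys_protected"
    fi
    [ "$status" -eq 0 ] && echo "OK: $user"
    return "$status"
}

check_account "$SAMPLE_USER_LDIF" "$SAMPLE_GROUP_LDIF" teamadmin
```

Run it on a System Controller (or on a subcloud, since it only needs anonymous, read-only access) after the procedure; a user who was not meant to receive admin-equivalent access but shows up in sys_protected should be removed from the group before the account is used.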
Results
The Local LDAP account is created. For information about the user login process, see For StarlingX and Platform OpenStack CLIs from a Local LDAP Linux Account Login.
For managing composite Local LDAP Accounts (i.e. with associated Keystone and Kubernetes accounts) for a standalone cloud or a distributed cloud, see Manage Composite Local LDAP Accounts at Scale.