4.8.1. Managing Users with Lightweight Directory Access Protocol (LDAP)

4.8.1.1. Prepare SIMP ldifs

SIMP natively uses OpenLDAP for user and group management. Actionable copies of the LDAP Data Interchange Format (.ldif) files can be found on the system in the /usr/share/simp/ldifs directory. Copy these files into /root/ldifs and fix their Distinguished Names:

# mkdir /root/ldifs
# cp /usr/share/simp/ldifs/* /root/ldifs
# cd /root/ldifs
# sed -i 's/dc=your,dc=domain/<your actual DN information>/g' *.ldif

Warning

Do not leave any extraneous spaces in LDIF files!

Use :set list in vim to see hidden spaces at the end of lines.

Use the following to strip out inappropriate characters:

# sed -i \
    's/\\(^[[:graph:]]\*:\\)[[:space:]]\*\\ ([[:graph:]]\*\\) \\[[:space:]]\*$/\\1\\2/' \
    file.ldif

Note

Use the [ and ] characters to scroll horizontally when using ELinks.

4.8.1.2. Add a User

Users can be added with or without a password. Follow the instructions in the following sections.

Note

Every user must belong to a unique, primary group, but can optionally belong to one or more, secondary groups.

Warning

This process should not be used to create users or groups for daemon processes unless the user has experience.

4.8.1.2.1. Add a User with a Password

To add a user with a password to the system, along with a unique group for that user:

  1. Login to the LDAP server as root.

  2. Use the slappasswd command to generate a password hash for a user.

  3. Edit the /root/ldifs/add_user_with_password.ldif shown below.

    dn: cn=<username>,ou=Group,dc=your,dc=domain
    objectClass: posixGroup
    objectClass: top
    cn: <username>
    gidNumber: <Unique GID Number>
    description: "<Group Description>"
    
    dn: uid=<username>,ou=People,dc=your,dc=domain
    uid: <username>
    cn: <username>
    givenName: <First Name>
    sn: <Last Name>
    mail: <e-mail address>
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: ldapPublicKey
    shadowMax: 180
    shadowMin: 1
    shadowWarning: 7
    shadowLastChange: 10701
    sshPublicKey: <some SSH public key>
    loginShell: /bin/bash
    uidNumber: <some UID number above 1000>
    gidNumber: <GID number from above>
    homeDirectory: /home/<username>
    userPassword: <slappasswd generated SSHA hash>
    pwdReset: TRUE
    
  4. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/add_user_with_password.ldif
    

Ensure that an administrative account is created as soon as the SIMP system has been properly configured. Administrative accounts should belong to the administrators LDAP group (gidNumber 700). By default, Members of this group can directly access a privileged shell via sudo su -.

Note

The pwdReset: TRUE command causes the user to change the assigned password at the next login. This command is useful to pre-generate the password first and change it at a later time.

This command appears to be broken in some versions of nss_ldap. Therefore, to avoid future issues set shadowLastChange to a value around 10000.

Warning

The initial password set for a user must conform to the password policy or the user will not be able to login and change his/her password, even though the password reset has been enabled by pwdReset: TRUE.

4.8.1.2.2. Add a User without a Password

To add a user without a password to the system, along with a unique group for that user

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/add_user_no_password.ldif shown below.

    dn: cn=<username>,ou=Group,dc=your,dc=domain
    objectClass: posixGroup
    objectClass: top
    cn: <username>
    gidNumber: <Unique GID Number>
    description: "<Group Description>"
    
    dn: uid=<username>,ou=People,dc=your,dc=domain
    uid: <username>
    cn: <username>
    givenName: <First Name>
    sn: <Last Name>
    mail: <e-mail address>
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: ldapPublicKey
    sshPublicKey: <some SSH public key>
    loginShell: /bin/bash
    uidNumber: <some UID number above 1000>
    gidNumber: <GID number from above>
    homeDirectory: /home/<username>
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/add_user_no_password.ldif
    

4.8.1.3. Remove a User

To remove a user from the system, along with a unique group for that user:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/del_user.ldif shown below.

    dn: cn=<User UID>,ou=Group,dc=example,dc=domain
    changeType: delete
    
    dn: uid=<User UID>,ou=People,dc=example,dc=domain
    changeType: delete
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/del_user.ldif
    

4.8.1.4. Additional Common LDAP Operations

As described below, other useful operations can be executed using the remaining LDIF files.

4.8.1.4.1. Add a Group

SIMP systems are preconfigured with two groups:

  • administrators (700): Group that has ssh and privilege escalation privileges

  • users (100): Group that does not have ssh or privilege escalation privileges

To add another group:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/add_group.ldif shown below.

    dn: cn=<groupname>,ou=Group,dc=your,dc=domain
    objectClass: posixGroup
    objectClass: top
    cn: <groupname>
    gidNumber: <Unique GID number>
    description: "<Some useful group description>"
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/add_group.ldif
    

4.8.1.4.2. Remove a Group

To remove a group:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/del_group.ldif shown below.

    dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
    changetype: delete
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/del_group.ldif
    

4.8.1.4.3. Add Users to a Group

To add users to a group:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/add_to_group.ldif shown below.

    dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
    changetype: modify
    add: memberUid
    memberUid: <UID1>
    memberUid: <UID2>
    ...
    memberUid: <UIDX>
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/add_to_group.ldif
    

4.8.1.4.4. Remove Users from a Group

To remove users from a group:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/del_to_group.ldif shown below.

    dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
    changetype: modify
    delete: memberUid
    memberUid: <UID1>
    memberUid: <UID2>
    ...
    memberUid: <UIDX>
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/del_from_group.ldif
    

4.8.1.4.5. Update a User’s SSH Public Key

To update an SSH public key:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/mod_sshkey.ldif shown below.

    dn: uid=<User UID>,ou=People,dc=your,dc=domain
    changetype: modify
    replace: sshPublicKey
    sshPublicKey: <User OpenSSH Public Key>
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldif/mod_sshkey.ldif
    

4.8.1.4.6. Force a Password Reset

To force a password reset for a user:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/force_password_reset.ldif shown below.

    dn: uid=<username>,ou=People,dc=your,dc=domain
    changetype: modify
    replace: pwdReset
    pwdReset: TRUE
    -
    replace: shadowLastChange
    shadowLastChange: 10101
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/force_password_reset.ldif
    

Note

The ldapmodify command is only effective when using the ppolicy overlay. In addition, the user’s shadowLastChange must be changed to a value prior to the expiration date to force a PAM reset.

4.8.1.4.7. Lock an LDAP Account

To lock an LDAP account:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/lock_user.ldif shown below.

    dn: uid=<username>,ou=People,dc=your,dc=domain
    changetype: modify
    replace: pwdAccountLockedTime
    pwdAccountLockedTime: 000001010000Z
    -
    delete: sshPublicKey
    -
    replace: userPassword
    userPassword: !!
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/lock_user.ldif
    

Note

The ldapmodify command is only effective when using the ppolicy overlay.

4.8.1.4.8. Unlock an LDAP Account

To unlock an LDAP account:

  1. Login to the LDAP server as root.

  2. Edit the /root/ldifs/unlock_account.ldif shown below.

    dn: uid=<User UID>,ou=People,dc=your,dc=domain
    changetype: modify
    delete: pwdAccountLockedTime
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    # ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
      -f /root/ldifs/unlock_account.ldif
    

Note

The ldapmodify command is only effective when using the ppolicy overlay.

4.8.1.5. Troubleshooting Issues

If a user’s password is changed in LDAP or the user changes it shortly after its initial set up, the “Password too young to change” error may appear. In this situation, apply the pwdReset:TRUE option to the user’s account as described in Add a User with a Password.