.. xgp1595963622893
.. _local-and-ldap-linux-user-accounts:

==============================
Local LDAP Linux User Accounts
==============================

You can manage regular Linux \(shadow\) user accounts on any host in the
cluster using standard Linux commands.
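
Before adding or reviewing such accounts, it helps to see which local \(shadow\) accounts already exist on a host and which of them have no password aging. The following script is an added example, not code from the |prod| page or project: it filters a passwd-format file for login-capable regular-user accounts and joins it with a shadow-format file to flag accounts whose maximum password age is unset or 99999. The `MIN_USER_UID` value, the function names, and the two sample files are assumptions made for the example; on a real host you would pass `/etc/passwd` and \(as root\) `/etc/shadow`.

```shell
#!/bin/sh
# Added example (not part of the StarlingX page): audit local (shadow) user
# accounts on a host. local_login_accounts lists passwd entries that look like
# end-user logins (regular-user UID, interactive shell); the second function
# keeps only those whose shadow entry never expires the password.
# The sample passwd/shadow content below is constructed, not captured.

MIN_USER_UID=1000     # assumption: first regular-user UID on Debian-style hosts

# Usage: local_login_accounts PASSWD_FILE
# Prints "name uid shell" for login-capable regular-user accounts, sorted.
local_login_accounts() {
    awk -F: -v min="$MIN_USER_UID" '
    $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1, $3, $7 }' "$1" | sort
}

# Usage: local_accounts_without_aging PASSWD_FILE SHADOW_FILE
# Same filter, restricted to accounts whose shadow max-days field (5th field)
# is empty or 99999, i.e. the password never expires. Prints "name uid max_days".
local_accounts_without_aging() {
    awk -F: -v min="$MIN_USER_UID" '
    NR == FNR { maxdays[$1] = $5; next }                # first file: shadow
    $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ {
        m = ($1 in maxdays) ? maxdays[$1] : ""
        if (m == "" || m == 99999) print $1, $3, (m == "" ? "none" : m)
    }' "$2" "$1" | sort
}

# Constructed sample /etc/passwd (hashes and real users omitted on purpose).
make_sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sysadmin:x:1000:1000::/home/sysadmin:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
bob:x:1002:1002::/home/bob:/bin/sh
svcbackup:x:1003:1003::/var/lib/svcbackup:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Constructed sample /etc/shadow: sysadmin has a 45-day max age, jdoe has
# 99999 (effectively none), bob has the field empty.
make_sample_shadow() {
    cat <<'EOF'
root:*:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
sysadmin:HASH:19500:1:45:7:::
jdoe:HASH:19500:0:99999:7:::
bob:HASH:19500:0::7:::
svcbackup:!:19500:0:99999:7:::
nobody:*:19500:0:99999:7:::
EOF
}

# Run against the constructed samples when executed directly; call the two
# functions with /etc/passwd and /etc/shadow to audit a real host.
pw=$(mktemp); sh=$(mktemp)
make_sample_passwd > "$pw"; make_sample_shadow > "$sh"
echo "login-capable local accounts:";  local_login_accounts "$pw"
echo "without password aging:";        local_accounts_without_aging "$pw" "$sh"
rm -f "$pw" "$sh"
```

On a |prod| host the bootstrap account `sysadmin` is expected in the first list; any other entry is a candidate for removal or migration to a local |LDAP| account, and anything in the second list has no aging enforced at all.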


.. _local-and-ldap-linux-user-accounts-ul-zrv-zwf-mmb:

-   Local Linux user accounts should NOT be configured for end users. Reserve
    local \(shadow\) accounts for internal system purposes, that is, accounts
    an end user would not normally create, and use local |LDAP| accounts for
    everything else.

-   For local Linux accounts, a password change is not enforced on the first
    login, and password changes are not propagated to other hosts by the
    system \(only the 'sysadmin' password is propagated\).

-   **If the administrator wants to provision additional access to the system, it is better to configure local LDAP Linux accounts.**

-   |LDAP| accounts are centrally managed; changes made on any host are
    propagated automatically to all hosts on the cluster.

-   |LDAP| user accounts behave like any local user account: they can be added
    to the sudoers list and can acquire OpenStack administration credentials.

-   The initial password must be changed immediately upon the first login.

-   Login sessions are logged out automatically after about 15 minutes of
    inactivity.

-   Accounts are locked after five consecutive unsuccessful login attempts and
    unlock automatically after about five minutes.

-   All authentication attempts are recorded in /var/log/auth.log on the
    target host.
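
The lockout rule and the auth.log record above can be checked together. The script below is an added example, not code from the |prod| page or project: it scans sshd entries in an auth.log-style file, tracks each user's run of consecutive failed attempts, resets the run on a successful login, and reports the users and timestamps at which the five-failure threshold was reached. The function names and the sample log lines are constructed for the example; the real PAM counter also sees console and other non-SSH logins and clears on the unlock timeout, so this is a log-side approximation, not a read of the counter itself.

```shell
#!/bin/sh
# Added example (not part of the StarlingX page): find users whose run of
# consecutive failed SSH logins reached the lockout threshold, from the sshd
# lines that /var/log/auth.log records on the target host. A successful login
# resets the run. The log lines below are constructed samples, not a capture.

LOCKOUT_THRESHOLD=5   # five consecutive failures, as stated on the page

# Usage: locked_out_users LOG_FILE
# Prints "user Mon DD HH:MM:SS" (timestamp of the failure that reached the
# threshold) for each affected user, sorted by name.
locked_out_users() {
    awk -v t="$LOCKOUT_THRESHOLD" '
    / sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
        # user name follows "for"; unknown accounts log "for invalid user NAME"
        for (i = 1; i <= NF; i++)
            if ($i == "for") { u = $(i + 1); if (u == "invalid") u = $(i + 3); break }
        if ($6 == "Failed") {
            streak[u]++
            if (streak[u] >= t && !(u in hit)) hit[u] = $1 " " $2 " " $3
        } else {
            streak[u] = 0        # successful login resets the run
        }
    }
    END { for (u in hit) print u, hit[u] }' "$1" | sort
}

# Usage: failed_attempts_by_user LOG_FILE
# Prints "user count" (total failed attempts, consecutive or not), sorted.
failed_attempts_by_user() {
    awk '
    / sshd\[[0-9]+\]: Failed (password|publickey) for / {
        for (i = 1; i <= NF; i++)
            if ($i == "for") { u = $(i + 1); if (u == "invalid") u = $(i + 3); break }
        n[u]++
    }
    END { for (u in n) print u, n[u] }' "$1" | sort
}

# Constructed sample: operator fails 5 times in a row; admin fails 3 times,
# succeeds, then fails twice (run reset, no lockout); an unknown user
# "backup" fails 5 times.
make_sample_log() {
    cat <<'EOF'
Jun 10 08:01:12 controller-0 sshd[2311]: Failed password for operator from 10.10.10.5 port 51214 ssh2
Jun 10 08:01:19 controller-0 sshd[2311]: Failed password for operator from 10.10.10.5 port 51214 ssh2
Jun 10 08:01:26 controller-0 sshd[2311]: Failed password for operator from 10.10.10.5 port 51214 ssh2
Jun 10 08:01:33 controller-0 sshd[2315]: Failed password for operator from 10.10.10.5 port 51220 ssh2
Jun 10 08:01:40 controller-0 sshd[2315]: Failed password for operator from 10.10.10.5 port 51220 ssh2
Jun 10 08:02:03 controller-0 sshd[2320]: Failed password for admin from 10.10.10.6 port 51230 ssh2
Jun 10 08:02:10 controller-0 sshd[2320]: Failed password for admin from 10.10.10.6 port 51230 ssh2
Jun 10 08:02:17 controller-0 sshd[2320]: Failed password for admin from 10.10.10.6 port 51230 ssh2
Jun 10 08:02:24 controller-0 sshd[2320]: Accepted password for admin from 10.10.10.6 port 51230 ssh2
Jun 10 08:02:24 controller-0 sshd[2320]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jun 10 08:02:50 controller-0 sshd[2326]: Failed password for admin from 10.10.10.6 port 51240 ssh2
Jun 10 08:02:57 controller-0 sshd[2326]: Failed password for admin from 10.10.10.6 port 51240 ssh2
Jun 10 08:03:02 controller-0 sshd[2330]: Failed password for invalid user backup from 10.10.10.9 port 40000 ssh2
Jun 10 08:03:09 controller-0 sshd[2330]: Failed password for invalid user backup from 10.10.10.9 port 40000 ssh2
Jun 10 08:03:16 controller-0 sshd[2330]: Failed password for invalid user backup from 10.10.10.9 port 40000 ssh2
Jun 10 08:03:23 controller-0 sshd[2330]: Failed password for invalid user backup from 10.10.10.9 port 40000 ssh2
Jun 10 08:03:30 controller-0 sshd[2330]: Failed password for invalid user backup from 10.10.10.9 port 40000 ssh2
EOF
}

# Run against the constructed sample when executed directly; call
# locked_out_users /var/log/auth.log to scan a real host.
sample=$(mktemp)
make_sample_log > "$sample"
echo "users that hit the lockout threshold:"; locked_out_users "$sample"
echo "failed attempts per user:";             failed_attempts_by_user "$sample"
rm -f "$sample"
```

The reported timestamp is when the lock would have engaged; given the roughly five-minute automatic unlock, anything still failing well after that window points at a client retrying with a stale credential or at a guessing attempt rather than a single mistyped password.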


.. note::
    For security reasons, it is recommended that ONLY admin level users be
    allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
    strictly use remote |CLIs| or remote web GUIs.

Operational complexity:

.. _local-and-ldap-linux-user-accounts-ul-bsv-zwf-mmb:

-   Password aging is configured automatically.

-   |LDAP| user accounts \(operator, admin\) are available by default on
    newly deployed hosts. For increased security, the admin and operator
    accounts must be used from the console ports of the hosts; no |SSH| access
    is allowed.

-   |prod| includes a script for creating |LDAP| Linux accounts with built-in
    Keystone user support. It provides an interactive method for setting up
    |LDAP| Linux user accounts with access to OpenStack commands. You can
    assign a limited shell or a bash shell.