docs/doc/source/security/kubernetes/create-ldap-linux-accounts.rst
Keane Lim 3c5fa979a4 Security guide update
Re-organized topic hierarchy

Tiny edit to restart review workflow.

Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
2021-03-12 15:10:40 -05:00


Create LDAP Linux Accounts

StarlingX includes a script for creating LDAP Linux accounts with built-in Keystone user support.

The ldapusersetup command provides an interactive method for setting up LDAP Linux user accounts with access to StarlingX commands. You can assign a limited shell or a bash shell.

Users have the option of providing Keystone credentials at login, and can establish or change Keystone credentials at any time during a session. Keystone credentials persist for the duration of the session.

Centralized management is implemented using two LDAP servers, one running on each controller node. LDAP server synchronization is automatic using the native LDAP content synchronization protocol.

A set of LDAP commands is available to operate on LDAP user accounts. The commands are installed in the directory /usr/local/sbin, and are available to any user account in the sudoers list. Included commands are lsldap, ldapadduser, ldapdeleteuser, and several others starting with the prefix ldap.

Use the command option --help on any command to display a brief help message, as illustrated below.

$ ldapadduser --help
Usage : /usr/local/sbin/ldapadduser <username> <groupname | gid> [uid]
$ ldapdeleteuser --help
Usage : /usr/local/sbin/ldapdeleteuser <username | uid>

For convenience, use the user's Keystone account user name as the LDAP user name.

Note

There is a many-to-many relationship between Keystone user accounts and Linux user accounts. The same Keystone user account may be used from several Linux accounts: for example, a Keystone tenant user may be used by several Linux users, such as Kam, Greg, and Jim. Conversely, subject to the policy of the organization, three Keystone cloud users (Kam, Greg, and Jim) may share a single Linux account, operator. That is, Kam logs in to the system with the operator account and sources Kam's Keystone credentials; Jim also logs in with the operator account, but sources Jim's Keystone credentials. Because a shared Linux account cannot show who logged in, the Keystone credentials each person sources are what tie cloud actions to an individual.

  1. Log in as sysadmin, and start the ldapusersetup script.

    controller-0: ~$ sudo ldapusersetup
  2. Follow the interactive steps in the script.

    1. Provide a user name.

      Enter username to add to LDAP:

      For convenience, use the same name as the one assigned for the user's Keystone account (this example uses user1). When the LDAP user logs in and establishes Keystone credentials, the LDAP user name is offered as the default Keystone user name.

      Successfully added user user1 to LDAP
      Successfully set password for user user1
    2. Specify whether to provide a limited shell or a bash shell.

      Select Login Shell option # [2]:
      1) Bash
      2) Lshell

      To provide a limited shell with access to the StarlingX CLI only, select the Lshell option (the default).

      If you select Bash, you are also offered the option of adding the user to the sudoers list. A Bash user with sudo can run arbitrary commands as root on the controller, so reserve this combination for administrators:

      Add user1 to sudoer list? (yes/No):
    3. Specify whether to add the user to a secondary user group.

      Add user1 to secondary user group (yes/No):
    4. Set the password lifetime, in days, after which the user must change the password.

      Enter days after which user password must be changed [90]:
      Successfully modified user entry uid=user1, ou=People, dc=cgcs, dc=local in LDAP
      Updating password expiry to 90 days
    5. Set the warning period, in days before the password expires, during which the user is warned at login.

      Enter days before password is to expire that user is warned [2]:
      Updating password expiry to 2 days

On completion of the script, the command prompt is displayed.

controller-0: ~$

The LDAP account is created. For information about the user login process, see Establish Keystone Credentials from a Linux Account.
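The settings chosen in steps 2, 4 and 5 above end up as the loginShell, shadowMax and shadowWarning attributes of the user's entry under ou=People,dc=cgcs,dc=local. The following audit script is an added example, not part of the StarlingX documentation or code base: it parses LDIF of the kind ldapsearch returns for that subtree and reports, per account, whether the password lifetime and warning period match the defaults ldapusersetup offers, whether the password has already expired, and which accounts have a full Bash shell. The LDIF below is constructed, and the lshell path is an assumption (check getent passwd for a real account).

```python
import base64
from datetime import date

# Constructed sample LDIF, shaped like the output of
# ldapsearch -x -LLL -b ou=People,dc=cgcs,dc=local '(objectClass=posixAccount)'
# (entries trimmed to the attributes the audit needs; not from a real system).
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=cgcs,dc=local
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
loginShell: /usr/local/bin/lshell
shadowLastChange: 18650
shadowMax: 90
shadowWarning: 2

dn: uid=operator,ou=People,dc=cgcs,dc=local
objectClass: posixAccount
objectClass: shadowAccount
uid: operator
loginShell: /bin/bash
shadowLastChange: 18400
shadowMax: 90
shadowWarning: 2

dn: uid=svc,ou=People,dc=cgcs,dc=local
objectClass: posixAccount
objectClass: shadowAccount
uid: svc
loginShell: /bin/bash
shadowLastChange: 18400
"""

EXPECTED_MAX_DAYS = 90    # default offered by ldapusersetup (step 4)
EXPECTED_WARN_DAYS = 2    # default offered by ldapusersetup (step 5)
LSHELL = "/usr/local/bin/lshell"   # assumed path of the limited shell


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space) and base64 values
    ('attr:: ...') as emitted by ldapsearch; blank lines separate entries.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def days_since_epoch(d):
    """shadowLastChange is stored as days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days


def password_days_left(entry, today_epoch_day):
    """Days until the password expires (negative if already expired),
    or None when the entry carries no expiry policy."""
    if "shadowMax" not in entry or "shadowLastChange" not in entry:
        return None
    expires_on = int(entry["shadowLastChange"][0]) + int(entry["shadowMax"][0])
    return expires_on - today_epoch_day


def audit(entries, today):
    """Return {uid: [findings]}; an empty list means the account matches
    the policy ldapusersetup applies with its default answers."""
    today_epoch_day = days_since_epoch(today)
    report = {}
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        findings = []
        shell = e.get("loginShell", [""])[0]
        if shell != LSHELL:
            findings.append(f"full shell {shell}: review sudo membership")
        if e.get("shadowMax", [None])[0] != str(EXPECTED_MAX_DAYS):
            findings.append(f"shadowMax={e.get('shadowMax')} (expected {EXPECTED_MAX_DAYS})")
        if e.get("shadowWarning", [None])[0] != str(EXPECTED_WARN_DAYS):
            findings.append(f"shadowWarning={e.get('shadowWarning')} (expected {EXPECTED_WARN_DAYS})")
        left = password_days_left(e, today_epoch_day)
        if left is not None and left < 0:
            findings.append(f"password expired {-left} days ago")
        report[e["uid"][0]] = findings
    return report


if __name__ == "__main__":
    for uid, findings in audit(parse_ldif(SAMPLE_LDIF), date.today()).items():
        print(uid, "OK" if not findings else "; ".join(findings))
```

Run it against real output by piping ldapsearch into parse_ldif instead of SAMPLE_LDIF. Accounts without a shadowMax attribute never expire, which is the case the script guards against when it sets the 90-day lifetime; the audit flags them separately from accounts whose lifetime has simply run out.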