docs/doc/source/planning/kubernetes/local-and-ldap-linux-user-accounts.rst
Oliver 73e7f8ef4c Security Planning shall support customer expectations
Epic: Security Planning shall support expectations presented in pre-sales presentations.
Updated with review comments for Patch set 4
Updated with review comments for Patch set 3
Updated with review comments from Patch set 2
Updated with review comments from Patch set 1
Added summaries of items raised in pre-sales presentations

Change-Id: Ic1e458dfd57ad7ab18923f3a1756007ad717efe1
2022-06-23 14:09:03 -04:00


Local LDAP Linux User Accounts

You can manage regular Linux (shadow) user accounts on any host in the cluster using standard Linux commands.

  • Local Linux user accounts should NOT be configured for end users. Use local accounts only for internal system purposes that an end user would not normally need to create.
  • Password changes are not enforced automatically on the first login, and they are not propagated by the system (only for 'sysadmin').
  • If the administrator wants to provision additional access to the system, it is better to configure local LDAP Linux accounts.
  • These accounts are centrally managed; changes made on any host are propagated automatically to all hosts in the cluster.
  • These user accounts behave like any local user account. They can be added to the sudoers list and can acquire OpenStack administration credentials.
  • The initial password must be changed immediately upon the first login.
  • Login sessions are logged out automatically after about 15 minutes of inactivity.
  • Accounts are blocked after five consecutive unsuccessful login attempts. They are unblocked automatically after a period of about five minutes.
  • All authentication attempts are recorded in the file /var/log/auth.log of the target host.
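Because every authentication attempt lands in /var/log/auth.log, an administrator can watch the failure streaks that trigger the five-attempt block described above. The following parser is an added example, not code from the original page or the product it documents: it replays sshd lines in OpenSSH's standard "Failed password for" / "Accepted password for" form, keeps a per-account count of consecutive failures (a successful login resets it), and reports accounts whose streak has reached the page's threshold. The hostnames, PIDs and addresses in the sample lines are constructed.

```python
"""Track consecutive failed logins per account from auth.log-style lines.

Added example (not part of the original page). The page states that all
authentication attempts are recorded in /var/log/auth.log and that an account
is blocked after five consecutive unsuccessful attempts; this script shows how
an operator could spot such streaks from the log alone.
"""
import re
from collections import defaultdict

# Consecutive failures after which the page says an account is blocked.
LOCKOUT_THRESHOLD = 5

# Line shapes written by OpenSSH's sshd; "invalid user" is added for unknown names.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+)")


def streaks(lines):
    """Replay log lines in order and return {user: current consecutive failures}.

    A successful login resets that user's streak to zero; lines that are not
    sshd authentication events are ignored.
    """
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            counts[m.group(1)] = 0
    return dict(counts)


def locked_accounts(lines, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose current streak has reached the block threshold, sorted."""
    return sorted(user for user, n in streaks(lines).items() if n >= threshold)


# Constructed sample log lines (hostname, PIDs and addresses are made up).
SAMPLE_LOG = [
    "Jun 23 14:09:03 controller-0 sshd[2101]: Failed password for alice from 10.0.0.5 port 50000 ssh2",
    "Jun 23 14:09:07 controller-0 sshd[2101]: Failed password for alice from 10.0.0.5 port 50000 ssh2",
    "Jun 23 14:09:15 controller-0 sshd[2104]: Accepted password for alice from 10.0.0.5 port 50002 ssh2",
    "Jun 23 14:10:01 controller-0 sshd[2110]: Failed password for bob from 10.0.0.9 port 50100 ssh2",
    "Jun 23 14:10:04 controller-0 sshd[2110]: Failed password for bob from 10.0.0.9 port 50100 ssh2",
    "Jun 23 14:10:08 controller-0 sshd[2113]: Failed password for bob from 10.0.0.9 port 50101 ssh2",
    "Jun 23 14:10:12 controller-0 sshd[2113]: Failed password for bob from 10.0.0.9 port 50101 ssh2",
    "Jun 23 14:10:20 controller-0 sshd[2116]: Failed password for bob from 10.0.0.9 port 50102 ssh2",
    "Jun 23 14:11:00 controller-0 sshd[2120]: Failed password for invalid user mallory from 10.0.0.12 port 50200 ssh2",
    "Jun 23 14:11:03 controller-0 sshd[2120]: Failed password for invalid user mallory from 10.0.0.12 port 50200 ssh2",
    "Jun 23 14:11:06 controller-0 sshd[2120]: Failed password for invalid user mallory from 10.0.0.12 port 50200 ssh2",
    "Jun 23 14:11:30 controller-0 CRON[2130]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    # To run against a real host, replace SAMPLE_LOG with open("/var/log/auth.log").
    for user, n in sorted(streaks(SAMPLE_LOG).items()):
        print(f"{user}: {n} consecutive failure(s)")
    print("at block threshold:", locked_accounts(SAMPLE_LOG))
```

The script is deliberately limited to password and public-key events from sshd; console logins and sudo records also appear in auth.log but are written by other PAM modules with different line shapes, so an operator extending this check would add patterns for those rather than loosen the two expressions above.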

Note

For security reasons, it is recommended that ONLY admin level users be allowed to to the nodes of the . Non-admin level users should strictly use remote or remote web GUIs.

Operational complexity:

  • Password aging is configured automatically.
  • user accounts (operator, admin) are available by default on newly deployed hosts. For increased security, the admin and operator accounts must be used from the console ports of the hosts; no access is allowed.
  • includes a script for creating Linux accounts with built-in Keystone user support. It provides an interactive method for setting up Linux user accounts with access to OpenStack commands. You can assign a limited shell or a bash shell.