979635b9e1
Added a new section "Create LDAP Linux Groups" in the Starlingx Security documentation for creation and management of LDAP Linux groups (stx 9). Story: 2010738 Task: 49505 Change-Id: I31abf4ff1e01e0209e95857384b76937dee29967 Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
108 lines
3.3 KiB
ReStructuredText
108 lines
3.3 KiB
ReStructuredText
|
|
.. vaq1552681912484
|
|
.. _create-ldap-linux-groups-4c94045f8ee0:
|
|
|
|
==========================
|
|
Create LDAP Linux Groups
|
|
==========================
|
|
|
|
|prod| offers |LDAP| commands to create and manage |LDAP| Linux groups as part of the `ldapscripts` library.
|
|
|
|
.. rubric:: |context|
|
|
|
|
.. note::
|
|
For security reasons, it is recommended that ONLY admin level users be
|
|
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
|
|
strictly use remote CLIs or remote web GUIs.
|
|
|
|
The main commands that manage |LDAP| Linux groups are: ``ldapaddgroup`` ,
|
|
``ldapaddusertogroup``, ``ldapdeletegroup``, ``ldapdeleteuserfromgroup``.
|
|
|
|
To list all the commands in the `ldapscripts` library, the following command
|
|
can be used:
|
|
|
|
.. code-block:: none
|
|
|
|
sysadmin@controller-0:~$ ls /usr/sbin/ldap*
|
|
/usr/sbin/ldapaddgroup /usr/sbin/ldapid
|
|
/usr/sbin/ldapaddmachine /usr/sbin/ldapinit
|
|
/usr/sbin/ldapaddsudo /usr/sbin/ldapmodifygroup
|
|
/usr/sbin/ldapadduser /usr/sbin/ldapmodifymachine
|
|
/usr/sbin/ldapaddusertogroup /usr/sbin/ldapmodifysudo
|
|
/usr/sbin/ldapdeletegroup /usr/sbin/ldapmodifyuser
|
|
/usr/sbin/ldapdeletemachine /usr/sbin/ldaprenamegroup
|
|
/usr/sbin/ldapdeletesudo /usr/sbin/ldaprenamemachine
|
|
/usr/sbin/ldapdeleteuser /usr/sbin/ldaprenameuser
|
|
/usr/sbin/ldapdeleteuserfromgroup /usr/sbin/ldapsetpasswd
|
|
/usr/sbin/ldapfinger /usr/sbin/ldapsetprimarygroup
|
|
/usr/sbin/ldapgid /usr/sbin/ldapusersetup
|
|
|
|
The |LDAP| commands usage information can be found from man pages or using
|
|
the "--help" option. For example, this is the usage information for creating
|
|
or adding a |LDAP| Linux group.
|
|
|
|
.. code-block:: none
|
|
|
|
sysadmin@controller-0:~$ ldapaddgroup --help
|
|
Usage : /usr/sbin/ldapaddgroup <groupname> [gid]
|
|
|
|
sysadmin@controller-0:~$ man ldapaddgroup
|
|
ldapaddgroup(1) General Commands Manual
|
|
ldapaddgroup(1)
|
|
NAME
|
|
ldapaddgroup - adds a POSIX group entry to LDAP.
|
|
|
|
SYNOPSIS
|
|
ldapaddgroup <groupname> [gid]
|
|
|
|
OPTIONS
|
|
<groupname>
|
|
The name of the group to add.
|
|
[gid] The gid of the group to add. Automatically computed if
|
|
not specified.
|
|
|
|
|LDAP| Linux group command examples:
|
|
|
|
Create a group
|
|
|
|
.. code-block:: none
|
|
|
|
$ sudo ldapaddgroup group-test
|
|
Successfully added group group-test to LDAP
|
|
|
|
Add a user to the group
|
|
|
|
.. code-block:: none
|
|
|
|
$ sudo ldapaddusertogroup user-test group-test
|
|
Successfully added user user-test to group cn=group-test,ou=Group,
|
|
dc=cgcs,dc=local
|
|
|
|
Delete a user membership from the group
|
|
|
|
.. code-block:: none
|
|
|
|
sysadmin@controller-0:~$ ldapdeleteuserfromgroup --help
|
|
Usage : /usr/sbin/ldapdeleteuserfromgroup <username | dn> <groupname | gid>
|
|
$ sudo ldapdeleteuserfromgroup user-test group-test
|
|
Successfully deleted user user-test from group cn=group-test,ou=Group,
|
|
dc=cgcs,dc=local
|
|
|
|
Delete a group
|
|
|
|
.. code-block:: none
|
|
|
|
sysadmin@controller-0:~$ ldapdeletegroup --help
|
|
Usage : /usr/sbin/ldapdeletegroup <groupname | gid>
|
|
$ sudo ldapdeletegroup group-test
|
|
Successfully deleted group cn=group-test,ou=Group,dc=cgcs,dc=local
|
|
from LDAP
|
|
|
|
After the execution of a |LDAP| Linux group command, the command prompt is
|
|
displayed.
|
|
|
|
.. code-block:: none
|
|
|
|
controller-0: ~$
|
|
|