Difference between revisions of "Member management in LDAP and FreeIPA"
Jump to navigation
Jump to search
(Password resets! Whee!) |
m (Bot: Cosmetic changes) |
||
| (7 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
| − | = Adding members to LDAP = | + | __TOC__ |
| + | |||
| + | = Adding members to LDAP = | ||
This page is an overview of how we add members into our LDAP database. Currently, this grants access to the wiki, but our identification platform (FreeIPA) is flexible and feature-ful enough to expand to other tasks, including VPN accounts, computer logins, and badge access. | This page is an overview of how we add members into our LDAP database. Currently, this grants access to the wiki, but our identification platform (FreeIPA) is flexible and feature-ful enough to expand to other tasks, including VPN accounts, computer logins, and badge access. | ||
| Line 7: | Line 9: | ||
== Process == | == Process == | ||
| − | # Log in to https:// | + | # Log in to https://auth3.sshchicago.org. If you are on the Hackerspace network, you will get a certificate warning. If you are not, you won't. Disregard the certificate warning, or [[SSHCHICAGO.ORG Certificate Authority (CA)|Add the SSHCHICAGO.ORG Certificate Authority (CA)]] to your computer. |
| − | # On the Users screen, click Add. | + | # On the Users screen, click Add. |
| − | # Type in a username, First Name, Last Name, and a temporary password. We typically use a pattern of first intiial + last name for usernames, though we do permit users to request a new handle. Click Add. | + | # Type in a username, First Name, Last Name, and a temporary password. We typically use a pattern of first intiial + last name for usernames, though we do permit users to request a new handle. Click Add.[[File:Freeipa-add.png]] <br/> |
| − | # Click on the new user you just created. | + | # Click on the new user you just created. [[File:Freeipa-userlist.png]] |
| − | # Set the member's contact information, and click Update. | + | # Set the member's contact information, and click Update.[[File:Freeipa-contact.png]] |
# Send the user a welcome email! | # Send the user a welcome email! | ||
| − | Encourage the new member to visit https:// | + | Encourage the new member to visit https://auth3.sshchicago.org ASAP, where they will be prompted to enter a brand new password. |
= Resetting a users password = | = Resetting a users password = | ||
| Line 20: | Line 22: | ||
Particularly with administrative accounts, ensure that you are not being socially engineered! Validate that the requestor is who he/she says they are either in person, or through one or more methods (email, SMS, etc.) | Particularly with administrative accounts, ensure that you are not being socially engineered! Validate that the requestor is who he/she says they are either in person, or through one or more methods (email, SMS, etc.) | ||
| − | # Log in to https:// | + | # Log in to https://auth3.sshchicago.org. |
| − | # Find the user's account in the account list, click on it. | + | # Find the user's account in the account list, click on it. |
| − | # Under "Account Settings", on the right side, click Reset Password. | + | # Under "Account Settings", on the right side, click Reset Password. [[File:Freeipa-reset-password-link.png]] |
| − | # Type a new password, and supply to the user. | + | # Type a new password, and supply to the user.[[File:Freeipa-reset-password-dialog-box.png]] |
Encourage the new member to visit https://auth.sshchicago.org ASAP, where they will be prompted to enter a brand new password. | Encourage the new member to visit https://auth.sshchicago.org ASAP, where they will be prompted to enter a brand new password. | ||
| + | |||
| + | = Disabling a user = | ||
| + | If a user's membership lapses, their account should be Disabled. | ||
| + | |||
| + | * Go to https://auth3.sshchicago.org | ||
| + | * Find the user under the Identity > Users tab | ||
| + | * Click on the user to bring up their management page. | ||
| + | * In the "--select action--" pulldown, choose "Disable" and click Apply. | ||
| + | |||
| + | [[File:Ipa3 user disable.png]] | ||
| + | |||
| + | In the LDAP schema, this adjusts the <code>nsAccountLock</code> attribute to <code>TRUE</code>. | ||
| + | |||
| + | https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/nsAccountLock.html | ||
| + | |||
| + | [[Category:System Administration]] | ||
Latest revision as of 22:20, 27 February 2017
Adding members to LDAP
This page is an overview of how we add members into our LDAP database. Currently, this grants access to the wiki, but our identification platform (FreeIPA) is flexible and feature-ful enough to expand to other tasks, including VPN accounts, computer logins, and badge access.
All of the below procedures require special rights on the LDAP database. If you believe you should have these rights and do not, please send an email to tech@sshchicago.org.
Process
- Log in to https://auth3.sshchicago.org. If you are on the Hackerspace network, you will get a certificate warning. If you are not, you won't. Disregard the certificate warning, or Add the SSHCHICAGO.ORG Certificate Authority (CA) to your computer.
- On the Users screen, click Add.
- Type in a username, First Name, Last Name, and a temporary password. We typically use a pattern of first intiial + last name for usernames, though we do permit users to request a new handle. Click Add.
- Click on the new user you just created.
- Set the member's contact information, and click Update.
- Send the user a welcome email!
Encourage the new member to visit https://auth3.sshchicago.org ASAP, where they will be prompted to enter a brand new password.
Resetting a users password
Particularly with administrative accounts, ensure that you are not being socially engineered! Validate that the requestor is who he/she says they are either in person, or through one or more methods (email, SMS, etc.)
- Log in to https://auth3.sshchicago.org.
- Find the user's account in the account list, click on it.
- Under "Account Settings", on the right side, click Reset Password.
- Type a new password, and supply to the user.
Encourage the new member to visit https://auth.sshchicago.org ASAP, where they will be prompted to enter a brand new password.
Disabling a user
If a user's membership lapses, their account should be Disabled.
- Go to https://auth3.sshchicago.org
- Find the user under the Identity > Users tab
- Click on the user to bring up their management page.
- In the "--select action--" pulldown, choose "Disable" and click Apply.
In the LDAP schema, this adjusts the nsAccountLock attribute to TRUE.
