Member management in LDAP and FreeIPA

From sshcWiki

Adding members to LDAP

This page is an overview of how we add members to our LDAP database. Currently this grants access to the wiki, but our identity platform (FreeIPA) is flexible and featureful enough to expand to other tasks, including VPN accounts, computer logins, and badge access.

All of the below procedures require special rights on the LDAP database. If you believe you should have these rights and do not, please send an email to tech@sshchicago.org.

Process

  1. Log in to https://auth3.sshchicago.org. If you are on the Hackerspace network, you will get a certificate warning; if you are not, you won't. The preferred fix is to add the SSHCHICAGO.ORG Certificate Authority (CA) to your computer so the site validates cleanly. Only disregard the warning if you have checked that the presented certificate chains to that CA: clicking through certificate warnings out of habit is exactly what a man-in-the-middle attack on the login page relies on.
  2. On the Users screen, click Add.
  3. Type in a username, First Name, Last Name, and a temporary password. We typically use a pattern of first initial + last name for usernames, though we do permit users to request a different handle. Click Add. (Screenshot: Freeipa-add.png)
  4. Click on the new user you just created. (Screenshot: Freeipa-userlist.png)
  5. Set the member's contact information, and click Update. (Screenshot: Freeipa-contact.png)
  6. Send the user a welcome email!

Encourage the new member to visit https://auth3.sshchicago.org ASAP, where they will be prompted to enter a brand new password.

Resetting a user's password

Particularly with administrative accounts, ensure that you are not being socially engineered! Validate that the requestor is who they say they are, either in person or through one or more out-of-band methods (email, SMS, etc.) using the contact details already on file for the account, not details supplied in the request itself.

  1. Log in to https://auth3.sshchicago.org.
  2. Find the user's account in the account list, click on it.
  3. Under "Account Settings", on the right side, click Reset Password. (Screenshot: Freeipa-reset-password-link.png)
  4. Type a new temporary password, and supply it to the user. (Screenshot: Freeipa-reset-password-dialog-box.png)

Encourage the user to visit https://auth3.sshchicago.org ASAP, where they will be prompted to enter a brand new password.

Disabling a user

If a user's membership lapses, their account should be Disabled.

  • Go to https://auth3.sshchicago.org
  • Find the user under the Identity > Users tab
  • Click on the user to bring up their management page.
  • In the "--select action--" pulldown, choose "Disable" and click Apply.

(Screenshot: Ipa3 user disable.png)

In the LDAP schema, this sets the nsAccountLock attribute on the user entry to TRUE; the entry and its uid are kept, so the account can be re-enabled later without recreating it.

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/nsAccountLock.html
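The three procedures above can also be driven from a shell with the FreeIPA command-line client instead of the web UI. The helper below is an added example for this page, not an sshchicago tool or part of FreeIPA; it assumes you have already run kinit as an admin on a host enrolled against the IPA domain, and the base DN in the constructed sample output (dc=example,dc=org) is a placeholder. The ipa subcommands it calls (user-add, passwd, user-disable, user-show) are real, and the password prompts of user-add --password and passwd are fed from stdin. Set IPA=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: wraps the member-management steps on this page around the
# `ipa` CLI. Assumes a valid admin Kerberos ticket (kinit). IPA=echo dry-runs.
set -eu
IPA="${IPA:-ipa}"

# Default handle per the page's convention: first initial + last name, lowercased.
default_handle() {
    printf '%s%s' "$(printf '%s' "$1" | cut -c1)" "$2" | tr 'A-Z' 'a-z'
}

# 24-character temporary password from the kernel CSPRNG (18 random bytes,
# base64, no padding). Hand it to the member out of band, never by wiki edit.
gen_temp_password() {
    head -c 18 /dev/urandom | base64 | tr -d '\n'
}

# "Process" steps 2-5: create the account with a temporary password and the
# contact attributes in one call. Prints the temporary password last.
add_member() {
    uid="$1"; first="$2"; last="$3"; email="$4"
    pw="$(gen_temp_password)"
    # `ipa user-add --password` prompts for the password twice on stdin.
    printf '%s\n%s\n' "$pw" "$pw" | "$IPA" user-add "$uid" \
        --first="$first" --last="$last" --email="$email" --password
    echo "$pw"
}

# "Resetting a user's password": refuses unless the caller records how the
# requestor's identity was verified, so the social-engineering check cannot
# be skipped silently. Logs who reset the password and on what basis.
reset_password() {
    uid="$1"; verified_via="${2:-}"
    if [ -z "$verified_via" ]; then
        echo "reset_password: refusing, identity of $uid not verified" >&2
        return 2
    fi
    pw="$(gen_temp_password)"
    echo "reset_password: $uid verified via '$verified_via' by $(id -un)" >&2
    # `ipa passwd` prompts for the new password twice on stdin.
    printf '%s\n%s\n' "$pw" "$pw" | "$IPA" passwd "$uid"
    echo "$pw"
}

# "Disabling a user": same effect as the web UI's Disable action.
disable_member() {
    "$IPA" user-disable "$1"
}

# Reads `ipa user-show <uid> --all --raw` output on stdin and succeeds only
# when the entry carries nsaccountlock: TRUE. Run it after disable_member to
# confirm the attribute actually changed rather than trusting the UI message.
is_locked() {
    grep -iq '^ *nsaccountlock: *true *$'
}

# Constructed sample output of `ipa user-show jdoe --all --raw` (placeholder
# base DN), used to exercise is_locked without a live server.
SAMPLE_LOCKED='  dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=org
  uid: jdoe
  givenname: John
  sn: Doe
  nsaccountlock: TRUE'
SAMPLE_ACTIVE='  dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=org
  uid: jdoe
  givenname: John
  sn: Doe
  nsaccountlock: FALSE'

# Typical use (dry run): IPA=echo sh thisfile.sh
if [ "${IPA}" = echo ] && [ "${1:-}" = demo ]; then
    h="$(default_handle John Doe)"
    add_member "$h" John Doe jdoe@example.org
    reset_password "$h" "in person at the space"
    disable_member "$h"
    printf '%s\n' "$SAMPLE_LOCKED" | is_locked && echo "$h is locked"
fi
```

To check a real account after disabling it, pipe the live output through the parser: `ipa user-show jdoe --all --raw | is_locked && echo locked`. The reset_password guard only records the verification basis; it still relies on the admin actually doing the check described above.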