Sysadmin/User management: Difference between revisions

← Older edit

@@ Line 1: / Line 1: @@
+== Sunjammer (aka shell.sugarlabs.org) ==
 To carry on these procedures, you need root access on [[Machine/sunjammer]].
-== Adding a new user on [[Machine/sunjammer]] ==
+'''NOTE: You have to become root with 'sudo -i' before using the following commands. Prefixing the command with sudo won't work because it doesn't switch $HOME to /root, which is necessary to make the ldap commands source <code>/root/.ldaprc</code>.'''
+=== Account creation ===
+See [[Sysadmin/Add shell account]].
+=== Editing users and groups ===
+* Run "ldapvi"
+* Edit with your favourite $EDITOR, save and exit
+* Type "y" to accept changes.
+=== Passwords ===
+The users are supposed to update their password by going to
+ https://ldap.sugarlabs.org/passwd
+Password logins are not permitted on any of our machines. The password
+is used by other authentication protocols: HTTP, IMAP, SMTP...
+We currently don't have single-sign-on on most of our web applications,
+but users can use our OpenID provider (id.sugarlabs.org).
+=== Removing shell accounts ===
+Use:
+ system-userdel <user>
+=== Manipulating groups ===
-Ask users for the following information:
+To add groups:
-* Desired username
+ system-groupadd
-* First and last name
-* Forwaring email address (i.e.: where they want email for USER@sugarlabs.org) to be sent to
-* SSH key
-* Optionally, a gpg key
+To remove groups, there's no script. Simply use "ldapvi" with no arguments.
-The user creation procedure is fully automated with a script:
-* As root, use <code>system-useradd</code>
+=== Password reset ===
-* See synopsis
-* Follow prompts and instructions
-A welcome message will be sent to the user automatically.
+When users have forgotten their password, you can hack the password
+information manually with <code>ldapvi</code>. Alternatively, go to the
+[https://ldap.sugarlabs.org/passwd password web form] and type sunjammer's
+root password where of the user's old password would normally go.
-== Editing users and groups ==
+If the user knows how to use GPG, send them the new password encrypted.
+''In any case, ask them to change their password immediately.'''
-* Run "ldapvi"
-* Edit with your favourite $EDITOR, save and exit
+== Accounts on other hosts ==
-* Type "y" to accept changes.
+'''NOTE:''' accounts on [[Machine/lightwave]], [[Machine/jita]] and other high-security machines shouldn't be given out lightly.'''
+=== Account creation ===
+With <code>remote-useradd</code>, you can automate account creation and provisioning on any Sugar Labs host.
+Log into sunjammer, become root and type:
+  remote-useradd <remote host> <username> [<group>...]
+Of course, you'll need sudo access on the remote host. There's no need to invoke <code>remote-auth</code> afterwards.
+=== Account removal ===
+  remote-userdel <remote host> <username>
+=== Installing user keys to the remote host ===
+  remote-auth <remote host> <username> [<remote user>]
+== See also ==
+* [[Sysadmin/Add_shell_account]] -- how to add shell accounts on sunjammer
+* [[Service/Account]] -- Account request procedure (for users)
+* [[Service/shell]] -- Shell account rules and details (for users)
+[[Category:Sysadmin|Sysadmin procedures]]