Difference between revisions of "Sysadmin/User management"

From Sugar Labs
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
== Sunjammer (aka shell.sugarlabs.org) ==
 +
 
To carry on these procedures, you need root access on [[Machine/sunjammer]].
 
To carry on these procedures, you need root access on [[Machine/sunjammer]].
  
== Adding a new user on [[Machine/sunjammer]] (aka shell.sugarlabs.org) ==
+
'''NOTE: You have to become root with 'sudo -i' before using the following commands. Prefixing the command with sudo won't work because it doesn't switch $HOME to /root, which is necessary to make the ldap commands source <code>/root/.ldaprc</code>.'''
 +
 
 +
=== Account creation ===
  
 
See [[Sysadmin/Add shell account]].
 
See [[Sysadmin/Add shell account]].
  
== Editing users and groups ==
+
=== Editing users and groups ===
  
 
* Run "ldapvi"
 
* Run "ldapvi"
Line 11: Line 15:
 
* Type "y" to accept changes.
 
* Type "y" to accept changes.
  
== Passwords ==
+
=== Passwords ===
  
 
The users are supposed to update their password by going to
 
The users are supposed to update their password by going to
Line 24: Line 28:
  
  
== Removing shell accounts ==
+
=== Removing shell accounts ===
  
 
Use:
 
Use:
Line 30: Line 34:
 
  system-userdel <user>
 
  system-userdel <user>
  
== Groups ==
+
=== Manipulating groups ===
  
 
To add groups:
 
To add groups:
Line 39: Line 43:
  
  
== Password reset ==
+
=== Password reset ===
  
If the users have forgotten their password, you can hack the password
+
When users have forgotten their password, you can hack the password
information manually with ldapvi. Alternatively, go to the password
+
information manually with <code>ldapvi</code>. Alternatively, go to the
web form and type sunjammer's root password in place of the user's
+
[https://ldap.sugarlabs.org/passwd password web form] and type sunjammer's
old password.
+
root password where of the user's old password would normally go.
 +
 
 +
If the user knows how to use GPG, send them the new password encrypted.
 +
''In any case, ask them to change their password immediately.'''
  
If the user knows how to use GPG, send them the new password
 
encrypted. In any case, ask them to change it immediately.
 
  
 
== Accounts on other hosts ==
 
== Accounts on other hosts ==
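Review bot: In the added Password reset text, the emphasis on "In any case, ask them to change their password immediately." opens with '' and closes with ''', so the markup is unbalanced and a stray apostrophe is rendered after the sentence; use the same delimiter on both sides. The added line "root password where of the user's old password would normally go" also carries a leftover "of" and should read "where the user's old password would normally go".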
Line 73: Line 78:
 
== See also ==
 
== See also ==
 
* [[Sysadmin/Add_shell_account]] -- how to add shell accounts on sunjammer
 
* [[Sysadmin/Add_shell_account]] -- how to add shell accounts on sunjammer
 +
* [[Service/Account]] -- Account request procedure (for users)
 +
* [[Service/shell]] -- Shell account rules and details (for users)
 +
 +
[[Category:Sysadmin|Sysadmin procedures]]

Latest revision as of 14:01, 9 December 2011

Sunjammer (aka shell.sugarlabs.org)

To carry out these procedures, you need root access on Machine/sunjammer.

NOTE: You have to become root with 'sudo -i' before using the following commands. Prefixing the command with sudo won't work because it doesn't switch $HOME to /root, which is necessary to make the ldap commands source /root/.ldaprc.
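
The check below is an added example, not part of the original page or of the Sugar Labs scripts. It refuses to run an LDAP tool unless the shell is root and $HOME points at root's home, the condition the note above describes. The function names ldap_preflight and ldap_run are hypothetical, and root's home is a parameter (default /root) so the check can be exercised off-host.

```shell
#!/bin/sh
# Added example (not from the wiki page). ldap_preflight and ldap_run are
# hypothetical helper names.
#   $1 = effective uid, $2 = value of $HOME, $3 = root's home (default /root)
ldap_preflight() {
    uid=$1; home=$2; root_home=${3:-/root}

    # Failure 1: not root at all.
    if [ "$uid" -ne 0 ]; then
        echo "not root: become root with 'sudo -i' first" >&2
        return 1
    fi
    # Failure 2: the case the note describes. Root via a plain
    # 'sudo <command>' with HOME still set to the invoking user's directory,
    # so root's .ldaprc is not the one the LDAP tools would source.
    if [ "$home" != "$root_home" ]; then
        echo "HOME=$home, expected $root_home: $root_home/.ldaprc will not be read" >&2
        return 2
    fi
    # Failure 3: HOME is right but the file is missing or unreadable.
    if [ ! -r "$home/.ldaprc" ]; then
        echo "$home/.ldaprc is missing or unreadable" >&2
        return 3
    fi
    return 0
}

# Wrapper: run an LDAP tool only when the preflight passes,
# e.g. 'ldap_run ldapvi'.
ldap_run() {
    ldap_preflight "$(id -u)" "$HOME" || return $?
    "$@"
}
```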

Account creation

See Sysadmin/Add shell account.

Editing users and groups

  • Run "ldapvi"
  • Edit with your favourite $EDITOR, save and exit
  • Type "y" to accept changes.

Passwords

The users are supposed to update their password by going to

https://ldap.sugarlabs.org/passwd

Password logins are not permitted on any of our machines. The password is used by other authentication protocols: HTTP, IMAP, SMTP...

We currently don't have single-sign-on on most of our web applications, but users can use our OpenID provider (id.sugarlabs.org).


Removing shell accounts

Use:

 system-userdel <user>

Manipulating groups

To add groups:

 system-groupadd

To remove groups, there's no script. Simply use "ldapvi" with no arguments.


Password reset

When users have forgotten their password, you can hack the password information manually with ldapvi. Alternatively, go to the password web form and type sunjammer's root password where the user's old password would normally go.

If the user knows how to use GPG, send them the new password encrypted. In any case, ask them to change their password immediately.


Accounts on other hosts

NOTE: accounts on Machine/lightwave, Machine/jita and other high-security machines shouldn't be given out lightly.

Account creation

With remote-useradd, you can automate account creation and provisioning on any Sugar Labs host. Log into sunjammer, become root and type:

 remote-useradd <remote host> <username> [<group>...]

Of course, you'll need sudo access on the remote host. There's no need to invoke remote-auth afterwards.

Account removal

 remote-userdel <remote host> <username>

Installing user keys to the remote host

 remote-auth <remote host> <username> [<remote user>]


See also