account [2012/06/10 08:59]
alex
account [2016/10/30 09:01] (current)
alex [Creating an Account]
Line 1: Line 1:
 ====== User Account Handling ====== ====== User Account Handling ======
-As there is more than one server that will make up the Wormnet universe, in addition to a few xDSL joined NASes and systems, we need to roll out some kind of central user management database. ​ Naturally we opted for LDAP. 
  
-The packages required to be installed to do this are: +===== Creating an Account =====
-  * [[http://​packages.debian.org/​slapd|slapd]] +
-  * [[http://​packages.debian.org/​nslcd|nslcd]] +
-    * [[http://​packages.debian.org/​libnss-ldapd|libnss-ldapd]] +
-    * [[http://​packages.debian.org/​libpam-ldapd|libpam-ldapd]] +
-  * [[http://​packages.debian.org/​unscd|unscd]]+
  
-===== User Management ===== 
-==== Modifying an Account ==== 
-Adding SSH keys, etc. can be done without root access. Do:- 
- 
-  # Set $EDITOR if vi isn't your thing 
-  $ ldapvi --discover -D uid=${USER},​ou=Users,​dc=wormnet,​dc=eu -h ldapi:/// uid=${USER} 
- 
-... and add/remove sshPublicKey lines to your heart'​s delight. 
- 
-==== Creating an Account ==== 
-  root@marmot:​~#​ NEW_USER=fred 
-  root@marmot:​~#​ ldapaddgroup $NEW_USER 
-  root@marmot:​~#​ ldapadduser $NEW_USER $NEW_USER 
-  Successfully added user $NEW_USER to LDAP 
-  Successfully set password for user $NEW_USER 
-  ​ 
-  root@marmot:​~#​ # LDAP admin password for cn=Manager,​dc=wormnet,​dc=eu lurks in /​etc/​ldap.secret 
-  root@marmot:​~#​ passwd $NEW_USER 
-  LDAP administrator password: 
-  New password: 
-  Retype new password: 
-  passwd: password updated successfully 
-  ​ 
-  root@marmot:​~#​ ldapvi --discover -D cn=Manager,​dc=wormnet,​dc=eu -h ldapi:/// uid=$NEW_USER 
-  objectClass:​ ldapPublicKey 
-  sshPublicKey:​ ssh-rsa AAAB3...aLOOw== wibble 
-  sshPublicKey:​ ssh-rsa AAAB3...KD0pw== fred@foobar 
-  ​ 
   root@marmot:​~#​ lvcreate -L 256M -n home-$NEW_USER lvm-marmot   root@marmot:​~#​ lvcreate -L 256M -n home-$NEW_USER lvm-marmot
   root@marmot:​~#​ mkfs.ext4 -L home-$NEW_USER /​dev/​lvm-marmot/​home-$NEW_USER   root@marmot:​~#​ mkfs.ext4 -L home-$NEW_USER /​dev/​lvm-marmot/​home-$NEW_USER
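Review bot: the removed block at the top of the hunk was the only text explaining why central user management existed (several servers plus xDSL-joined NASes) and which packages provided it (slapd, nslcd, libnss-ldapd, libpam-ldapd, unscd); the new revision replaces all of it with just the "Creating an Account" heading, so nothing tells the reader that accounts are now local to marmot and have to be created on each host separately. The removed "Modifying an Account" section also goes without replacement: it let a user maintain their own sshPublicKey entries with `ldapvi --discover -D uid=${USER},ou=Users,dc=wormnet,dc=eu`, whereas in the new procedure keys are written by root into /home/$NEW_USER/.ssh/authorized_keys. Suggest keeping one sentence stating that LDAP is no longer used for accounts and where a user now goes to change their key.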
-  root@marmot:​~#​ vi /etc/fstab 
-  LABEL=home-fred ​        /​home/​fred ​     auto    relatime,​nodev,​nosuid,​noexec ​            ​0 ​ 2 
   root@marmot:​~#​ mkdir /​home/​$NEW_USER   root@marmot:​~#​ mkdir /​home/​$NEW_USER
 +  root@marmot:​~#​ [edit /etc/fstab to mount new user space]
   root@marmot:​~#​ mount /​home/​$NEW_USER   root@marmot:​~#​ mount /​home/​$NEW_USER
-  root@marmot:​~# ​chown $NEW_USER:​$NEW_USER /​home/​$NEW_USER +  root@marmot:​~# ​useradd -G users,​wormnet-shell -s /​bin/​bash ​$NEW_USER 
-  root@marmot:​~#​ tar cC /​etc/​skel ​--owner=$NEW_USER --group=$NEW_USER ​. | tar xC /​home/​$NEW_USER+  root@marmot:~# passwd ​$NEW_USER 
 +  root@marmot:​~#​ mkdir /​home/​$NEW_USER/.ssh 
 +  root@marmot:​~#​ echo "​ssh-rsa AAAB3...KD0pw== fred@foobar"​ > /​home/​$NEW_USER/​.ssh/​authorized_keys 
 +  root@marmot:​~#​ tar cC /​etc/​skel ​. | tar xC /home/$NEW_USER 
 +  root@marmot:​~#​ chown -R $NEW_USER:$NEW_USER /​home/​$NEW_USER
   root@marmot:​~#​ chmod -R og-r-w-x /​home/​$NEW_USER   root@marmot:​~#​ chmod -R og-r-w-x /​home/​$NEW_USER
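Review bot: replacing the concrete fstab entry with the placeholder `[edit /etc/fstab to mount new user space]` drops the documented mount options: the removed line mounted the per-user volume with `relatime,nodev,nosuid,noexec`, which is the hardening that justified a separate LV per home directory, and the `mount /home/$NEW_USER` line that follows still depends on an fstab entry being present. Suggest restoring the example line `LABEL=home-fred /home/fred auto relatime,nodev,nosuid,noexec 0 2` in its new position before the mount. Two smaller points in the same region: `useradd -G users,wormnet-shell -s /bin/bash $NEW_USER` runs after the mount but passes neither `-m` nor `-d`, so it silently relies on the default home path matching the mount point, which deserves a comment; and `passwd $NEW_USER` followed by writing authorized_keys leaves the account with both a password and a key, so if key-only login is the intent the text should say so and lock the password instead.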
-  ​ +==== Restricting to Just sftp/scp ==== 
-  # so the user gets sensible resource limits and other permissions,​ add to 'users' ​(and optionally additionally ​'staff' and 'adm'+If you make the users account use the shell ''​/​usr/​bin/​rssh'​' and edit ''​/​etc/​rssh.conf''​ then you can create accounts that can only upload/​download files rather than have full shell - although you will still need to add them to the 'wormnet-shell' group.
-  root@marmot:​~#​ usermod -G users $NEW_USER +
-   +
-  # to enable to user to actually SSH in and get a shell +
-  root@marmot:​~#​ ldapvi ​--discover -D cn=Manager,​dc=wormnet,​dc=eu -h ldapi:/// cn=wormnet-shell +
-  memberUid: $NEW_USER+
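Review bot: the new "Restricting to Just sftp/scp" section tells the reader to give the account the shell /usr/bin/rssh but shows no command, while the `useradd` line earlier in this hunk hard-codes `-s /bin/bash`; suggest spelling out the variant, e.g. `useradd -G users,wormnet-shell -s /usr/bin/rssh $NEW_USER`, and naming which /etc/rssh.conf setting to change rather than only the file. The sentence also says such users "still need to be added to the 'wormnet-shell' group", but the `-G users,wormnet-shell` in that same useradd already does this, so clarify whether anything beyond that is meant. The removed lines at the end of the hunk carried the only rationale for group membership (the 'users' group for sensible resource limits, 'staff' and 'adm' as optional extras); that guidance is gone from the new text. Finally, "users account" should read "user's account".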
account.1339318742.txt.gz · Last modified: 2012/06/10 08:59 by alex