New Users and their ACLs

This page describes how to add a new user manually and grant it the access it needs, e.g. an account that a service uses to authenticate against LDAP.

Add new user

Run ldapvi -D 'cn=admin,dc=fsfe,dc=org' -b 'dc=fsfe,dc=org' to open the whole user database in an editor.

Now, you can copy a user (e.g. bbbauth) and add it at the very bottom. Change the new user's name accordingly.

For the password, run slappasswd and enter the desired password twice. It will output the hash that you then should insert after userPassword:.

As a last step, replace the incremental number that ldapvi shows in front of the first line of the copied entry with the word add. This tells ldapvi to create a new record instead of modifying the one you copied from.

A final entry could look like the following:

add uid=newuser,ou=fellowship,dc=fsfe,dc=org
uid: newuser
objectClass: top
objectClass: inetOrgPerson
sn: newuser
cn: newuser
userPassword: {SSHA}abcdefghi123456789

Now, close the editor and confirm the addition of the new entry.
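The record above can be generated and sanity-checked from a shell before you confirm it in the editor. The following script is an added example, not part of the original page: it prints the record in the same layout as above and checks that the first line is an add line and that userPassword carries a slappasswd hash rather than a cleartext password (slappasswd itself is run separately; the hash is passed in). The base DN and the sample hash are taken from the page's example entry.

```shell
#!/bin/sh
# Added example: build and check the ldapvi "add" record for a new account.
# Assumption: the hash comes from `slappasswd`, run beforehand and not here.

BASE_DN='ou=fellowship,dc=fsfe,dc=org'

# make_user_ldif UID HASH: print the record in the page's layout.
make_user_ldif() {
    uid=$1
    hash=$2
    printf 'add uid=%s,%s\n' "$uid" "$BASE_DN"
    printf 'uid: %s\n' "$uid"
    printf 'objectClass: top\n'
    printf 'objectClass: inetOrgPerson\n'
    printf 'sn: %s\n' "$uid"
    printf 'cn: %s\n' "$uid"
    printf 'userPassword: %s\n' "$hash"
}

# check_user_ldif RECORD: print "ok" when the first line starts with
# "add uid=" (so ldapvi creates a record instead of editing the copied one)
# and userPassword is a {SSHA}/{CRYPT} hash; otherwise print the problem and
# return 1. A cleartext value would be stored by slapd exactly as given.
check_user_ldif() {
    record=$1
    case $(printf '%s\n' "$record" | sed -n '1p') in
        add\ uid=*) ;;
        *) echo "first line must start with 'add uid='"; return 1 ;;
    esac
    pw=$(printf '%s\n' "$record" | sed -n 's/^userPassword: //p')
    case $pw in
        '{SSHA}'*|'{CRYPT}'*) ;;
        '') echo "userPassword is missing"; return 1 ;;
        *) echo "userPassword is not a slappasswd hash"; return 1 ;;
    esac
    echo ok
}

# Stand-alone run: show the record for the page's sample values and check it.
record=$(make_user_ldif newuser '{SSHA}abcdefghi123456789')
printf '%s\n' "$record"
check_user_ldif "$record"
```

Paste the printed record at the bottom of the ldapvi buffer only after check_user_ldif reports ok.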

Give new user permissions

To see the current permissions (and other info), run the command ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}bdb'. The permissions are the olcAccess attributes of that entry. Make sure that you look at the actual LDAP, not the test database.

The file /root/access.ldif should correspond to the current permissions. You can just edit this file and add the lines accordingly for the new user. Make sure that the account does not have permissions it does not need (e.g. reading sensitive attributes).

Now, it's usually time to make a snapshot of the server via the Proxmox interface!

Then, run ldapmodify -Y EXTERNAL -H ldapi:/// -f access.ldif (from /root, where the file lives) to import the settings. It's best to revisit the new access permissions afterwards and check that they look fine.
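The content of /root/access.ldif is not shown on this page, so the following is an added example and not the real file: it drafts a least-privilege olcAccess rule set for a service account that only needs to bind and look up a few attributes, and audits the draft for the new account before ldapmodify is run. The attribute lists and the three rules are constructed; the database name olcDatabase={1}bdb and the admin DN are taken from the commands above. One caveat the example is built around: a modify with replace: olcAccess drops every rule that is not listed again, so the file must always carry the complete rule set, not only the lines for the new user.

```shell
#!/bin/sh
# Added example: draft and audit olcAccess rules for a new service account.
# Assumptions: database entry olcDatabase={1}bdb (from the page), rules and
# attribute lists are constructed and will differ on the real server.

SERVICE_DN='uid=newuser,ou=fellowship,dc=fsfe,dc=org'

# make_access_ldif: print a modify record that REPLACES the whole olcAccess
# attribute, so every existing rule has to be repeated here. The service
# account gets read on a few attributes (plus the "entry" pseudo-attribute,
# without which searches return nothing) and no access to userPassword;
# "by anonymous auth" is what lets it bind. The rootdn bypasses ACLs anyway.
make_access_ldif() {
    cat <<EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=entry,uid,cn,sn,mail by dn.exact="$SERVICE_DN" read by self read by * none
olcAccess: {2}to * by dn.exact="cn=admin,dc=fsfe,dc=org" write by self read by * none
EOF
}

# audit_access LDIF DN: print every olcAccess rule that grants DN more than
# read (write/manage), or any level other than none on userPassword, and
# return 1; print "clean" when nothing was found.
audit_access() {
    ldif=$1
    dn=$2
    findings=$(printf '%s\n' "$ldif" | awk -v dn="$dn" '
        /^olcAccess:/ {
            # only the "by" clause naming this exact DN matters
            n = index($0, "dn.exact=\"" dn "\"")
            if (n == 0) next
            split(substr($0, n), f, " ")
            level = f[2]
            if ($0 ~ /attrs=[^ ]*userPassword/ && level != "none") print $0
            else if (level == "write" || level == "manage") print $0
        }')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo clean
}

# Stand-alone run: print the draft and audit it for the service account.
draft=$(make_access_ldif)
printf '%s\n' "$draft"
audit_access "$draft" "$SERVICE_DN"
```

Run the audit against the real /root/access.ldif with the new account's DN before the snapshot and the ldapmodify; a non-clean result means the file grants the account something the text above says it should not have.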

TechDocs/TechnicalProcesses/LDAP/UserAccess (last edited 2020-09-18 12:54:18 by max.mehl)