====== Manage Users ======

User management is done via LDAP on the ''ldap-01'' jail on bane. We use [[https://git.abi.am/varinka/ldapscript_extension|ldapscript_extension]], a fork of [[https://github.com/martymac/ldapscripts|ldapscripts]] with additional commands like ''ldapaddsshkey'' and ''ldapsetusermail''.

===== Getting Started =====

SSH into bane and enter the LDAP jail:

  ssh bane
  jexec ldap-01

All commands below are run from inside the ''ldap-01'' jail.

===== Adding a New User =====

First, find the next available ID number — ignore ''14999'' (a special account):

  lsldap -u | grep uidNumber | awk -F: '{print $2}' | tr -d ' ' | grep -v 14999 | sort -n | tail -1 | awk '{print $1+1}'

This prints the next available ID (highest UID + 1). This number will be used for both the UID and GID.

Then create the user:

  ldapadduser username newId newId

''ldapadduser'' takes ''username gid [uid]''. We pass the same number for both GID and UID, since each user gets their own primary group with a matching ID.

===== Creating Datasets =====

TO BE WRITTEN

===== Setting Password =====

  ldapsetpasswd username

This prompts you to enter and confirm the new password.

===== Changing CN (Common Name / First Name) =====

  ldapsetusercn username "Full Name"

===== Changing SN (Surname) =====

  ldapsetusersn username "Surname"

===== Setting User Email =====

  ldapsetusermail username user@example.com

===== Adding SSH Key =====

  ldapaddsshkey username "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host"

The public key must be quoted as a single argument.

===== Removing SSH Key =====

Removes an SSH public key from a user. If the exact key is not found, nothing is done.

  ldapremovesshkey username "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host"

===== Removing User Email =====

Removes a mail address from a user. If the exact mail is not found, nothing is done.

  ldapremoveusermail username user@example.com

===== Adding User to a Group =====

  ldapaddusertogroup username groupname

===== Getting User Info =====

  ldapfinger username

===== See Also =====

  * [[infra:ldap|LDAP Configuration]]
  * [[infra:start|Infrastructure]]
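
For the next-ID step under Adding a New User: an added example (not part of ldapscripts or ldapscript_extension) that picks the ID from LDIF on stdin and, because the same number becomes both UID and GID, also skips the reserved ''14999'' and any number already in use as a ''gidNumber''. The function names, the sample entries and the ''lsldap -g'' group listing in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; next_free_id and sample_ldif are hypothetical helper names.
RESERVED_ID=14999   # the special account named on this page

# Reads LDIF on stdin and prints the first ID above the highest regular
# uidNumber that is free as both a uidNumber and a gidNumber.
next_free_id() {
    awk -F': *' -v reserved="$RESERVED_ID" '
        /^(uidNumber|gidNumber):/ {
            id = $2 + 0
            used[id] = 1                      # remember every ID seen
            if ($1 == "uidNumber" && id != reserved && id > max) max = id
        }
        END {
            if (max == 0) { print "no uidNumber found" > "/dev/stderr"; exit 1 }
            cand = max + 1
            # Step past the reserved ID and anything already taken.
            while ((cand in used) || cand == reserved) cand++
            print cand
        }'
}

# Constructed sample in the shape of lsldap output (not real directory data).
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=Users,dc=example,dc=org
uidNumber: 10001
gidNumber: 10001

dn: uid=special,ou=Users,dc=example,dc=org
uidNumber: 14999
gidNumber: 14999

dn: cn=projects,ou=Groups,dc=example,dc=org
gidNumber: 10002
EOF
}

# Inside the ldap-01 jail (assumes lsldap -g lists groups, as in ldapscripts):
#   id=$({ lsldap -u; lsldap -g; } | next_free_id) && ldapadduser username "$id" "$id"
sample_ldif | next_free_id
```

On the constructed sample the highest regular UID is 10001, but 10002 is already a group's GID, so the function moves on to the next free number.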