User management is done via LDAP on the ldap-01 jail on bane. We use ldapscript_extension, a fork of ldapscripts with additional commands like ldapaddsshkey and ldapsetusermail.
SSH into bane and enter the LDAP jail:
ssh bane
jexec ldap-01
All commands below are run from inside the ldap-01 jail.
First, find the next available ID number — ignore 14999 (a special account):
lsldap -u | grep uidNumber | awk -F: '{print $2}' | tr -d ' ' | grep -v 14999 | sort -n | tail -1 | awk '{print $1+1}'
This prints the next available ID (highest UID + 1). This number will be used for both the UID and GID. Then create the user:
ldapadduser username newId newId
ldapadduser takes <username> <groupname | gid> [uid]. We pass the same number for both GID and UID, since each user gets their own primary group with a matching ID.
TO BE WRITTEN
ldapsetpasswd username
This prompts you to enter and confirm the new password.
Set the full name (cn), surname (sn) and mail address:
ldapsetusercn username "Full Name"
ldapsetusersn username "Surname"
ldapsetusermail username user@example.com
ldapaddsshkey username "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host"
The public key must be quoted as a single argument.
ldapremovesshkey username "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host"
Removes an SSH public key from a user. If the exact key is not found, nothing is done.
ldapremoveusermail username user@example.com
Removes a mail address from a user. If the exact mail address is not found, nothing is done.
Add the user to an additional group as needed:
ldapaddusertogroup username groupname
Finally, show the finished entry to check that everything was set:
ldapfinger username
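The whole procedure above (next id, ldapadduser, password, cn/sn/mail, SSH key, ldapfinger) as one script. This is an added example, not a script from the runbook or from ldapscript_extension. The ldap* command names are the ones the page uses; everything else is this script's own assumption: the RESERVED_UID constant, the username rule, the public-key sanity check, and `lsldap -g` for listing groups (as in stock ldapscripts). The next-id step reads the same `lsldap -u` output as the one-liner above, but matches only lines whose attribute name is uidNumber, and the id is re-checked against a fresh listing right before ldapadduser because two admins running the one-liner at the same time can compute the same number.

```sh
#!/bin/sh
# Added example, not part of the original runbook: a wrapper around the steps
# above. The ldap* command names are the ones the page uses; RESERVED_UID, the
# username rule, the key check and `lsldap -g` (group listing) are this
# script's own assumptions.
set -eu

RESERVED_UID=14999   # the special account the runbook says to ignore

# next_uid: read `lsldap -u` LDIF on stdin and print the highest uidNumber + 1,
# skipping RESERVED_UID. Matching on the attribute name only (field 1) means a
# description line that merely mentions "uidNumber" cannot inflate the result.
next_uid() {
    awk -F '[: ]+' -v reserved="$RESERVED_UID" '
        $1 == "uidNumber" && $2 ~ /^[0-9]+$/ && $2 + 0 != reserved + 0 && $2 + 0 > max { max = $2 + 0 }
        END { print max + 1 }'
}

# id_in_use: succeed if the number already appears as a uidNumber or gidNumber
# in the LDIF on stdin. next_uid is not atomic (two admins can compute the same
# number), so create_user runs this against fresh lsldap output right before
# ldapadduser.
id_in_use() {
    grep -Eq "^(uidNumber|gidNumber): *$1 *$"
}

# valid_username: a portable login name: starts with a lowercase letter or
# underscore, then lowercase letters, digits, underscore or hyphen, at most 32
# characters.
valid_username() {
    [ "${#1}" -le 32 ] && printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# valid_sshkey: accept one OpenSSH public key line "<type> <base64> [comment]".
# An ssh-ed25519 blob is always 51 bytes, i.e. exactly 68 base64 characters
# beginning with the encoded type string, so a truncated paste such as the
# "AAAA..." placeholder in the runbook text is rejected. Legacy ssh-dss keys
# are not accepted.
valid_sshkey() {
    keytype=$(printf '%s\n' "$1" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    case "$keytype" in
        ssh-ed25519)
            [ "${#blob}" -eq 68 ] || return 1
            case "$blob" in AAAAC3NzaC1lZDI1NTE5*) ;; *) return 1 ;; esac ;;
        ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com)
            ;;
        *) return 1 ;;
    esac
}

# create_user: the runbook steps in order; set -e aborts on the first failure.
# usage: create_user <username> "<Full Name>" <Surname> <mail> "<ssh public key>"
create_user() {
    user=$1; cn=$2; sn=$3; mail=$4; key=$5
    valid_username "$user" || { echo "rejected username: $user" >&2; return 1; }
    valid_sshkey "$key"    || { echo "rejected ssh key for $user" >&2; return 1; }
    id=$(lsldap -u | next_uid)
    # re-read the directory right before use to narrow the race window
    if lsldap -u | id_in_use "$id" || lsldap -g | id_in_use "$id"; then
        echo "id $id was taken meanwhile, re-run" >&2; return 1
    fi
    ldapadduser "$user" "$id" "$id"    # same number for GID and UID, as in the runbook
    ldapsetpasswd "$user"              # prompts for the password
    ldapsetusercn "$user" "$cn"
    ldapsetusersn "$user" "$sn"
    ldapsetusermail "$user" "$mail"
    ldapaddsshkey "$user" "$key"
    ldapfinger "$user"                 # show the finished entry
}

# Run the procedure only when all five arguments are given; otherwise the file
# just defines the functions so the checks above can be exercised on their own.
if [ "$#" -eq 5 ]; then
    create_user "$@"
fi
```

Run it inside the ldap-01 jail as `sh adduser.sh username "Full Name" Surname user@example.com "ssh-ed25519 AAAA... user@host"`; the key must still be passed as one quoted argument. The checks run before any write, so a typo in the username or a truncated key fails the script without leaving a half-created entry behind.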