Manage Users

User management is done via LDAP on the ldap-01 jail on bane. We use ldapscript_extension, a fork of ldapscripts with additional commands like ldapaddsshkey and ldapsetusermail.

Getting Started

SSH into bane and enter the LDAP jail:

ssh bane
jexec ldap-01

All commands below are run from inside the ldap-01 jail.

Adding a New User

First, find the next available ID number — ignore 14999 (a special account):

lsldap -u | grep uidNumber | awk -F: '{print $2}' | tr -d ' ' | grep -v 14999 | sort -n | tail -1 | awk '{print $1+1}'

This prints the next available ID (highest UID + 1). This number will be used for both the UID and GID. Then create the user:

ldapadduser username newId newId

ldapadduser takes <username> <groupname | gid> [uid]. We pass the same number for both GID and UID, since each user gets their own primary group with a matching ID.
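The two steps above, wrapped into shell functions as an added example (this is not code from the page or from ldapscript_extension): the same "highest UID + 1" rule as the pipeline, plus the checks you would want before creating an account (a sane username, no existing account with that name, a non-empty ID). lsldap -u and ldapadduser are the page's commands; RESERVED_UID, the function names, the assumption that lsldap -u prints a "uid: name" line for each account, and the sample LDIF are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original page or of ldapscript_extension.
# Works on the "uidNumber:" lines printed by `lsldap -u` (command from the page).
# RESERVED_UID, the helper names and the sample below are constructed for this example.

RESERVED_UID=14999   # the special account the page says to ignore

# All allocated uid numbers from lsldap -u output on stdin, one per line, ascending.
list_uids() {
    awk -F': *' '$1 == "uidNumber" { print $2 }' | sort -n
}

# Highest UID + 1, skipping the reserved account: the same rule as the page's pipeline.
next_free_uid() {
    list_uids | grep -vx "$RESERVED_UID" | tail -n 1 | awk '{ print $1 + 1 }'
}

# Succeeds if uid number $1 is already allocated (reserved account included).
uid_in_use() {
    list_uids | grep -qx "$1"
}

# Succeeds if a "uid: $1" attribute line exists (assumes lsldap -u prints the
# posixAccount uid attribute for every user).
user_exists() {
    awk -v u="$1" -F': *' '$1 == "uid" && $2 == u { found = 1 } END { exit !found }'
}

# Create the user with matching UID and GID, refusing when anything looks wrong.
# Only meaningful inside the ldap-01 jail, where lsldap and ldapadduser exist.
add_user() {
    name=$1
    if ! printf '%s' "$name" | grep -Eq '^[a-z][a-z0-9_-]{0,31}$'; then
        echo "invalid username: $name" >&2; return 1
    fi
    snapshot=$(lsldap -u)                  # one read, so every check sees the same data
    if printf '%s\n' "$snapshot" | user_exists "$name"; then
        echo "user $name already exists" >&2; return 1
    fi
    id=$(printf '%s\n' "$snapshot" | next_free_uid)
    if [ -z "$id" ]; then
        echo "could not determine next uid (empty lsldap output?)" >&2; return 1
    fi
    if printf '%s\n' "$snapshot" | uid_in_use "$id"; then
        echo "uid $id already in use" >&2; return 1
    fi
    ldapadduser "$name" "$id" "$id"        # same number for GID and UID, as on the page
}

# Constructed sample of lsldap -u output (not real directory data).
SAMPLE='dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice
uidNumber: 10001
gidNumber: 10001

dn: uid=special,ou=Users,dc=example,dc=org
uid: special
uidNumber: 14999
gidNumber: 14999

dn: uid=bob,ou=Users,dc=example,dc=org
uid: bob
uidNumber: 10002
gidNumber: 10002'

# Stand-alone run against the sample: the reserved 14999 is skipped, so this is 10003.
echo "next free uid: $(printf '%s\n' "$SAMPLE" | next_free_uid)"
```

Inside the jail you would call add_user newuser; the sample at the bottom only exists so the helpers can be exercised outside it.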

Creating Datasets

TO BE WRITTEN

Setting Password

ldapsetpasswd username

This prompts you to enter and confirm the new password.

Changing CN (Common Name / First Name)

ldapsetusercn username "Full Name"

Changing SN (Surname)

ldapsetusersn username "Surname"

Setting User Email

ldapsetusermail username user@example.com

Adding SSH Key

ldapaddsshkey username "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host"

The public key must be quoted as a single argument.
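An added example (not from the page or from ldapscript_extension) of a check to run before handing a key to ldapaddsshkey: the argument must be exactly one line of the form "type blob [comment]", the type must be on an allow-list, the blob must be base64, and the blob's first characters must agree with the stated type (an OpenSSH public-key blob begins with the length-prefixed type name, so that prefix is fixed per key type). The function names and the sample keys are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original page or of ldapscript_extension.
# valid_sshkey and add_sshkey are this example's own names; ldapaddsshkey is the page's command.

# Succeeds only for a single well-formed OpenSSH public key line.
valid_sshkey() {
    key=$1
    # Structural check: one line, at least "type blob", allow-listed type, base64 blob.
    printf '%s\n' "$key" | awk '
        NR > 1 || NF < 2 { bad = 1; exit }
        $1 !~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/ { bad = 1; exit }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/ { bad = 1; exit }
        END { exit bad }' || return 1
    # The blob encodes its own type name first, so its base64 prefix must match the label.
    type=${key%% *}
    blob=${key#* }
    blob=${blob%% *}
    case "$type:$blob" in
        ssh-ed25519:AAAAC3NzaC1lZDI1NTE5*)                   return 0 ;;
        ssh-rsa:AAAAB3NzaC1yc2E*)                            return 0 ;;
        ecdsa-sha2-nistp256:AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY*) return 0 ;;
        ecdsa-sha2-nistp384:AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ*) return 0 ;;
        ecdsa-sha2-nistp521:AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate, then add with the page's command (only exists inside the ldap-01 jail).
add_sshkey() {
    if ! valid_sshkey "$2"; then
        echo "refusing to add malformed key for $1" >&2; return 1
    fi
    ldapaddsshkey "$1" "$2"
}

# Constructed sample keys (not real keys). The ed25519 blob carries the correct
# type prefix followed by filler; the second key pairs an rsa label with an ed25519 blob.
GOOD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkLWV4YW1wbGUta2V5LW5vdC1yZWFs user@host'
MISMATCHED_KEY='ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkLWV4YW1wbGUta2V5LW5vdC1yZWFs user@host'

# Stand-alone run: prints one "ok" and one "bad" line.
for k in "$GOOD_KEY" "$MISMATCHED_KEY"; do
    if valid_sshkey "$k"; then echo "ok:  ${k%% *}"; else echo "bad: ${k%% *}"; fi
done
```

The usual mistakes the single-argument rule guards against, a pasted block containing two keys or the contents of a private key file, both fail the one-line and type checks, so they never reach the directory.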

Removing SSH Key

Removes an SSH public key from a user. If the exact key is not found, nothing is done.

ldapremovesshkey username "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... user@host"

Removing User Email

Removes a mail address from a user. If the exact mail is not found, nothing is done.

ldapremoveusermail username user@example.com

Adding User to a Group

ldapaddusertogroup username groupname

Getting User Info

ldapfinger username

See Also