LDAP Configuration and Management

LDAP Configuration

The LDAP Configuration can be opened from the main menu Components → LDAP → Config. It handles a few settings relevant to the user and group management in qluman-qt.

[Screenshot: LDAP configuration]

The user ID for LDAP users is limited to a certain range of IDs. By convention user IDs below 1000 (below 500 on older CentOS releases) are reserved for system accounts and daemons, so 1000 is the usual minimum of the range. At the upper end there is no clear convention. When the LDAP server is shared with others it is convenient to assign each group sharing the server its own range of IDs, so it is easy to see where a given user (or group) comes from. The Min and Max User ID settings define that range, and qluman-qt will suggest User IDs within it when a new user is created.

The Next User ID is the ID qluman-qt will suggest the next time a user is created. After a user is created, Next is advanced to the next unused ID; when it reaches the Max User ID it wraps around to the Min User ID and starts again. The reason to track this explicitly instead of always taking the smallest free User ID is to avoid reusing the ID of a deleted user. File ownership is stored as the numeric ID, so any files still on the system that belonged to the old user (home directory, scratch data, mail spool) would silently become accessible to the new user. Note that the protection only lasts until Next wraps around: once the range has been cycled, a deleted user's ID will be handed out again, so files of a deleted user should be removed or reassigned (for example located with find / -nouser) rather than left in place.

The Min, Next and Max settings for Group ID are the same as User ID, except for groups instead of users.

User IDs and Group IDs in the range 65000 - 65535 are always reserved and are skipped automatically if they fall between Min and Max.
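To make the Min/Next/Max policy concrete, here is a small Python model of it. This is an added example, not qluman-qt's own code: the class IdRange and its methods are my own names, and the set of IDs already in use is supplied by the caller (in practice it would be read from LDAP). It reproduces the documented behaviour, including the reuse of a deleted user's ID that becomes possible once Next wraps around.

```python
"""Model of the Min/Next/Max ID allocation described above.

Added example, not qluman-qt's own code: hand out Next, advance it to the
next unused ID, wrap from Max to Min, always skip 65000-65535. The set of
IDs in use would be read from LDAP in practice; here the caller supplies it.
"""

RESERVED = range(65000, 65536)   # never handed out, per the LDAP Config rules


class IdRange:
    def __init__(self, minimum, maximum, next_id=None):
        if not (0 <= minimum <= maximum):
            raise ValueError("need 0 <= Min <= Max")
        self.min, self.max = minimum, maximum
        self.next = minimum if next_id is None else next_id
        if not minimum <= self.next <= maximum:
            raise ValueError("Next must lie within Min..Max")

    def _step(self, value):
        """Candidate after value: wrap at Max, jump over the reserved block."""
        value += 1
        if value > self.max:
            value = self.min
        if value in RESERVED:
            value = RESERVED.stop if RESERVED.stop <= self.max else self.min
        return value

    def _first_free(self, start, in_use):
        """Walk from start until an ID is neither in use nor reserved; None if exhausted."""
        candidate = start
        for _ in range(self.max - self.min + 1):
            if candidate not in in_use and candidate not in RESERVED:
                return candidate
            candidate = self._step(candidate)
        return None

    def allocate(self, in_use):
        """Return the ID to assign and advance Next, or None if the range is full.

        Next is validated before being handed out: another administrator may
        have used it since it was stored.
        """
        chosen = self._first_free(self.next, in_use)
        if chosen is None:
            return None
        # Next moves past the ID just assigned rather than back to the lowest
        # free one, so a deleted user's ID is not recycled until Next wraps.
        following = self._first_free(self._step(chosen), in_use | {chosen})
        self.next = following if following is not None else self._step(chosen)
        return chosen


if __name__ == "__main__":
    ids = IdRange(2000, 2005)
    in_use = {2000, 2001, 2002}          # constructed: IDs already in LDAP
    for _ in range(3):
        new_id = ids.allocate(in_use)
        in_use.add(new_id)
        print("assigned", new_id, "next", ids.next)
```

The range in the second part of the test below deliberately straddles the reserved block, so the skip and the wrap-around can both be seen in a handful of allocations.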

The Default Group and Homedir Prefix are used to pre-fill the respective fields in the input mask when a new user is created. The home directory is constructed from the Homedir Prefix followed by the user name, so in most cases these fields do not have to be changed.

LDAP User Management

The LDAP User Management can be opened from the main menu Components → LDAP → User Management.

[Screenshot: LDAP User Management]

It shows a list of all LDAP Users on the left side. On the right side information about the selected user is displayed.

Creating a new user

A new user can be created by first clicking the New button. The right side of the window then becomes the input mask for the new user, and some fields will be pre-set to useful values. Other fields must be filled in before the user can be created. The label before each field turns green when the current value is acceptable, yellow if it can be completed to an acceptable value and red if it is unacceptable. The first field that should be completed is the User Name. Changing the User Name also changes the Home Directory field, which is pre-set to the Homedir Prefix plus the User Name.

[Screenshot: Creating a new user]

Once all fields show green the Create button will also show green and can be clicked to create the new user.

Editing a user

The information for an existing user can be edited by first selecting the user on the left side of the window and then editing the relevant field. Just as when creating a user, the label is color coded to show whether the input is valid. Finally the Save button must be clicked to save the changed information. To undo changes without saving, select a different user or close the window.

Adding a user to a group

A user can be added to or removed from a group by opening the context menu in the Groups box. Selecting an entry adds the user to or removes the user from that group.

Reset Password

The password of a user can be reset by selecting the user on the left side and clicking the Reset Password button.

Filter user list

[Screenshot: Filter user list]

When the cluster has many LDAP users it can be hard to find the right one in the user list, especially when only, for example, the first name of the user is known and not the user name. To simplify finding users the user list can be filtered. Select one of the available filters from the Filter drop-down menu and enter a regular expression in the text field next to it. The user list updates as you type, showing only users whose selected field matches the regular expression.

Deleting users

Users can also be deleted by selecting them on the left and clicking the Delete button.

LDAP Group Management

The LDAP Group Management can be opened from the main menu Components → LDAP → Group Management.

Managing LDAP groups

It allows creating and removing groups, and it handles group membership for batches of users better than the LDAP User Management does. For this the window is split into three parts. On the left is a list of all LDAP groups. In the middle the details of the selected group are shown, including a list of members. On the right a list of users is shown.

[Screenshots: Sorting LDAP groups; Filtering LDAP groups; Removing LDAP groups]

The list of groups can be sorted by either the group ID or the group name in ascending or descending order by clicking on the column name. The list can be filtered by specifying a regular expression for the group name in the Filter text field at the bottom. Groups can also be removed in batches by selecting them in the list and clicking the Remove button.

[Screenshots: LDAP group details; 1. Add users to group; 2. Move users to group; 3. Change primary group; 4. Set primary group]

Selecting a group on the left will display the details for the selected group in the middle. At the top the group name and group ID are shown with the description of the group below it. At the bottom is a list of users that are members of the group. Users that have the group as their primary group are shown in bold. The context menu for the Members box allows modifying the membership of the selected users in 4 ways:

  1. The selected users can be added as members of another group.

  2. The selected users can be moved from this group to another group. This only works for users that don’t have the group as primary group.

  3. The primary group of the selected users can be changed to another group. This only works for users that have the group as primary group.

  4. The primary group of the selected users can be changed to this group. This only works for users that don’t have the group as primary group already.

[Screenshots: LDAP user list; LDAP user list filter; LDAP user drag and drop; Set primary group for LDAP user]

If a group is selected and its details are shown in the middle, the right side lists the users that are not members of the group. The list supports filtering just like the LDAP User Management, to make finding users simple. Selected users can be added to the group shown in the middle by dragging them into the Members box. This also works in reverse: selecting users in the Members box and dragging them into the All Users box removes them from the group, but only if the group is not their primary group.

[Screenshots: New LDAP group; Create LDAP group; Edit LDAP group; Delete LDAP group]

A new LDAP group can be created by clicking the New button. A new group name must then be entered. The Group ID can be changed from the suggested value, and a description for the group can be entered in the box below the name. The labels are color coded to show valid inputs: green for valid inputs, yellow for partial inputs and red when the group ID is already in use. If all inputs are valid the Create button turns green, and clicking it creates the new group.

The Group ID must be within the range set by Min and Max Group ID in the LDAP Config.

The description of the group can be edited by clicking in the box for the description. When the description is changed the Undo and Save buttons become active. Click the Save button to save the edited description.

The shown group can also be deleted by clicking the Delete button.

LDAP User Import

Import Users into LDAP

Qluman-qt allows importing users, passwords and groups from files in the standard Unix passwd, shadow and group file formats. To import users, passwords and groups open the LDAP Import Users window from the main menu: Components → LDAP → Import Users.

Selecting files for import

[Screenshots: Enter passwd location; Select passwd file; Importing a shadow file; Importing groups too]

First enter the path to a passwd file or click the Browse button and select one in the file dialog. The passwd file will then be loaded and shown in the Users box at the bottom.

If a file named shadow exists in the same directory as the passwd file, it is loaded automatically as well to supply the passwords for the imported users. Similarly, if a file named group exists in the same directory, it is loaded to supply groups and group membership for the import. For both, a different file name can be entered or a different file selected using the Browse buttons, or the file name can be left empty if passwords or groups are not wanted.

Importing passwords

[Screenshot: Importing password choices]

If no shadow file is specified then all users are created with a random password. If a shadow file is specified then one of 3 import options for the passwords can be selected:

  1. Reset old hashes

Only passwords stored in the shadow file with a strong hash are imported. Passwords in weak or legacy formats, such as MD5-based hashes or traditional crypt hashes, are ignored and a new random password is generated for those users when they are created.

  2. Reset missing

All password hashes in the shadow file are used regardless of how strong they are, but users without a password or with a disabled password get a new random password when they are created.

  3. Import verbatim

All entries in the shadow file are used verbatim: strong, weak, empty or disabled. Use this only when the source file is trusted, since weak hashes and empty or disabled entries are carried over unchanged.

Importing Groups

[Screenshots: Importing groups too; Importing unused groups]

If no groups file is specified then the primary group of all users is changed to the default group from the LDAP Config. If a group file is specified then the primary group of users, if it exists in the group file, is preserved. Membership of users in other groups is also imported.

When importing groups the Groups box appears at the bottom of the window, showing all the groups from the file. Not every entry will be imported, or imported unchanged. A ghosted row signals an entry that will not be imported because none of the users to be imported is a member. If such a group should be imported anyway, check the include unused groups checkbox. A green group name signals that the group already exists and will be used instead of creating a new group. The GID of a group might differ from the group file because either the group already exists or the GID is already in use; in either case the GID is shown in bold.

Accept existing users as members

By default existing users are ignored when importing. That also means that the memberships of existing users listed in the group file are ignored. Checking the Accept existing users as members checkbox updates the membership of existing users as well when a group file is imported.

User selection

[Screenshots: Existing users are red; Import selected users; Passwords for imported users]

After selecting a passwd file the Users box is populated with the entries from the file. Qluman-qt tries to preserve as much as possible from the passwd file, but that is not always possible. For example the UID of a user might already be in use; in that case a new UID is generated. Any field (Password, UID or GID) that is changed for the import is shown in bold. The home directory is always changed to the Homedir Prefix plus the user name. If a user already exists, the user is shown in red.

Users can now be selected for import using the customary multi-select, and clicking the Import selected button at the bottom imports the selected users (and groups if a group file is included). By default no users are selected, which is taken to mean all users; in that case the button reads Import all and imports all users from the table (and groups if a group file is included).

After importing the users the passwords for users listed as <random> will be reset to a random password and a table listing the password for each user is shown.

Because of the interface to LDAP, creating users and resetting passwords is done one user at a time and may take a while when many users are imported. You can watch the users become ghosted in the Users box as they are created.
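The rules from the Importing Groups and User selection sections above can be checked against a small model before running a real import. The Python below is an added example, not qluman-qt's own code: the Directory class is a constructed stand-in for the LDAP contents and the LDAP Config values, the passwd and group lines are constructed, and replacement IDs are simply the first free ID (the real tool uses its Next User/Group ID counters). It computes which users are skipped because they exist (red), which UIDs and GIDs are changed (bold), which groups are reused (green) and which group rows are ghosted.

```python
"""Model of the import plan shown in the Users and Groups boxes.

Added example, not qluman-qt's own code. Rules applied: existing users are
skipped (red); a UID or GID already in use gets a new one (bold); an existing
group is reused (green); groups with no imported member are ghosted unless
include_unused is set; the home directory is always rebuilt from the Homedir
Prefix; without a group file every user gets the Default Group. Replacement
IDs are the first free ID here (the real tool uses its Next ID counters);
directory contents and passwd/group lines are constructed for the example.
"""
from dataclasses import dataclass

RESERVED = range(65000, 65536)

PASSWD = """\
alice:x:1500:1500:Alice:/export/old/alice:/bin/bash
bob:x:1000:100:Bob:/export/old/bob:/bin/bash
carol:x:1501:2500:Carol:/export/old/carol:/bin/zsh
"""
GROUP = """\
alice:x:1500:
research:x:2500:alice,bob,carol
legacy:x:2600:
admins:x:1700:bob
"""


@dataclass
class Directory:
    """Stand-in for the LDAP contents plus the relevant LDAP Config values."""
    users: dict                        # user name -> uidNumber
    groups: dict                       # group name -> gidNumber
    default_group: str = "users"
    homedir_prefix: str = "/home/"
    min_id: int = 1000
    max_id: int = 64999


def parse(text):
    """passwd/group style lines -> field lists, skipping blanks and comments."""
    return [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]


def first_free(used, lo, hi):
    """Smallest unused ID in lo..hi outside the reserved block (None if exhausted)."""
    return next((i for i in range(lo, hi + 1) if i not in used and i not in RESERVED), None)


def plan_import(d, passwd_text, group_text=None, include_unused=False,
                accept_existing_members=False):
    """Return (users, groups): what the import would create and with which IDs."""
    users, groups = {}, {}
    used_uids, used_gids = set(d.users.values()), set(d.groups.values())
    file_groups = {g[0]: g for g in parse(group_text)} if group_text else {}
    name_by_gid = {int(g[2]): g[0] for g in file_groups.values()}

    for name, _, uid, gid, _gecos, _home, shell in parse(passwd_text):
        if name in d.users:
            users[name] = {"exists": True}               # red row, not imported
            continue
        uid, gid, changed = int(uid), int(gid), set()
        if uid in used_uids:                             # UID collision
            uid, changed = first_free(used_uids, d.min_id, d.max_id), {"uid"}
        used_uids.add(uid)
        users[name] = {"exists": False, "uid": uid, "orig_gid": gid, "shell": shell,
                       "primary": name_by_gid.get(gid, d.default_group),
                       "home": d.homedir_prefix + name, "changed": changed}

    importing = {n for n, u in users.items() if not u["exists"]}
    for gname, (_, _, gid, member_field) in file_groups.items():
        members = {m for m in member_field.split(",")
                   if m in importing or (accept_existing_members and m in d.users)}
        primaries = {n for n in importing if users[n]["primary"] == gname}
        if not (members or primaries) and not include_unused:
            groups[gname] = {"skip": True}               # ghosted row
            continue
        entry = {"skip": False, "members": members, "changed": set()}
        if gname in d.groups:                            # green: reuse existing group
            entry["existing"], entry["gid"] = True, d.groups[gname]
        else:
            new_gid = int(gid)
            if new_gid in used_gids:                     # GID collision
                new_gid = first_free(used_gids, d.min_id, d.max_id)
            used_gids.add(new_gid)
            entry["existing"], entry["gid"] = False, new_gid
        if entry["gid"] != int(gid):
            entry["changed"].add("gid")                  # shown in bold
        groups[gname] = entry

    for n in importing:                                  # final gidNumber per user
        u = users[n]
        g = groups.get(u["primary"])
        u["gid"] = g["gid"] if g else d.groups.get(u["primary"])
        if u["gid"] != u.pop("orig_gid"):
            u["changed"].add("gid")
    return users, groups
```

With the constructed data, bob already exists in the directory and is skipped, research already exists with a different GID and is reused, admins is ghosted because its only member is an existing user (unless Accept existing users as members is set), and legacy is ghosted because nobody is a member (unless include unused groups is set).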