Manage users in OpenLDAP

DriveTrain uses OpenLDAP to provide authentication and metadata for MCP users. This section describes how to create a new user entry in the OpenLDAP service through the Reclass cluster metadata model and grant the user permissions to access Gerrit and Jenkins.

To add a user to an OpenLDAP server:

  1. Log in to the Salt Master node.

  2. Check out the latest version of the Reclass cluster metadata model from the Git repository for your project.

  3. Create a new directory called people in classes/cluster/<CLUSTER_NAME>/cicd/:

    mkdir classes/cluster/<CLUSTER_NAME>/cicd/people
    

    New user definitions will be added to this directory.

  4. Create a new YAML file in the people directory for a new user. For example, joey.yml:

    touch classes/cluster/<CLUSTER_NAME>/cicd/people/joey.yml
    
  5. In the newly created file, add the user definition. For example:

    parameters:
      _param:
        openldap_pw_joey: "<ENCRYPTED_PASSWORD>"
      openldap:
        client:
          entry:
            people:
              entry:
                joey:
                  attr:
                    uid: joey
                    userPassword: ${_param:openldap_pw_joey}
                    uidNumber: 20600
                    gidNumber: 20001
                    gecos: "Joey Tribbiani"
                    givenName: Joey
                    sn: Tribbiani
                    homeDirectory: /home/joey
                    loginShell: /bin/bash
                    mail: joey@domain.tld
                  classes:
                    - posixAccount
                    - inetOrgPerson
                    - top
                    - shadowAccount
    

    Parameter descriptions:

    • openldap_pw_joey

      The encrypted password for the joey user, which you can generate with the following example command:

      echo "{CRYPT}$(mkpasswd --rounds 500000 -m sha-512 \
        --salt "$(head -c 40 /dev/random | base64 | sed -e 's/+/./g' \
        | cut -b 10-25)" 'r00tme')"
      

      Substitute r00tme with the password chosen for the user; the command prints the encrypted value to use as the openldap_pw_joey parameter.

    • uid

      The case-sensitive user ID to be used as a login ID for Gerrit, Jenkins, and other integrated services.

    • userPassword: ${_param:openldap_pw_joey}

      The password for the joey user, referencing the openldap_pw_joey value defined in the _param section.

    • gidNumber

      An integer uniquely identifying, within an administrative domain, the group the user belongs to.

    • uidNumber

      An integer uniquely identifying a user in an administrative domain.

  6. Add the new user definition from joey.yml as a class in classes/cluster/<CLUSTER_NAME>/cicd/control/leader.yml:

    classes:
      ...
      - cluster.<CLUSTER_NAME>.cicd.control
      - cluster.<CLUSTER_NAME>.cicd.people.joey
    

    By defining the cluster-level parameters of the joey user and including them in the classes section of classes/cluster/<CLUSTER_NAME>/cicd/control/leader.yml, you import the user data into the cid01 node inventory, although the parameters are not rendered yet.

  7. Commit the change.

  8. Update the copy of the model on the Salt Master node:

    sudo git -C /srv/salt/reclass pull
    
  9. Synchronize all Salt resources:

    sudo salt '*' saltutil.sync_all
    
  10. Apply the changes:

    sudo salt 'cid01*' state.apply openldap
    

    Example output for a successfully created user:

            ID: openldap_client_cn=joey,ou=people,dc=deploy-name,dc=local
      Function: ldap.managed
        Result: True
       Comment: Successfully updated LDAP entries
       Started: 18:12:29.788665
      Duration: 58.193 ms
       Changes:
                ----------
                cn=joey,ou=people,dc=deploy-name,dc=local:
                    ----------
                    new:
                        ----------
                        cn:
                            - joey
                        gecos:
                            - Joey Tribbiani
                        gidNumber:
                            - 20001
                        givenName:
                            - Joey
                        homeDirectory:
                            - /home/joey
                        loginShell:
                            - /bin/bash
                        mail:
                            - joey@domain.tld
                        objectClass:
                            - inetOrgPerson
                            - posixAccount
                            - shadowAccount
                            - top
                        sn:
                            - Tribbiani
                        uid:
                            - joey
                        uidNumber:
                            - 20060
                        userPassword:
                            - {CRYPT}$6$rounds=500000$KaJBYb3F8hYMv.UEHvc0...
                    old:
                        None
    
    Summary for cid01.domain.tld
    ------------
    Succeeded: 7 (changed=1)
    Failed:    0
    ------------
    Total states run:     7
    Total run time: 523.672 ms
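A preflight check for the user class written in steps 5 and 6, meant to run before the commit in step 7: it resolves the ${_param:...} reference, verifies that userPassword is a {CRYPT} SHA-512 hash of the shape the mkpasswd command above produces rather than a plaintext value, and checks that the entry key matches uid (the key becomes cn=<key>, as the state output shows) and that uidNumber is unique across entries. This is an added example, not part of the MCP documentation or the salt-formula-openldap project; it mirrors joey.yml as a Python dict (FAKE_HASH is a constructed placeholder), and with PyYAML installed you would pass yaml.safe_load() of the real file instead.

```python
import re

# Hash shape from the page's mkpasswd command: {CRYPT}$6$rounds=N$salt$digest (salt 1-16 chars, digest 86 chars)
CRYPT_RE = re.compile(r"^\{CRYPT\}\$6\$rounds=(\d+)\$([./0-9A-Za-z]{1,16})\$[./0-9A-Za-z]{86}$")
PARAM_RE = re.compile(r"^\$\{_param:([^}]+)\}$")  # Reclass ${_param:name} reference
MIN_ROUNDS = 500000                                # the round count the page's command uses
# posixAccount MUST attributes (cn comes from the entry key), sn for inetOrgPerson, userPassword for logins
REQUIRED_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory", "sn", "userPassword"}
REQUIRED_CLASSES = {"top", "posixAccount", "inetOrgPerson", "shadowAccount"}


def resolve(value, params):
    """Expand a ${_param:name} reference against parameters._param; other values pass through."""
    m = PARAM_RE.match(str(value))
    return params["_param"][m.group(1)] if m else value


def check_people(params):
    """Return the problems found under parameters.openldap.client.entry.people.entry ([] if clean)."""
    problems, uid_numbers = [], {}
    for cn, entry in params["openldap"]["client"]["entry"]["people"]["entry"].items():
        attr = entry.get("attr", {})
        for what, need, have in (("attributes", REQUIRED_ATTRS, set(attr)),
                                 ("objectClass values", REQUIRED_CLASSES, set(entry.get("classes", [])))):
            if need - have:
                problems.append(f"{cn}: missing {what} {sorted(need - have)}")
        if attr.get("uid") != cn:  # the entry key becomes cn=<key>; keep it equal to uid
            problems.append(f"{cn}: entry key differs from uid {attr.get('uid')!r}")
        m = CRYPT_RE.match(str(resolve(attr.get("userPassword", ""), params)))
        if not m:  # catches plaintext, unresolved references and non-SHA-512 schemes
            problems.append(f"{cn}: userPassword is not a {{CRYPT}}$6$rounds=... hash")
        elif int(m.group(1)) < MIN_ROUNDS:
            problems.append(f"{cn}: only {m.group(1)} rounds, expected at least {MIN_ROUNDS}")
        n = attr.get("uidNumber")
        if n in uid_numbers:
            problems.append(f"{cn}: uidNumber {n} already used by {uid_numbers[n]}")
        uid_numbers[n] = cn
    return problems


# Constructed placeholder with the right shape (16-char salt, 86-char digest); not a real hash.
FAKE_HASH = "{CRYPT}$6$rounds=500000$constructedSalt1$" + ("Ab1." * 22)[:86]


def joey_params(key="joey", password=FAKE_HASH):
    """Python mirror of the page's joey.yml; yaml.safe_load() of the real file yields this shape."""
    attr = {"uid": "joey", "userPassword": "${_param:openldap_pw_joey}", "uidNumber": 20600,
            "gidNumber": 20001, "gecos": "Joey Tribbiani", "givenName": "Joey", "sn": "Tribbiani",
            "homeDirectory": "/home/joey", "loginShell": "/bin/bash", "mail": "joey@domain.tld"}
    people = {key: {"attr": attr, "classes": ["posixAccount", "inetOrgPerson", "top", "shadowAccount"]}}
    return {"_param": {"openldap_pw_joey": password},
            "openldap": {"client": {"entry": {"people": {"entry": people}}}}}
```

Running check_people() over a whole people directory (one loaded file per entry, merged into one dict) also catches uidNumber collisions between users before the state is applied.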