Employee Set-Up Tasks
NOTE: "newuser" below should be replaced with the new employee's first initial followed by last name, e.g. John Doe = jdoe. "template-employee" should be replaced with the uid of an existing user performing the same or a similar role.
LDAP Account Creation
Connect to OpenVPN
ssh to tabla (ssh tabla.rb.symas.net)
Obtain next available uid/gid (the highest number listed plus one; the same number is used for both uidNumber and gidNumber). Sort numerically: a plain sort compares as text and puts 999 after 1002, giving the wrong "next" number.
ldapsearch -LLL '(uidNumber=*)' uidNumber | grep '^uidNumber' | sort -t: -k2 -n | tail -1
Use existing user as template
sudo ldapsearch -LLL '(uid=template-employee)' > newuser.ldif
Update newuser.ldif with the new user's details
vi newuser.ldif
- uid: newuser (in the dn and in every attribute that carries the template's uid)
- Change the name attributes (cn, sn, givenName) to the new employee's name
- Remove all PWM attributes
- Generate a new password with pwgen (requires a second terminal window) and replace the template's userPassword
- Replace uidNumber/gidNumber with the next available number obtained above
Set up the user's group using an existing user's group as a template (appended to the same file)
ldapsearch -LLL '(&(objectClass=posixGroup)(cn=template-employee))' >> newuser.ldif
Update the group entry appended to newuser.ldif
- gidNumber: the next available number obtained above (must match the gidNumber used in the user entry; the gid is stored in both entries, which is redundant but necessary for LDAP to function)
- cn / dn: newuser
- other user-specific details (e.g. memberUid)
9. Add entry to LDAP
sudo ldapadd -f newuser.ldif
10. Add user to necessary groups using employee in same/similar role as template
ldapsearch -LLL '(member=uid=template-employee,ou=People,dc=symas,dc=com)' dn > newuser_groups.ldif
11. Edit the file so that each dn becomes a modify record adding newuser to that group
After each dn line add the following (records are separated by a blank line):
changetype: modify
add: member
member: uid=newuser,ou=People,dc=symas,dc=com
For example, the ldapaccounts group record becomes:
dn: cn=ldapaccounts,ou=groups,dc=symas,dc=com
changetype: modify
add: member
member: uid=newuser,ou=People,dc=symas,dc=com
12. Update groups
sudo ldapmodify -f newuser_groups.ldif
Verify changes with the following command:
ldapsearch -LLL '(member=uid=newuser,ou=People,dc=symas,dc=com)' dn
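The steps above are hand edits of ldapsearch output, which is where the mistakes happen (a text sort picking the wrong next uid, a PWM attribute or the template's password hash left in the file, a group record missing its changetype). The following script is an added example, not part of this runbook: it performs the same transformations offline on constructed ldapsearch output embedded in the script, so each file can be checked before it is fed to ldapadd/ldapmodify. The template entry's attribute names, the sample entries and the use of slappasswd for the password hash are assumptions, not taken from the runbook. It goes a little beyond the text in that next_id handles uidNumber and gidNumber in one pass and make_user_ldif rewrites the user entry and the appended posixGroup entry together.

```shell
#!/bin/sh
# Added example for the LDAP account-creation steps; not part of the Symas runbook.
# Runs offline on the constructed samples below. In production, pipe real
# ldapsearch output into the functions and redirect to newuser.ldif / newuser_groups.ldif.

# Constructed sample: output of `ldapsearch -LLL '(uidNumber=*)' uidNumber`.
# 999 sorts after 1002 as text, which is why a plain `sort` picks the wrong next id.
SAMPLE_UIDS='dn: uid=alice,ou=People,dc=symas,dc=com
uidNumber: 1001

dn: uid=bob,ou=People,dc=symas,dc=com
uidNumber: 999

dn: uid=carol,ou=People,dc=symas,dc=com
uidNumber: 1002
'

# next_id: print the highest uidNumber/gidNumber on stdin plus one (numeric comparison).
# Also works on: ldapsearch -LLL '(|(uidNumber=*)(gidNumber=*))' uidNumber gidNumber
next_id() {
    awk -F': ' '/^(uid|gid)Number:/ { if ($2 + 0 > max) max = $2 + 0 } END { print max + 1 }'
}

# Constructed sample (assumed attribute set): the template user entry as dumped by
# `ldapsearch -LLL '(uid=template-employee)'`, followed by the template's posixGroup
# entry as appended by the posixGroup search. Includes PWM attributes that must be dropped.
TEMPLATE_LDIF='dn: uid=template-employee,ou=People,dc=symas,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: template-employee
cn: Template Employee
sn: Employee
givenName: Template
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/template-employee
loginShell: /bin/bash
userPassword:: e1NTSEF9b2xkaGFzaA==
pwmEventLog:: AAAA
pwmResponseSet:: BBBB

dn: cn=template-employee,ou=groups,dc=symas,dc=com
objectClass: posixGroup
cn: template-employee
gidNumber: 1002
memberUid: template-employee
'

# make_user_ldif NEWUID ID GIVENNAME SURNAME PASSWORDHASH
# Rewrites the template (user entry plus group entry) on stdin: replaces every occurrence
# of the template uid (dn, uid, homeDirectory, group cn, memberUid), sets uidNumber and
# gidNumber to ID, sets the person's name inside the user entry only (the sed range
# from "dn: uid=" to the blank line), swaps the copied password hash for a fresh one,
# and deletes all pwm* attributes.
make_user_ldif() {
    [ $# -eq 5 ] || { echo "usage: make_user_ldif uid id givenname surname passwordhash" >&2; return 1; }
    sed -e "s/template-employee/$1/g" \
        -e "s/^uidNumber: .*/uidNumber: $2/" \
        -e "s/^gidNumber: .*/gidNumber: $2/" \
        -e "/^dn: uid=/,/^\$/ s/^cn: .*/cn: $3 $4/" \
        -e "s/^givenName: .*/givenName: $3/" \
        -e "s/^sn: .*/sn: $4/" \
        -e "s|^userPassword:.*|userPassword: $5|" \
        -e '/^pwm/d'
}

# Constructed sample: output of
# `ldapsearch -LLL '(member=uid=template-employee,ou=People,dc=symas,dc=com)' dn`
SAMPLE_GROUPS='dn: cn=developers,ou=groups,dc=symas,dc=com

dn: cn=ldapaccounts,ou=groups,dc=symas,dc=com
'

# make_group_ldif NEWUID: turn each dn on stdin into a modify record that adds the new
# user as a member. The blank line after each record is what separates them for ldapmodify.
make_group_ldif() {
    awk -v member="uid=$1,ou=People,dc=symas,dc=com" '
        /^dn: / { print; print "changetype: modify"; print "add: member"; print "member: " member; print "" }'
}

# Demo run on the constructed samples.
NEXT=$(printf '%s' "$SAMPLE_UIDS" | next_id)
# Real use (assumed tooling): HASH=$(slappasswd -s "$(pwgen -s 16 1)"). Placeholder here.
HASH='{SSHA}placeholder-hash'
printf '%s' "$TEMPLATE_LDIF" | make_user_ldif jdoe "$NEXT" John Doe "$HASH"
printf '%s' "$SAMPLE_GROUPS" | make_group_ldif jdoe
```

Redirect the two outputs to newuser.ldif and newuser_groups.ldif and review them before running ldapadd and ldapmodify; the script never contacts the directory itself. Passing a hash rather than a cleartext userPassword matters because ldapadd stores the attribute exactly as given, unlike the password-modify operation used by ldappasswd.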
Connect to OpenVPN and ssh to zill
Verify newuser is recognized by zill (the entry should come back from LDAP):
getent passwd newuser
Create home directory for newuser
- Create the directory and copy the skeleton files into it (copying /etc/skel/. picks up the dotfiles)
sudo mkdir -p /home/newuser
sudo cp -a /etc/skel/. /home/newuser/
- Update ownership of the home directory and keep it private (mail sits in the user's home directory)
sudo chown -R newuser:newuser /home/newuser
sudo chmod 700 /home/newuser
NOTE: The Jabber account is created automatically when the LDAP account is created. To see how this is configured in ejabberd, do the following:
- Connect to OpenVPN
- ssh crwth.ext.symas.net
- sudo -s
- cd /etc/ejabberd
- less ejabberd.cfg
LDAP Password Reset
1. SSH into tabla
2. Run the following command (-S prompts for the new password; the dn is the user's entry under ou=People):
sudo ldappasswd -S uid=newuser,ou=People,dc=symas,dc=com
Follow the instructions in the following links:
- OpenVPN Provisioning
- OpenVPN Client Setup on Mac
- OpenVPN Client Setup on Ubuntu/Debian
Send the following to the new employee:
Welcome on board! I have set up an account on our company LDAP server, Tabla. (Most physical machines have names of stringed instruments, and VMs have names of percussion.) This account should grant access to most services and machines. Changing your password for LDAP can be done either through LDAP or via the web service at https://symas.com/pwm/ .
Please change this immediately. These will be your main credentials for most services, including SSH to most servers.
Email access is via IMAPS/SSMTP:
IMAP server: imap.symas.net, port 993, Require SSL
SMTP server: smtp.symas.net, port 465, Require SSL
NOTE that this is symas.net, not symas.com
Account name: mnorman
Password: your normal LDAP password
Name and address to use in messages: Maryanne Norman <email@example.com>
Jabber (aka XMPP):
Username: LDAP UID
Password: same as LDAP
Port: 5222 (regular XMPP, but then select Require Encryption. This should do TLS over 5222)
VPN:
For Mac -
- Install the Shimo OpenVPN client from http://www.macupdate.com/app/mac/22929/shimo
- Copy the attached ca.crt, client.crt, client.key, and crwth.ovpn files to a location of your choice on the machine
- Start the Shimo app
- Import the crwth.ovpn by accessing the Preferences>Profile section, clicking on the "+" and then selecting "Import from: OpenVPN Config" and pointing to the crwth.ovpn file
- After adding the config, you should be able to click the 'connect' button in the Shimo app and be connected to the Symas VPN. Once that's done, you should be set.
For Windows -
- Download the OpenVPN client from https://openvpn.net/index.php/open-source/downloads.html and run the installer
- Copy the attached ca.crt, client.crt, client.key and crwth.ovpn into the OpenVPN config folder under C:\Program Files\ for 64-bit installs, or under C:\Program Files (x86)\ for 32-bit installs
- Launch the OpenVPN client and when asked, point it to the crwth.ovpn file. The rest of the sign-in process should be automatic.
Please let me or Greg Noe (firstname.lastname@example.org) know if you have any trouble connecting.
For SSH connectivity and tunneling: Use zill or crwth.ext.symas.net with your normal LDAP credentials. From either of those you can reach the rb machines.
You can also reach our virtual machines by accessing the vsphere web portal: https://tapan.rb.symas.net:9443/vsphere-client/ or by RDP connected to tapan.rb.symas.net (requires VPN connection be established first).
Username: mnorman
Password: P@ssw0rd
We do not have a full-time internal-IT person at the moment, but I can try to help with most things. Feel free to call me as needed at 650-963-7678. I am in central time and generally at my desk around 8 AM.