Symas OpenLDAP Knowledge Base

Employee Set-Up Tasks

NOTE: "username" (and "newuser" in the commands below) should be changed to the new employee's first initial plus last name, e.g. John Doe = jdoe.

NOTE: "template-employee" should be changed to the UID of an existing user performing the same or a similar role.

LDAP Account Creation

  1. Connect to OpenVPN

  2. ssh to tabla (ssh tabla.rb.symas.net)

  3. Enter password

  4. Obtain next available uid/gid (one more than the highest uidNumber currently in use; sort numerically, since a plain sort puts 999 after 1000)

     ldapsearch -LLL '(uidNumber=*)' uidNumber | grep '^uidNumber:' | sort -k2 -n | tail -1 
  5. Use existing user as template

          sudo ldapsearch -LLL '(uid=template-employee)' > newuser.ldif

  6. Update newuser.ldif with the correct information

     vi newuser.ldif 
     # Change the dn and uid to newuser 
     # Change the name (cn, sn, etc.) 
     # Remove all PWM attributes 
     # Replace userPassword with a new password generated by pwgen (requires a second terminal window) 
     # Replace uidNumber/gidNumber with the next available number from step 4 
  7. Set group using an existing user as a template

     ldapsearch -LLL '(&(objectClass=posixGroup)(cn=template-employee))' >> newuser.ldif 
  8. Update newuser.ldif with the correct group information

     vi newuser.ldif 
     # Change the group dn and cn to newuser 
     # Replace gidNumber with the next available number from step 4 (must match the number used in step 6) 
     #   (the per-user gid is redundant but necessary for LDAP to function) 
     # Fix any other user-specific details 

9. Add entry to LDAP

    sudo ldapadd -f newuser.ldif 

10. Add user to necessary groups using employee in same/similar role as template

    ldapsearch -LLL '(member=uid=template-employee,ou=People,dc=symas,dc=com)' dn > newuser_groups.ldif 

11. Edit file to add newuser to needed groups

After each dn line add the following:

    changetype: modify 
    add: member 
    member: uid=newuser,ou=People,dc=symas,dc=com 

Example:

    dn: cn=ldapaccounts,ou=groups,dc=symas,dc=com 
    changetype: modify 
    add: member 
    member: uid=newuser,ou=People,dc=symas,dc=com 

Save file

12. Update groups

    sudo ldapmodify -f newuser_groups.ldif 

Verify changes with the following command:

    ldapsearch -LLL '(member=uid=newuser,ou=People,dc=symas,dc=com)' dn 
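The account-creation steps above (4 through 12) collected into shell functions. This is an added example, not a script from the Symas KB. The three text-processing functions only read ldapsearch output on stdin, so they can be checked against sample output before anything is written to the directory; `create_user` at the bottom is the only part that runs ldap* commands, and it assumes the same local ldapsearch/ldapadd/ldapmodify defaults as on tabla. Two further assumptions: PWM's schema prefixes all its attributes with "pwm", and the generated password is hashed with slappasswd before it goes into the LDIF (the KB's step 6 leaves the userPassword handling to whoever edits the file; the template user's own hash is dropped rather than copied).

```shell
#!/bin/sh
# Added example: the LDAP account-creation steps as shell functions.
# The text-processing functions read ldapsearch output on stdin and write
# LDIF on stdout; create_user is the only function that touches the directory.

# Step 4: print the next free uidNumber from
# "ldapsearch -LLL '(uidNumber=*)' uidNumber" output. Compared numerically
# (a lexical sort puts 999 after 1000) and never below FLOOR (default 1000),
# so a directory with no posix accounts still gets a sane number.
next_uidnumber() {
    awk -F': ' -v floor="${1:-1000}" '
        BEGIN { max = floor - 1 }
        $1 == "uidNumber" && $2 + 0 > max { max = $2 + 0 }
        END { print max + 1 }'
}

# Steps 5-8: rewrite the template user's entry (and its posixGroup entry, if
# appended) for the new user. Arguments: OLD NEW NUMBER PASSWORD_HASH.
# - uid=OLD / cn=OLD in dns, and uid:, cn:, memberUid:, homeDirectory:,
#   mail: values naming OLD, are renamed to NEW (name attributes such as
#   sn/givenName still need editing by hand)
# - uidNumber and gidNumber both become NUMBER (the KB uses one value for both)
# - pwm* attributes (assumption: PWM's schema prefixes them "pwm") and the
#   template's userPassword are dropped; copying the hash would give the new
#   hire the template user's password
# - a fresh userPassword is inserted after the uid: line
# OLD and NEW are used inside regexes, so they must be plain account names.
rewrite_template_ldif() {
    awk -v old="$1" -v new="$2" -v num="$3" -v hash="$4" '
        /^pwm/           { next }
        /^userPassword:/ { next }
        /^uidNumber:/    { print "uidNumber: " num; next }
        /^gidNumber:/    { print "gidNumber: " num; next }
        {
            gsub("uid=" old ",", "uid=" new ",")
            gsub("cn=" old ",",  "cn=" new ",")
            sub("^uid: " old "$",                 "uid: " new)
            sub("^cn: " old "$",                  "cn: " new)
            sub("^memberUid: " old "$",           "memberUid: " new)
            sub("^homeDirectory: /home/" old "$", "homeDirectory: /home/" new)
            sub("^mail: " old "@",                "mail: " new "@")
            print
        }
        /^uid: / && $2 == new { print "userPassword: " hash }'
}

# Steps 10-11: turn the dn lines of "ldapsearch -LLL '(member=<template dn>)' dn"
# into an ldapmodify LDIF that adds NEWDN to each of those groups.
group_mods() {
    awk -v dn="$1" '
        /^dn: / { print; print "changetype: modify"
                  print "add: member"; print "member: " dn; print "" }'
}

# Steps 4-12 end to end (run on tabla; not exercised by the offline checks).
# Usage: create_user template-employee jdoe
create_user() {
    tmpl=$1; new=$2
    base="ou=People,dc=symas,dc=com"
    num=$(ldapsearch -LLL '(uidNumber=*)' uidNumber | next_uidnumber)
    pw=$(pwgen -s 16 1)
    hash=$(slappasswd -s "$pw")            # store a hash, not the cleartext
    {
        sudo ldapsearch -LLL "(uid=$tmpl)"
        ldapsearch -LLL "(&(objectClass=posixGroup)(cn=$tmpl))"
    } | rewrite_template_ldif "$tmpl" "$new" "$num" "$hash" > "$new.ldif"
    printf 'review %s (cn, sn, mail, ...), then press Enter to add it\n' "$new.ldif"
    read -r _
    sudo ldapadd -f "$new.ldif"
    ldapsearch -LLL "(member=uid=$tmpl,$base)" dn \
        | group_mods "uid=$new,$base" > "$new-groups.ldif"
    sudo ldapmodify -f "$new-groups.ldif"
    ldapsearch -LLL "(member=uid=$new,$base)" dn    # verify (step 12)
    printf 'temporary password for %s: %s\n' "$new" "$pw"
}
```

The pause before ldapadd is deliberate: the awk rewrite handles the mechanical renames, but the name and mail attributes still need a human check, exactly as the vi steps in the KB do.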

Email Setup

  1. Connect to OpenVPN

  2. ssh zill.rb.symas.net

  3. Enter password

  4. Verify newuser is recognized by Zill

     getent passwd newuser 
  5. Create home directory for newuser

        sudo mkdir /home/newuser

  6. Copy skeleton files to new home directory (the trailing "/." copies the dotfiles too; a pattern such as .?? only matches three-character names)

        sudo cp -a /etc/skel/. /home/newuser

  7. Update ownership of home directory

        sudo chown -R newuser:newuser /home/newuser   # (mail sits in the user's home directory)

Jabber Setup

NOTE: The Jabber account is created automatically when the LDAP account is created. To see how the process works, do the following:

  1. Connect to OpenVPN

  2. ssh crwth.ext.symas.net

  3. sudo -s

  4. cd /etc/ejabberd

  5. less ejabberd.cfg

LDAP Password Reset

  1. SSH into tabla

  2. Run the following command

         sudo ldappasswd -S uid=username,ou=people,dc=symas,dc=com

  3. Enter password for sudo

  4. Enter and confirm the new temporary password for the user

OpenVPN Setup

Follow the instructions in the following links:

  • OpenVPN Provisioning
  • OpenVPN Client Setup on Mac
  • OpenVPN Client Setup on Ubuntu/Debian

Notification Email

Send the following to the new employee:

=========================================================

Hello ,

Welcome on board! I have set up an account on our company LDAP server, Tabla. (Most physical machines have names of stringed instruments, and VMs have names of percussion.) This account should grant access to most services and machines. Changing your password for LDAP can be done either through LDAP or via the web service at https://symas.com/pwm/ .

    Username: newuser
    Password: temporary_password

Please change this immediately. These will be your main credentials for most services, including SSH to most servers.

Email access is via IMAPS/SSMTP:

    IMAP server: imap.symas.net, port 993, Require SSL
    SMTP server: smtp.symas.net, port 465, Require SSL

NOTE that this is symas.net, not symas.com

    Account name: mnorman
    Password: your normal LDAP password
    Account name to use in messages: Maryanne Norman

Jabber (aka XMPP):
    Domain: symas.com
    Username: LDAP UID
    Password: same as LDAP
    Port: 5222 (regular XMPP, then select Require Encryption; this does TLS over 5222)

OpenVPN:

For Mac -

  1. Install the Shimo OpenVPN client from http://www.macupdate.com/app/mac/22929/shimo
  2. Copy the attached ca.crt, client.crt, client.key, and crwth.ovpn files to a location of your choice on the machine
  3. Start the Shimo app
  4. Import crwth.ovpn via Preferences > Profile: click "+", select "Import from: OpenVPN Config" and point it at the crwth.ovpn file.
  5. After adding the config, click the "connect" button in the Shimo app and you should be connected to the Symas VPN. Once that's done, you should be set.

For Windows -

  1. Download the OpenVPN client from https://openvpn.net/index.php/open-source/downloads.html and run the installer
  2. Copy the attached ca.crt, client.crt, client.key and crwth.ovpn to the OpenVPN client's config folder under C:\Program Files for 64-bit installs, or C:\Program Files (x86) for 32-bit installs
  3. Launch the OpenVPN client and when asked, point it to the crwth.ovpn file. The rest of the sign-in process should be automatic.

Please let me or Greg Noe (gnoe@symas.com) know if you have any trouble connecting.

For SSH connectivity and tunneling: Use zill or crwth.ext.symas.net with your normal LDAP credentials. From either of those you can reach the rb machines.

You can also reach our virtual machines by accessing the vsphere web portal: https://tapan.rb.symas.net:9443/vsphere-client/ or by RDP connected to tapan.rb.symas.net (requires VPN connection be established first).

    Username: mnorman
    Password: P@ssw0rd

We do not have a full-time internal-IT person at the moment, but I can try to help with most things. Feel free to call me as needed at 650-963-7678. I am in central time and generally at my desk around 8 AM.

Warmest regards,

=========================================================