Sysadmin:User Management
For user management we use LDAP on the host auth dot cs dot earlham dot edu
(canonical name ldapvm). All user changes should be made on the LDAP server unless otherwise stated.
Common commands
Run these commands from /root/ldap.
add_and_makehome.py: This script adds a new user in LDAP, sets a new random password, emails it to the user, and makes the home directory (including files such as .bashrc, .bash_profile and .profile) for each user in a list. To use it, first create a file and populate it with one line per new user in the following format: <first name>:<last name>:<username>:<email addr>:<login shell> . For example, one line in this file could be: John:Smith:jsmith15:jsmith15@earlham.edu:/bin/bash . You can provide as many lines as you have users to add. After populating the file, run the command:
python3 add_and_makehome.py <provide path to file>
add-user-to-group.py: This script adds existing user(s) to a specific group.
Usage: python add-user-to-group.py -g <cn of the group> -u <uids of the users>. To use the script, run the following command:
python3 add-user-to-group.py -g groupname -u username
ldapsearch.py: This is just a wrapper around the command ldapsearch. To use the script, run the following command:
python3 ldapsearch.py -b <base of DN> -a <attribute=attribute value pair>
In the above command, -b should be either "people" or "group", depending on which type of entry you are looking for, and -a should be an attribute=value pair.
ldapdelete.py: This script is used to delete a user. To use the script run the following command:
python3 ldapdelete.py --uid testusername # see below for some additional necessary cleanup instructions
change-pass.py: This script resets a user's password to a randomly generated one and emails it to the user. If you want to change the password to something specific, use change-attribute.py instead. To use the script, run the following command:
python3 change-pass.py -u username
E.g. suppose James forgot his password; you would then reset the password for his user with the command: python3 change-pass.py -u jsmith15
change-username.py: Changing the username (a.k.a. uid) is not handled by change-attribute.py. The uid is part of the DN (see the definition above), and changing a DN requires a different ldif. So this script changes the uid and the DN, updates homeDirectory, and moves the old home directory to the new name. To use the script, run the following command:
python3 change-username.py -u <old uid> -v <new value of uid>
change-attribute.py: This script gives you an ability to change any attribute in the user entry. To use the script use the following command:
python3 change-attribute.py -u username -a attribute_to_change -v value_for_the_attribute
Some of the possible valid attributes include: password, loginShell, mail, cn, sn
Additional details
Creating a user
There's a python script for the ldap server that is used for adding a user, at auth:/root/ldap/add_and_makehome.py.
The python script takes as input a file with a list of users, specifying full name, email address, username and login shell. The login shell option is there in case you want to add users that do not need to log in. The script does an ldapsearch for the last uidNumber used and adds one to it as the starting uidNumber for this batch. It accepts a list of users, one user per line. After adding each user, they are sent an email with their username and password.
The users.list file should follow this pattern:
<first name>:<last name>:<username>:<email addr>:<login shell>
Here's an example of a user.list:
John:Smith:josmith:josmith@email.test:/bin/bash
Jane:Smith:jasmith:jasmith@email.test:/bin/bash
To run the file: python3 add_and_makehome.py users.list
where users.list is the list of users you want to add. There should be some output on the screen once you run it, and it will be clear whether or not it was successful. Once you have added the users, test each new account with su - <username>.
Some Notes:
- We almost always put our "user.list" files in the /root/ldap/userlists/ directory on the LDAP server. There are good examples there.
- We typically make usernames that match the first section of a user's Earlham email: abc123@earlham.edu would get the username "abc123".
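The users.list format and the uidNumber allocation described above, as an added example (not the wiki's add_and_makehome.py): the parser rejects malformed lines before anything is added, uidNumbers are assigned as last used + 1 counting up within the batch, and each user is rendered as an LDIF add entry. It assumes inetOrgPerson/posixAccount object classes, a placeholder gidNumber, and /eccs/home/<username> as the home directory.

```python
# Added example, not the wiki's add_and_makehome.py: parse a users.list in the
# <first>:<last>:<username>:<email>:<shell> format, allocate uidNumbers as the
# page describes (last used + 1, counting up within the batch) and render the
# LDIF add entries. Assumed: inetOrgPerson/posixAccount, placeholder gidNumber.
import re

BASE_DN = "ou=people,dc=cs,dc=earlham,dc=edu"
HOME_ROOT = "/eccs/home"
DEFAULT_GID = 100  # assumption: placeholder primary group id
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def parse_users_list(text):
    """One dict per non-blank line; malformed lines raise before anything is added."""
    users, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 ':'-separated fields, got {len(fields)}")
        first, last, uid, mail, shell = fields
        if not USERNAME_RE.match(uid) or uid in seen:
            raise ValueError(f"line {lineno}: bad or duplicate username {uid!r}")
        if not shell.startswith("/"):
            raise ValueError(f"line {lineno}: loginShell must be an absolute path")
        seen.add(uid)
        users.append({"givenName": first, "sn": last, "uid": uid, "mail": mail, "loginShell": shell})
    return users


def allocate_uids(users, last_uid_number):
    """uidNumber = last used + 1 for the first user, then +1 per user in the batch."""
    for offset, user in enumerate(users, start=1):
        user["uidNumber"] = last_uid_number + offset
    return users


def to_ldif(user):
    """Render one user as an LDIF add entry (the random password is set separately)."""
    attrs = [("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
             ("uid", user["uid"]), ("cn", f"{user['givenName']} {user['sn']}"),
             ("sn", user["sn"]), ("mail", user["mail"]),
             ("uidNumber", str(user["uidNumber"])), ("gidNumber", str(DEFAULT_GID)),
             ("homeDirectory", f"{HOME_ROOT}/{user['uid']}"), ("loginShell", user["loginShell"])]
    return f"dn: uid={user['uid']},{BASE_DN}\n" + "".join(f"{k}: {v}\n" for k, v in attrs)


# Constructed sample input in the wiki's documented format.
SAMPLE = "John:Smith:josmith:josmith@email.test:/bin/bash\nJane:Smith:jasmith:jasmith@email.test:/bin/bash\n"
```

Feed the rendered entries to ldapadd (or compare them against what the script produced) to check a batch before it is committed.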
Deleting a user
To delete a user, you need to use the ldapdelete command. Run one of these commands depending on the machine, each will prompt you for the password of the ldap admin (manager).
On cs:
ldapdelete -v "uid=<username>,ou=people,dc=cs,dc=earlham,dc=edu" -D "cn=manager,dc=cs,dc=earlham,dc=edu" -W -x
If you want to completely delete the user, make sure you delete their home directory (/eccs/home/<username>, symlinked to other directories on each side).
Adding user to group
To add a user to a group, you need to use the ldapadd command and give it the name of an ldif file specifying the user and group. There's a sample ldif file at ldapvm:/root/ldap/add-user-to-group.ldif. In that file, you must specify the name of the user and the group that they need to be added to. Run:
On cs:
ldapadd -x -v -f add-user-to-group.ldif -D "cn=admin,dc=cs,dc=earlham,dc=edu" -w <cs LDAP password>
- The group may take a while to show up in the output of # id <user>; give it some time.
- -w takes the password on the command line, where it ends up in shell history and is visible in the process list; -W prompts for it instead, as the other commands on this page do.
To add a user to a group, the previous process has been modified (by Davit) to make the approach simpler.
python add-user-to-group.py -g <group> -u username
For example, if I want to add the user lovelace19 to the sudoers group, I would run the following command:
python add-user-to-group.py -g sudoers -u lovelace19
Removing user from group
To remove a user from a group, use the ldapmodify command, giving it the name of an ldif file specifying the user and group. This task is very similar to adding a user to a group. There's a sample ldif file at auth:/root/ldap/del-from-grp.ldif. In that file, you must specify the name of the user and the group that they need to be removed from:
ldapmodify -f del-from-grp.ldif -D "cn=admin,dc=cs,dc=earlham,dc=edu" -W -x
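The add-to-group and remove-from-group ldif files described in the two sections above, as an added example (not the wiki's add-user-to-group.py or its sample ldif files): one function renders the ldapmodify change record for either direction, and a second one simulates the server's response so the two LDAP error cases (adding a value that already exists, deleting one that does not) can be caught before the change is sent. It assumes posixGroup entries keyed by memberUid under ou=group,dc=cs,dc=earlham,dc=edu; the page does not state the group schema.

```python
# Added example, not the wiki's script or ldif files: render the ldapmodify LDIF
# that adds or removes a memberUid on a group, and simulate what the server does.
# Assumed: posixGroup entries with memberUid under ou=group (schema not on page).
import re

GROUP_BASE = "ou=group,dc=cs,dc=earlham,dc=edu"
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,31}$")


def group_membership_ldif(group, uids, action):
    """action is 'add' or 'delete'; returns one LDIF modify record for the group."""
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    if not NAME_RE.match(group):
        raise ValueError(f"bad group name {group!r}")
    bad = [u for u in uids if not NAME_RE.match(u)]
    if bad or not uids:
        raise ValueError(f"bad or empty uid list: {bad}")
    body = "".join(f"memberUid: {u}\n" for u in uids)
    # A mod-spec ends with a lone "-" line (RFC 2849), which ldapmodify expects.
    return f"dn: cn={group},{GROUP_BASE}\nchangetype: modify\n{action}: memberUid\n{body}-\n"


def apply_change(current_members, uids, action):
    """Offline model of the server: LDAP rejects adding a value that already exists
    (attributeOrValueExists) and deleting one that is absent (noSuchAttribute)."""
    members = list(current_members)
    for u in uids:
        if action == "add":
            if u in members:
                raise ValueError(f"{u} already in group (attributeOrValueExists)")
            members.append(u)
        elif action == "delete":
            if u not in members:
                raise ValueError(f"{u} not in group (noSuchAttribute)")
            members.remove(u)
        else:
            raise ValueError("action must be 'add' or 'delete'")
    return members
```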
Changing a user's password
The way to change a user's password depends on whether or not the current password is known. A user can change their own password if they know their current one by using the command passwd. It will ask for their current password and then prompt them for a new one.
If a user doesn't know their password, then ldappasswd or ldapmodify will need to be used. Either way will work. If you choose to use ldapmodify then you need an ldif file that specifies the username, what you want to replace (userPassword) and the new value for it. There's an example file at net:/root/ldap-files/chg-pw.ldif. To run that:
On cs:
ldapmodify -f chg-pw.ldif -D "cn=manager,dc=cs,dc=earlham,dc=edu" -W -x
If you choose to use ldappasswd then you just have one command, replacing <username> with the actual username of the user:
On cs, this will prompt for the new password for the user (that is what -S is for) and then for the admin password:
ldappasswd -D "cn=manager,dc=cs,dc=earlham,dc=edu" "uid=<username>,ou=people,dc=cs,dc=earlham,dc=edu" -W -S