IdM Server Usage Guide#

The following instructions are an example of how to deploy IdM accounts. In the simpliest cluster there are three types of accounts. Administrator accounts which manage the systems, applications, and the users of the cluster. User accounts which allow individuals to access resources on the clluster. Automation accounts which are utilized by applications on the cluster to perform automated tasks like maintaince and updates.

In general, every user should have their own account; Administrators that also are users should have privledged and non-privledge accounts. Sharing of accounts should not be permitted.

In this guide three accounts, one of each type, will be created using the command line interface. The equivalent of these instructions can be done using the web interface at: https://idm.engwsc.example.com

Prerequisites#

References#

These instructions were written for FreeIPA 4.9.11

Instructions are based on the following documentation:
1. https://computingforgeeks.com/manage-users-and-groups-in-freeipa-using-cli/

Deployment Scripts#

An example bash script of the instructions has been provided: deploy-idm-users.sh

Deployment Steps#

Note

Instructions assume execution using the root account on the IdM server.

  1. Login using Kerberos authentication protocol:

Important

The kinit command will prompt for a password. This was the password created for the admin account during the IdM deployment.

kinit admin

# Password for admin@ENGWSC.EXAMPLE.COM:

Defaults#

  1. Create a default user group:

ipa group-add --desc="Default Linux Users group" users

# ------------------------
# Added group "users"
# ------------------------
#   Group name: users
#   Description: Default Linux Users group
#   GID: 292400024

  1. Configure default shell and group:

ipa config-mod --defaultshell="/bin/bash" --defaultgroup="users"

# Maximum username length: 32
# Maximum hostname length: 64
# Home directory base: /home
# Default shell: /bin/bash
# Default users group: users
# Default e-mail domain: engwsc.example.com
# Search time limit: 2
# Search size limit: 100
# User search fields: uid,givenname,sn,telephonenumber,ou,title
# Group search fields: cn,description
# Enable migration mode: FALSE
# Certificate Subject base: O=ENGWSC.EXAMPLE.COM
# Password Expiration Notification (days): 4
# Password plugin features: AllowNThash, KDC:Disable Last Success
# SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
# Default SELinux user: unconfined_u:s0-s0:c0.c1023
# Default PAC types: MS-PAC, nfs:NONE
# IPA masters: idm.engwsc.example.com
# IPA master capable of PKINIT: idm.engwsc.example.com
# IPA CA servers: idm.engwsc.example.com
# IPA CA renewal master: idm.engwsc.example.com

Administrator Account#

  1. Create a System Administrator group named sysadmins:

ipa group-add --desc="System administrators group" sysadmins

# -----------------------
# Added group "sysadmins"
# -----------------------
#   Group name: sysadmins
#   GID: 292400016

  1. Create a System Administrator account named adm0001:

Important

Record the random initial password.

Note

  1. In this example, “adm####” is the account format for System Administrators.

  2. Command creates a System Administrator account with no private group and a random initial password.

ipa user-add \
    --first="John" \
    --last="Doe" \
    --shell="/bin/bash" \
    --random \
    --noprivate \
    adm0001

# --------------------
# Added user "adm0001"
# --------------------
#   User login: adm0001
#   First name: John
#   Last name: Doe
#   Full name: John Doe
#   Display name: John Doe
#   Initials: JD
#   Home directory: /home/adm0001
#   GECOS: John Doe
#   Login shell: /bin/bash
#   Principal name: adm0001@ENGWSC.EXAMPLE.COM
#   Principal alias: adm0001@ENGWSC.EXAMPLE.COM
#   User password expiration: 20220918004649Z
#   Email address: adm0001@engwsc.example.com
#   Random password: 8Mh_g*0LHK_<9j[X}>[$/?
#   UID: 292400017
#   GID: 292400003
#   Password: True
#   Member of groups: users
#   Kerberos keys available: True

  1. Add System Administrator account adm0001 to sysadmins group:

ipa group-add-member sysadmins --users="adm0001"

#   Group name: sysadmins
#   GID: 292400016
#   Member users: adm0001
# -------------------------
# Number of members added 1
# -------------------------

  1. Create a Sudo rule for System Adminstrators:

Note

The sudo rule will allow a System Administrator to run any command on any node and to log in as any user.

ipa sudorule-add sudo_all \
    --hostcat="all" \
    --runasusercat="all" \
    --runasgroupcat="all" \
    --cmdcat="all"

# ------------------------------------
# Added Sudo Rule "sudo_all"
# ------------------------------------
#   Rule name: sudo_all
#   Enabled: TRUE
#   Host category: all
#   Command category: all
#   RunAs User category: all
#   RunAs Group category: all

  1. Add the sysadmins group to the Sudo rule sudo_all:

ipa sudorule-add-user sudo_all --group="sysadmins"

#   Rule name: sudo_all
#   Enabled: TRUE
#   Host category: all
#   Command category: all
#   RunAs User category: all
#   RunAs Group category: all
#   User Groups: sysadmins
# -------------------------
# Number of members added 1
# -------------------------

  1. Create System Adminstrators Home directory:

Note

Home directories are not automatically created when using IdM and NFS mounted paths. After an account has been created copying files from /etc/skel and setting permisions is required.

cp -r /etc/skel /home/adm0001
chown -R adm0001:sysadmins /home/adm0001
chmod 700 /home/adm0001

Ansible Account#

  1. Create a Automation group named ansible:

ipa group-add --desc="Automation group" ansible

  1. Create an Automation account named ansible:

Important

Record the random initial password.

Note

Create an automation account with no private group and a random initial password.

ipa user-add \
    --first="Ansible" \
    --last="Automation" \
    --shell="/bin/bash" \
    --random \
    --noprivate \
    ansible

  1. Add Automation account ansible to ansible group:

ipa group-add-member ansible --users="ansible"

  1. Create a Sudo rule for Automation account:

ipa sudorule-add sudo_all_nopasswd \
    --hostcat="all" \
    --runasusercat="all" \
    --runasgroupcat="all" \
    --cmdcat="all"

  1. Enable passwordless Sudo for the Automation Sudo rule:

Note

The sudo rule will allow the ansible account to run any command on any system as any user without providing a Sudo password. Passwordless Sudo is required for Ansible.

ipa sudorule-add-option sudo_all_nopasswd --sudooption='!authenticate'

# -------------------------------------------------------------
# Added option "!authenticate" to Sudo Rule "sudo_all_nopasswd"
# -------------------------------------------------------------
#   Rule name: sudo_all_nopasswd
#   Enabled: TRUE
#   Host category: all
#   Command category: all
#   RunAs User category: all
#   RunAs Group category: all
#   Sudo Option: !authenticate

  1. Add the ansible group to the Sudo rule sudo_all_nopasswd:

ipa sudorule-add-user sudo_all_nopasswd --group="ansible"

  1. Create Ansible’s Home directory:

Note

Home directories are not automatically created when using IdM and NFS mounted paths. After an account has been created copying files from /etc/skel and setting permisions is required.

cp -r /etc/skel /home/ansible
chown -R ansible:ansible /home/ansible
chmod 700 /home/ansible

User Account#

  1. Create a User account named usr0001:

Important

Record the random initial password.

Note

  1. In this example, “usr####” is the account format for Users.

  2. Command creates an User account with no private group and a random initial password.

ipa user-add \
    --first="John" \
    --last="Doe" \
    --shell="/bin/bash" \
    --random \
    --noprivate \
    usr0001

  1. Add User account usr0001 to users group:

Note

The user should already be in the “users” group.

ipa group-add-member users --users="usr0001"

  1. Create User’s Home directory:

Note

Home directories are not automatically created when using IdM and NFS mounted paths. After an account has been created copying files from /etc/skel and setting permisions is required.

cp -r /etc/skel /home/usr0001
chown -R usr0001:users /home/usr0001
chmod 700 /home/usr0001

Host Group / HBAC Rules#

HBAC Rules can be set to limit what nodes a user or group can access. It is recommended that User accounts only be able to SSH into the Slurm, User, and Compute nodes.

  1. Create usernodes Host Group:

Note

Host Group is a group of nodes. When user/computes nodes are added to the cluster they will need to be added to the Host Group before users can SSH into them.

ipa hostgroup-add --desc="User Accessible Nodes" usernodes

  1. Add nodes to usernodes Host Group:

Important

Nodes cannot be added to the host group until they have registered with IdM. When a new user node is added to the cluster, it must be registered with IdM and then it can be added to the host group.

ipa hostgroup-add-member --hosts="slurm.engwsc.example.com"  usernodes
ipa hostgroup-add-member --hosts="user01.engwsc.example.com" usernodes
ipa hostgroup-add-member --hosts="user02.engwsc.example.com" usernodes
ipa hostgroup-add-member --hosts="user03.engwsc.example.com" usernodes
ipa hostgroup-add-member --hosts="user04.engwsc.example.com" usernodes
ipa hostgroup-add-member --hosts="comp01.engwsc.example.com" usernodes
ipa hostgroup-add-member --hosts="comp02.engwsc.example.com" usernodes
ipa hostgroup-add-member --hosts="comp03.engwsc.example.com" usernodes
ipa hostgroup-add-member --hosts="comp04.engwsc.example.com" usernodes

  1. Create allow_sysadmins HBAC Rule:

Note

The allow_sysadmins HBAC rule allows System Administrators to access any node in the cluster.

# Create the rule
ipa hbacrule-add \
    --desc="Allow System Administrators to access all nodes" \
    --servicecat="all" \
    --hostcat="all" \
    allow_sysadmins

  1. Add System Administrator and Ansible groups to allow_sysadmins HBAC rule:

ipa hbacrule-add-user allow_sysadmins --group="sysadmins"
ipa hbacrule-add-user allow_sysadmins --group="ansible"

  1. Create allow_users HBAC Rule:

Note

The allow_users HBAC rule allows Users to access the user and compute nodes in the cluster.

ipa hbacrule-add \
    --desc="Allow Users to access user nodes" \
    --servicecat="all" \
    allow_users

  1. Add Users group to allow_users HBAC rule:

ipa hbacrule-add-user allow_users --group="users"

  1. Add usernodes Host Group to allow_users HBAC rule:

ipa hbacrule-add-host allow_users --hostgroups="usernodes"

  1. Disable Default allow_all HBAC rule:

ipa hbacrule-disable allow_all

  1. Test Access Permissions:

ipa hbactest --host idm.engwsc.example.com --service sshd --user adm0001
ipa hbactest --host idm.engwsc.example.com --service sshd --user ansible
ipa hbactest --host idm.engwsc.example.com --service sshd --user usr0001

ipa hbactest --host user01.engwsc.example.com --service sshd --user adm0001
ipa hbactest --host user01.engwsc.example.com --service sshd --user ansible
ipa hbactest --host user01.engwsc.example.com --service sshd --user usr0001