2.4.1.6.3 Managing User Access and Groups

LDAP authentication applies only to newly created users. Access to sudo and other system privileges is determined by group memberships.

Adding LDAP users to system groups

To grant LDAP users access to certain administrative commands, the provided utility allows adding users to system groups:
  • The specified groups must exist on the DSR system before adding users.
  • The utility supports adding multiple users to multiple groups simultaneously.

To add an LDAP user to a system group, run the following command, replacing <LDAPUSER> with the LDAP username and <GROUP> with the system group name. The command adds the user <LDAPUSER> to <GROUP> on all the servers in the topology.

/usr/TKLC/appworks/bin/ldapCliAuthentication.sh --add-user-to-group --user "<LDAPUSER>" --group "<GROUP>"

Example:

/usr/TKLC/appworks/bin/ldapCliAuthentication.sh --add-user-to-group --user "user1,user2" --group "group1,group2"

In this case, user1 and user2 (LDAP users) are both added to group1 and group2 on all the servers present in the topology.

Note:

LDAP users will only be available on the DSR system after LDAP has been configured by following the previous steps. Until that configuration is complete, user synchronization between the LDAP server and the DSR system will not take place.

Granting sudo privilege to LDAP user

To grant sudo permissions to LDAP users, add the users to the admgrp group present in the DSR system. This can be done by running the following command on the Active NOAM (Network Operations, Administration and Maintenance) server of the DSR system as the admusr user.

/usr/TKLC/appworks/bin/ldapCliAuthentication.sh --add-user-to-group --user "<LDAPUSER>" --group "admgrp"

Avoiding CLI Errors during login

If an LDAP user receives "Permission denied" errors when logging in to the DSR CLI (Command Line Interface), add the user to the awadm system group. This can be done by running the following command on the Active NOAM of the DSR system as admusr.

/usr/TKLC/appworks/bin/ldapCliAuthentication.sh --add-user-to-group --user "<LDAPUSER>" --group "awadm"

The --add-user-to-group utility supports the --hostnames flag. For more information, see Targeting Specific Servers.
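The utility requires the target groups to already exist, and membership in admgrp is what grants sudo, so it is worth checking both before and after a run. The following helpers are an added example written for this page, not part of the DSR documentation or of ldapCliAuthentication.sh; the group data is a constructed stand-in for getent output, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle DSR documentation or the ldapCliAuthentication.sh utility).
# Pre-check and post-check helpers around --add-user-to-group:
#  - require_groups: the utility needs the target groups to exist on the DSR
#    system, so verify them before calling the script.
#  - members_of / has_member: inspect current secondary membership, e.g. which
#    LDAP users sit in admgrp (sudo) or awadm (CLI access).
# GROUP_SOURCE is constructed sample data in `getent group` format so the
# example runs offline; on a real server use GROUP_SOURCE="$(getent group)".

GROUP_SOURCE='root:x:0:
admgrp:x:1001:admusr,user1
awadm:x:1002:admusr
group1:x:2001:user1,user2
group2:x:2002:user2'

# require_groups "group1,group2" -> 0 if every comma-separated group exists, 1 otherwise
require_groups() {
    missing=""
    for g in $(printf '%s' "$1" | tr ',' ' '); do
        printf '%s\n' "$GROUP_SOURCE" | grep -q "^${g}:" || missing="$missing $g"
    done
    if [ -n "$missing" ]; then
        echo "missing groups:$missing" >&2
        return 1
    fi
    return 0
}

# members_of <group> -> prints the comma-separated secondary member list of that group
members_of() {
    printf '%s\n' "$GROUP_SOURCE" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# has_member <group> <user> -> 0 if the user is a secondary member of the group
has_member() {
    members_of "$1" | tr ',' '\n' | grep -qx "$2"
}

# Typical flow (the utility call is commented out so the example stays offline):
# require_groups "group1,group2" && \
#   /usr/TKLC/appworks/bin/ldapCliAuthentication.sh --add-user-to-group --user "user1,user2" --group "group1,group2"
# has_member admgrp user1 && echo "user1 holds sudo via admgrp"
```

Because the utility applies changes to every server in the topology, run the post-check on each host (or on the hosts named with --hostnames) rather than only on the Active NOAM.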

Removing LDAP users from system groups

The script also provides a utility to remove LDAP users from system groups, so that existing DSR group memberships of LDAP users can be revoked when required. To remove LDAP users from one or more DSR system groups, run the following command as admusr on the Active NOAM server.

/usr/TKLC/appworks/bin/ldapCliAuthentication.sh --remove-user-from-group --user "<LDAPUSER>" --group "<GROUP>"

Example:

/usr/TKLC/appworks/bin/ldapCliAuthentication.sh --remove-user-from-group --user "user1,user2" --group "group1,group2"

In this case, user1 and user2 (LDAP users) are removed from both system groups, group1 and group2, on all the servers of the topology.

Note:

This utility can only remove LDAP users from secondary groups, not from their primary group (GID). The primary group is the one set when the user is created in LDAP. To modify the primary group, make the change directly on the LDAP server.

The --remove-user-from-group utility supports the --hostnames flag. For more information on the --hostnames flag, see Targeting Specific Servers.