(SIMP-10188) 389-DS Account Management (#433)

* (SIMP-10188) 389-DS Account Management

Added information on managing accounts in 389-DS

SIMP-10188 #close
SIMP-10189 #close

* CR updates

Author: trevor-vaughan

CHANGELOG

@@ -1,3 +1,6 @@
+* Wed Jun 30 2021 Trevor Vaughan <tvaughan@onyxpoint.com>
+- Add 389-DS documentation
+
 * Wed Jun 02 2021 Trevor Vaughan <tvaughan@onyxpoint.com>
 - Remove simp_bolt-related documentation
 

docs/changelogs/latest.rst

@@ -170,7 +170,7 @@ additional problems, please `submit an issue`_ to let use know.
   :depth: 2
   :local:
 
-.. _changelog-6.5.0-el8-client-limitations:
+.. _changelog-6.6.0-el8-client-limitations:
 
 Special considerations with EL8 clients
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

docs/user_guide/User_Management/LDAP.rst

@@ -15,7 +15,7 @@ server. Client system configurations have been tested to support either system
 as a LDAP server.
 
 .. toctree::
-   :maxdepth: 2
+   :maxdepth: 1
 
    389-DS <LDAP/389_DS>
    OpenLDAP <LDAP/OpenLDAP>

docs/user_guide/User_Management/LDAP/389_DS.rst

@@ -7,5 +7,6 @@ This section provides information on managing accounts in a SIMP-configured
 .. toctree::
    :maxdepth: 2
 
+   389-DS Cheat Sheet <389_DS/cheat_sheet>
    389-DS User Management <389_DS/manage_users>
    389-DS Group Management <389_DS/manage_groups>

docs/user_guide/User_Management/LDAP/389_DS/cheat_sheet.rst

@@ -0,0 +1,112 @@
+.. _ug-user_management-ldap-389_ds-cheat_sheet:
+
+The following provides base information for working with SIMP-managed
+:term:`389-DS` systems.
+
+For more information about getting started with 389-DS, see the
+`389-DS Quickstart`_
+
+File Locations
+==============
+
+* ``/etc/dirsrv``
+
+  * The default location for directory services
+
+* ``/usr/share/puppet_ds389_config``
+
+  * Information used to bootstrap the 389-DS instances. May, or may not, be
+    relevant once the system is fully operational.
+
+ds* Commands
+============
+
+389-DS uses a collection of commands for managing instances.
+
+Some of the more useful are listed below.
+
+.. NOTE::
+
+   It is important to know that the SIMP-managed 389-DS instances use an
+   account-to-DN mapping for the ``root`` user that automatically maps ``root``
+   to the administrative DN for the instance if you are using LDAPI.
+
+   This makes the administration process much easier for daily activities and is
+   recommended unless you need to manage the system remotely.
+
+dsctl - Directory Server Control
+--------------------------------
+
+* ``dsctl -l``
+
+  * List all instances on the system (ignore the ``slapd-`` prefix when
+    referencing them in other commands).
+
+* ``dsctl [instance_name] <start|stop|restart|status>``
+
+  * The easiest manner to manage the running state of your instances.
+
+* ``dsctl [instance_name] healthcheck``
+
+  * Check the instance for common issues
+
+dsconf - Directory Server Configuration
+---------------------------------------
+
+* ``dsconf [instance_name] config get``
+
+  * Print the main configuration of the specified instance.
+
+* ``dsconf [instance_name] security get``
+
+  * Print the security configuration of the specified instance.
+
+* ``dsconf [instance_name] pwpolicy get``
+
+  * Print the **global** password policy for the instance.
+
+* ``dsconf [instance_name] localpwp list``
+
+  * Print all known local password policies in the instance.
+
+* ``dsconf [instance_name] localpwp get [DN]``
+
+  * Print the details of the local password policy specified by ``[DN]`` (This
+    is one of the items output by ``localpwp list``).
+  * Note that local password policies are overrides to individual global
+    password policy entries.
+
+dsidm - Directory Server Identity Management
+--------------------------------------------
+
+The ``dsidm`` command provides account management capabilities and the usage is
+covered in detail in the account management sections.
+
+To make using ``dsidm`` easier, you may want to add something like the following
+to ``~/.dsrc``:
+
+.. code-block:: ini
+
+   [<instance_name>]
+   uri = ldapi://%%2fvar%%2frun%%2fslapd-<instance_name>.socket
+   basedn = <base DN>
+
+For a more concrete example, we will use the ``accounts`` instance provided by
+the ``simp/simp_ds389`` module.
+
+To find your base DN, you can run the following:
+
+.. code-block:: shell
+
+   dsidm accounts account list | head -1
+
+Assuming that our base DN is ``dc=local,dc=com``, our configuration file would
+look like the following:
+
+.. code-block:: ini
+
+   [accounts]
+   uri = ldapi://%%2fvar%%2frun%%2fslapd-accounts.socket
+   basedn = dc=local,dc=com
+
+.. _389-DS Quickstart: https://directory.fedoraproject.org/docs/389ds/howto/quickstart.html

docs/user_guide/User_Management/LDAP/389_DS/manage_groups.rst

@@ -1,11 +1,85 @@
 .. _ug-user_management-ldap-389_ds-manage_groups:
 
+Group Management in 389-DS
+=========================
+
+List 389-DS Groups
+------------------
+
+You can list all groups in the default SIMP :term:`389-DS` instance by running:
+
+.. code-block:: shell
+
+   dsidm accounts group list
+
+If running a SIMP-generated default instance, you should see the usual ``users``
+and ``administrators`` groups.
+
 Add a Group to 389-DS
-=====================
+---------------------
+
+To add a group to 389-DS, you can either run ``dsidm posixgroup create`` and it
+will prompt you for input or you can provide most parameters at the command line
+as follows:
+
+.. code-block:: shell
+
+   dsidm accounts posixgroup create --cn alice --gidNumber 1000
+
+.. NOTE::
+
+   Note the use of ``posixgroup`` instead of ``group`` when adding groups.
+
+   * ``posixgroup`` => POSIX-style groups generally used for system accounts.
+   * ``group`` => Regular LDAP groups which may be useful for external services.
+
+Remove a Group from 389-DS
+--------------------------
+
+To remove our `alice` group, run the following command:
+
+.. code-block:: shell
+
+   dsidm accounts group delete "<DN>"
+
+It will prompt you to type ``Yes I am sure`` to confirm deletion.
+
+To get the DN for the group run:
+
+.. code-block:: shell
+
+   dsidm accounts group get alice | head -1 | cut -f2- -d' '
+
+Get Information about a 389-DS Group
+------------------------------------
+
+Use the following command to get information about a specific group:
+
+.. code-block:: shell
+
+   dsidm accounts group get alice
+
+Add a User to a 389-DS Group
+----------------------------
+
+Use the following command to add a user to a group:
+
+.. code-block:: shell
+
+   dsidm accounts group add_member "<DN>"
+
+You can get the DN of a user by running:
+
+.. code-block:: shell
+
+   dsidm accounts user get <username> | head -1 | cut -f2- -d' '
 
-.. contents::
-   :local:
+It is important to note that, by default, referential integrity is **not**
+preserved between users and groups. This means that you will need to manually
+remove users from groups if you decide to delete a user.
 
-.. todo::
+If you want to change this behavior, you can enable the Referential Integrity
+Postoperation plug-in manually. However, this has ramifications in clustered
+environments so please read the `related documentation`_ before proceeding.
 
-   Add Stuff
+.. _related documentation: https://directory.fedoraproject.org/docs/389ds/design/referint-replication-design.html

docs/user_guide/User_Management/LDAP/389_DS/manage_users.rst

@@ -1,11 +1,105 @@
 .. _ug-user_management-ldap-389_ds-manage_users:
 
+User Management in 389-DS
+=========================
+
+List 389-DS Users
+-----------------
+
+You can list all users in the default SIMP :term:`389-DS` instance by running:
+
+.. code-block:: shell
+
+   dsidm accounts user list
+
 Add a User to 389-DS
-====================
+--------------------
+
+To add a user to 389-DS, you can either run ``dsidm user create`` and it will
+prompt you for input or you can provide most parameters at the command line as
+follows:
+
+.. code-block:: shell
+
+   dsidm accounts user create --uid alice --cn "Alice User" --displayName 'Alice' \
+     --uidNumber 1000 --gidNumber 1000 --homeDirectory /home/alice
+
+Remove a User from 389-DS
+-------------------------
+
+To remove our `alice` user, run the following command:
+
+.. code-block:: shell
+
+   dsidm accounts user delete <DN>
+
+It will prompt you to type ``Yes I am sure`` to confirm deletion.
+
+To get the DN for the user run:
+
+.. code-block:: shell
+
+   dsidm accounts user get alice | head -1 | cut -f2- -d' '
+
+Add a Password to a 389-DS User
+-------------------------------
+
+You may notice that this user has been created without a password. The command
+line options do not provide this capability so a password will need to be added
+afterwards.
+
+.. NOTE::
+
+  No matter which of the following methods you choose, the user will be prompted
+  to change their password at the next login by default.
+
+Interactive Reset
+^^^^^^^^^^^^^^^^^
+
+To be prompted for the user credentials, you can run the following:
+
+.. code-block:: shell
+
+   dsidm accounts account reset_password "<DN>"
+
+To obtain the ``DN`` run:
+
+.. code-block:: shell
+
+   dsidm accounts user get alice | head -1 | cut -f2- -d' '
+
+Direct Reset
+^^^^^^^^^^^^
+
+If you want to set the user's password directly, first generate the password
+using ``pwdhash``:
+
+.. code-block:: shell
+
+   pwdhash -D /etc/dirsrv/slapd-accounts "<plain_text_password>"
+
+Then run the following, pasting the output of the previous command into
+``<GENERATED_HASH>``:
+
+.. code-block:: shell
+
+   dsidm accounts user modify alice add:userPassword:<GENERATED HASH>
+
+
+Add a SSH Public Key to a 389-DS User
+-------------------------------------
+
+You can use the following command to add a SSH key to a 389-DS user:
+
+.. code-block:: shell
+
+   dsidm accounts user modify alice add:nsSshPublicKey:"<ssh-rsa AAA...>"
+
+Remove a SSH Public Key from a 389-DS User
+------------------------------------------
 
-.. contents::
-   :local:
+You can use the following command to remove a SSH key from a 389-DS user:
 
-.. todo::
+.. code-block:: shell
 
-   Add Stuff
+   dsidm accounts user modify alice delete:nsSshPublicKey:"<ssh-rsa AAA...>"