Introduction
This guide covers essential tasks for LDAP (FreeIPA) management, from accessing your admin account to advanced configuration, using both the CLI and the web browser interface.


Using CLI

Accessing Your Admin Account

Retrieve Admin User and Password:

   - Locate the admin username in Morpheus' Cypher → secret/ipaadmin_username
   - Locate the password in Morpheus' Cypher → password/ipaadmin



Then SSH into your LDAP instance with your admin account:

ssh -J admin@ssh-proxy-ip admin@ldap-ip

Users and Groups

Check user info

ipa user-show <USERNAME>

Check existing groups

ipa group-find

Show group information

ipa group-show <GROUP_NAME>

Verify which groups the user belongs to

ipa group-find --user=<USERNAME>

Add a new user to a group

ipa group-add-member <GROUP_NAME> --users=<USERNAME>

Reset password for user

ipa passwd <USERNAME>   # and interactively add a new password

Add ssh keys for user

ipa user-mod <USERNAME> --sshpubkey="ssh-rsa 12345abcde= ipaclient.example.com"
 
ipa user-mod <USERNAME> --sshpubkey="$(cat /home/alice/.ssh/id_rsa.pub)"
 
# To upload multiple keys, pass a comma-separated list of keys with a single --sshpubkey option:
# --sshpubkey="12345abcde==,key2==,key3=="

List active users

ipa user-find --all

or, to print each user's DN together with the time of their last successful authentication (from krbLastSuccessfulAuth, reformatted as DD-MM-YYYY HH:MM:SS):

ipa user-find --all --raw | grep -iE '(dn:|krbLastSuccessfulAuth)' | cut -d ',' -f1 | cut -d: -f2 |  sed -re 's/([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]+)Z/\3-\2-\1 \4:\5:\6/'
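The pipeline above only prints the timestamps; an administrator usually wants the accounts that have gone quiet so they can be reviewed and disabled. The following script is an added example, not part of the original guide: it parses the raw user-find output (the sample entries are constructed, and the function name stale_users is hypothetical) and lists enabled accounts that have not authenticated since a cutoff date, or never authenticated at all.

```shell
# Stale-account audit over the raw output of `ipa user-find --all --raw`
# (added example; function name stale_users is hypothetical).
# Usage: ipa user-find --all --raw > users.raw; stale_users users.raw 20240101

# Constructed sample in the shape of raw user-find output (not from a real server).
SAMPLE_RAW='  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
  krbLastSuccessfulAuth: 20240601120000Z
  nsaccountlock: FALSE

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
  krbLastSuccessfulAuth: 20230115083000Z
  nsaccountlock: FALSE

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
  nsaccountlock: FALSE

  dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
  krbLastSuccessfulAuth: 20220301000000Z
  nsaccountlock: TRUE'

# stale_users RAW_FILE CUTOFF_YYYYMMDD
# Prints "uid last_auth" for each enabled account whose last successful
# Kerberos auth is older than the cutoff or that never authenticated.
# Already-disabled accounts (nsaccountlock: TRUE) are skipped.
stale_users() {
    awk -v cutoff="$2" '
        function emit() {
            if (uid == "") return
            if (locked != "TRUE" && (last == "never" || substr(last, 1, 8) + 0 < cutoff + 0))
                print uid, last
            uid = ""
        }
        /^ *dn: uid=/ {                  # each entry starts with its DN
            emit()
            uid = $2; sub(/^uid=/, "", uid); sub(/,.*$/, "", uid)
            last = "never"; locked = "FALSE"
        }
        /^ *krbLastSuccessfulAuth:/ { last = $2 }
        /^ *nsaccountlock:/ { locked = $2 }
        END { emit() }
    ' "$1"
}

# Stand-alone demo on the constructed sample: prints bob and carol.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RAW" > "$tmp"
stale_users "$tmp" 20240101
rm -f "$tmp"
```

Each listed account can then be reviewed and, if confirmed unused, disabled with ipa user-disable before its credentials or SSH keys become an unattended entry point.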

Add new user

ipa user-add <USERNAME> --first=<FIRSTNAME> --last=<LASTNAME> --password


Change password expiration

ipa user-mod <USERNAME> --password-expiration='2050-10-25 19:18:30Z'


DNS

DNS server forwarders

Check which DNS servers are present in LDAP

ipa dnsserver-find


Add a forwarder to a DNS server

Add a forwarder DNS server (e.g. 8.8.8.8) to one of the LDAP DNS servers listed above:

ipa dnsserver-mod --forwarder=8.8.8.8 <SERVER_NAME>

For multiple forwarders, with an explicit forwarding policy (only, first or none):

ipa dnsserver-mod --forwarder=208.67.222.222 --forwarder=208.67.220.220 --forward-policy=[only|first|none] ipa02.archyslife.lan

Hosts

List hosts registered

ipa host-find

Show host

ipa host-show <host-name>

Remove host

ipa host-del <host-name>

List DNS zone

ipa dnszone-find

List DNS records in a DNS zone

ipa dnsrecord-find <zone-name>

Remove all associated DNS records from a DNS resource in a DNS zone

ipa dnsrecord-del <zone-name> <record-name> --del-all

Advanced

Add sudo rule to a group

Verify if a group exists

ipa group-find <GROUP_NAME>

Check if sudo rules exist

ipa sudorule-find

Create a sudo rule

The following sudo rule gives access to everything; it can be restricted to specific commands, hosts and more, see ipa help sudorule for details

ipa sudorule-add <SUDO_RULE_NAME> --hostcat=all --runasusercat=all --runasgroupcat=all --cmdcat=all

Add a sudo rule to a group

ipa sudorule-add-user <SUDO_RULE> --groups=<GROUP_NAME>

  



Using web browser interface

Accessing Your Admin Account

Retrieve Admin User and Password:

   - Locate the admin username in Morpheus' Cypher → secret/ipaadmin_username
   - Locate the password in Morpheus' Cypher → password/ipaadmin



Then SSH into your LDAP instance with your admin account:

ssh -J admin@ssh-proxy-ip admin@ldap-ip

Then start the IPA Server Control Interface by running:

ipactl start


Now reboot the LDAP VM. Find the IP address of your remote-desktop instance and use the x2goclient to access it.

When you're in, right-click the desktop, launch a terminal, and run:

firefox http://ldap.YOURDOMAIN


Once Firefox has launched, log in with the admin account and head over to Policy.

Create two sudo commands as shown in the screenshot below.


Then click Sudo again and create a sudo rule called allow_all:

Click the command itself and check the boxes as shown below:


Update the global policy for password expiration (the default is 90 days, which is a tad short):


After updating the password policy, reset the admin password so it adheres to the new policy and not the default 90-day one.

Update the default shell for users to bash instead of sh:


This guide is designed to help you efficiently manage LDAP tasks using both CLI and UI interfaces, ensuring a smooth and secure administration process.
